NetBSD-Users archive


Re: NetBSD 10 RFE (ramdisk-cgdroot.fs in boot.cfg)



arvind wrote:
Hi friends, hoping someone might be able to help or point in the
right direction. We have a NetBSD 10 machine that requires Root
Filesystem Encryption (unlock using passphrase) during boot. The
man pages are out of date and unfortunately not helpful
(https://wiki.netbsd.org/security/cgdroot/).

We are using UEFI/GPT. We have a boot partition but also another
user defined partition (/backups) that is not encrypted.

Once configured, would also like to add remote ssh unlock using
something like Dropbear. This is the equivalent on the Linux
platform(s):
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux

Hi Arvind, not what you are asking, but some advice. Identify the
sensitive data and encrypt _that_. Use CGD to encrypt real partitions
like home and backup if you like, but you could use vndconfig(8),
it would be easy to migrate in case of need. Writing some scripts
to access that data remotely will be easy. Don't waste time and
resources encrypting sensitive data that will be recreated, use ram
disks for that.

adr

