NetBSD-Users archive


Re: NetBSD 10 RFE (ramdisk-cgdroot.fs in boot.cfg)



Thank you Martin. Just to provide the larger context of what I am trying to do:

Root Filesystem Encryption (unlock using passphrase) during boot
- I want to achieve this without using a custom kernel. This seems to be possible since the fs ramdisk-cgdroot.fs in boot.cfg(5) obviates the need for a custom kernel module with the ramdisk embedded. However, there is no guidance on this on the wiki/man pages.
- I have an EFI boot partition but also another user-defined partition (/xyz) that is not encrypted. I can make this bootable if there’s any utility to doing so.

Once Root Filesystem Encryption is stable (unlock with passphrase during the boot process), I’d like to have the option to perform the passphrase-based “unlock” of the root partition via SSH (and subsequently complete the boot process).

-Arvind


On Apr 30, 2024, at 3:48 AM, Martin Husemann <martin%duskware.de@localhost> wrote:

On Mon, Apr 29, 2024 at 07:12:16PM +0000, Arvind wrote:
Sure, was just using the linux remote unlock as an example of what
we're trying to get configured (after encrypting the root partition
with passphrase unlock). Any help from the group would be much
appreciated.

It should be relatively simple to add that to the root partition setup
with a few rc.d scripts and a bit of sshd setup (but there seems to be
no plug+play pkg for it nor a quick howto documentation).

We also should support the auto-booting clevis + tang alternative (but
both lack a pkg and again there should be a short howto documentation).

Has anyone done one or the other and would like to share details?

Martin


