tech-security archive


Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)



On Mon, Mar 23, 2009 at 05:49:15PM +0000, David Brownlee wrote:
>
>       Then at the risk of feeping creatures... why can't the boot block
>       do that? Either the bootblocks and external config lie on the

It can, I think -- at the cost of keeping the kernel-to-boot on the USB
key.  This isn't a "pivot root" setup, it's more like booting from the
network but using a local filesystem -- the kernel needs to be told to
run a mountroothook which sets up the cgd with the specified key, and
to use it as root.

You probably need to ensure, somehow, that the USB key can be neither
read nor written while the system is up.

Thor

