tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)

On 1237840674 seconds since the Beginning of the UNIX epoch
Jan Danielsson wrote:

>> The cgd parameters could probably even be passed by the boot loader
>> as kernel arguments.  Then this could even work with a generic kernel,
>> and be set up at install time.
>    The cgd parameters contains a salt value. Is it possible to store
>such arguments in a file separated from the kernel? It doesn't seem
>feasible for the user to enter these values manually each boot.

Also, you want to be able to deal with some of the potential
complixity that can be expressed in the parameters file.  One of
the reasons that I specifically did not choose an on the disk format
was so that the file could be extended to do such things as exec'ing
external programs to fetch keys from a central key authority.  Or
talking to an arbitrary number of key servers, etc.

Now, granted, you will not be able to have the boot blocks do most
of the more interesting features that cgdconfig(8) can do because
you lack, well, a kernel, but you do want to at least be able to
accept multiple key generation blocks instead of just a single one.

    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/

Home | Main Index | Thread Index | Old Index