Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Full Disk Encryption with cgd (well, almost)

                        Hi all,

On Fri, 22 Mar 2013 00:11:35 +0100, Rhialto wrote:
> Is there any particular reason why cgdconfig and /etc/rc are in a
> ramdisk, rather than in the unencrypted /dev/wd0a? A ramdisk makes it so
> much more complicated to update stuff, but it offers no security anyway
> since it is unencrypted itself.

yes, the point is to keep it as generic as likely, without making any 
assumption on the actual boot device. The aim is to get 100% of the disk 
encrypted at some point, which can already be the case when booting from 
a USB memory stick for instance.

As Thor mentioned, it is then simpler to get these two files signed by 
the hardware (if supported). They can even be merged into a single file 
if desired or required.

As for updating stuff, integrating this within the source tree using the 
existing build infrastructure makes it trivial to update. Booting 
manually is rather simple as well (a load + a boot command) and allows 
booting backup versions easily if required.


Home | Main Index | Thread Index | Old Index