Re: Full Disk Encryption with cgd (well, almost)

To: current-users%netbsd.org@localhost
Subject: Re: Full Disk Encryption with cgd (well, almost)
From: Pierre Pronchery <khorben%defora.org@localhost>
Date: Sun, 24 Mar 2013 02:11:29 +0000 (UTC)

                        Hi all,

On Fri, 22 Mar 2013 00:11:35 +0100, Rhialto wrote:
> 
> Is there any particular reason why cgdconfig and /etc/rc are in a
> ramdisk, rather than in the unencrypted /dev/wd0a? A ramdisk makes it so
> much more complicated to update stuff, but it offers no security anyway
> since it is unencrypted itself.

yes, the point is to keep it as generic as likely, without making any 
assumption on the actual boot device. The aim is to get 100% of the disk 
encrypted at some point, which can already be the case when booting from 
a USB memory stick for instance.

As Thor mentioned, it is then simpler to get these two files signed by 
the hardware (if supported). They can even be merged into a single file 
if desired or required.

As for updating stuff, integrating this within the source tree using the 
existing build infrastructure makes it trivial to update. Booting 
manually is rather simple as well (a load + a boot command) and allows 
booting backup versions easily if required.

HTH,
-- 
khorben

References:
- Full Disk Encryption with cgd (well, almost)
  - From: Pierre Pronchery
- Re: Full Disk Encryption with cgd (well, almost)
  - From: Rhialto

Prev by Date: Automated report: NetBSD-current/i386 build failure
Next by Date: daily CVS update output
Previous by Thread: Re: Full Disk Encryption with cgd (well, almost)
Next by Thread: daily CVS update output
Indexes:

Home | Main Index | Thread Index | Old Index