[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)
On Mon, Mar 23, 2009 at 9:12 AM, David Brownlee <abs%netbsd.org@localhost>
> Converting a running system to an encryped filesystem without
> requiring a dump/restore is a very nice additional feature, but
> I think NetBSD would really benefit from 'just' the cgd support
> in the bootblocks and passing the relevant data across to the
> kernel so it can get a cgd encrypted root filesystem...
Works for workstations, if the bootblocks have passphrase entry (and
better yet, cgd decrypt support to load the kernel itself from an
encrypted root); that would work much like other full-disk encryption
Without something like TPM, doesn't solve the unattended server
problem, though perhaps that does require a more complex solution
(such as a ramdisk or small root partition, over which / is remounted)
to allow the key to be stored in a more flexible manner.
Collectively this sounds more like two projects to me, though the
latter could suffice for both cases, for a first stab at it. The
latter is also less low-level code and more scripting work (and
perhaps crunchgen for space), which may make multiplatform support
less painful. Mentors' mileage may vary.
-- Todd Vierling <tv%duh.org@localhost> <tv%pobox.com@localhost>
Main Index |
Thread Index |