tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)

On Mon, Mar 23, 2009 at 9:12 AM, David Brownlee <> 
>        Converting a running system to an encryped filesystem without
>        requiring a dump/restore is a very nice additional feature, but
>        I think NetBSD would really benefit from 'just' the cgd support
>        in the bootblocks and passing the relevant data across to the
>        kernel so it can get a cgd encrypted root filesystem...

Works for workstations, if the bootblocks have passphrase entry (and
better yet, cgd decrypt support to load the kernel itself from an
encrypted root); that would work much like other full-disk encryption

Without something like TPM, doesn't solve the unattended server
problem, though perhaps that does require a more complex solution
(such as a ramdisk or small root partition, over which / is remounted)
to allow the key to be stored in a more flexible manner.

Collectively this sounds more like two projects to me, though the
latter could suffice for both cases, for a first stab at it.  The
latter is also less low-level code and more scripting work (and
perhaps crunchgen for space), which may make multiplatform support
less painful.  Mentors' mileage may vary.

-- Todd Vierling <> <> 

Home | Main Index | Thread Index | Old Index