tech-security archive


Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)

Hi,

FreeBSD allows encryption of the root partition and may be a good start.

http://events.ccc.de/congress/2005/fahrplan/attachments/586-paper_Complete_Hard_Disk_Encryption.pdf

I tried that approach about a year ago and successfully performed the installation. I also discussed it with the author, Marc Schiesser, because the tutorial should be updated for the FreeBSD 7.x and 8.x versions. I have these notes in my archive.


The basic idea is:

1- Run the fixit disc of FreeBSD, which is a live-CD with various FreeBSD (own) utilities. Don't forget to load the geom_eli module.

2- Partition the hard drive, and then create the geli slices (partitions).

3- Run sysinstall and address the geli partitions as the install target. Everything is installed into the geli partition.

4- Once the work is finished, copy the kernel and kernel modules to, e.g., a USB ram. In other words, prepare a boot-only USB disk.

5- Once everything is complete, boot from the USB. It asks for the passphrase of the geli slice and mounts the geli root as root.

6- Remove the USB ram.

Regards,
Cem
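The six steps above as an added example, not code from this thread or from Marc Schiesser's paper: a dry-run sh script that prints the geli commands for the fixit session, renders the loader.conf for the boot-only USB stick and the fstab for the encrypted root, and checks that the unencrypted boot media really hands root to the .eli provider rather than to the raw slice. The device name da0s1d, the 256-bit key length and the 4096-byte geli sector size are assumptions, not values from the message.

```shell
#!/bin/sh
# Added example, not from the original thread. Device name, key length and
# sector size below are assumptions; adjust them to the real layout.

# Steps 1-2: commands that would be run from the fixit disc. They are printed,
# not executed, so the layout can be reviewed before any disk is touched.
geli_setup_cmds() {
    dev="$1"
    printf '%s\n' \
        "kldload geom_eli" \
        "geli init -s 4096 -l 256 /dev/$dev" \
        "geli attach /dev/$dev" \
        "newfs -U /dev/$dev.eli"
}

# Steps 4-5: /boot/loader.conf for the boot-only USB stick. The loader must
# load geom_eli itself and name the decrypted .eli provider as the root device.
render_loader_conf() {
    dev="$1"
    printf '%s\n' \
        'geom_eli_load="YES"' \
        "vfs.root.mountfrom=\"ufs:/dev/$dev.eli\""
}

# /etc/fstab inside the encrypted root: root is the decrypted provider.
render_fstab() {
    dev="$1"
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "/dev/$dev.eli" / ufs rw 1 1
}

# Sanity check before booting: fail if fstab mounts a raw (unencrypted) device
# as root, if the loader does not load geom_eli, or if loader and fstab
# disagree about which provider is root. Returns 0 when consistent.
check_boot_config() {
    loader_conf="$1"; fstab="$2"
    root_dev=$(awk '$2 == "/" { print $1 }' "$fstab")
    case "$root_dev" in
        *.eli) ;;
        *) echo "root $root_dev is not a geli provider" >&2; return 1 ;;
    esac
    grep -q '^geom_eli_load="YES"' "$loader_conf" \
        || { echo "loader does not load geom_eli" >&2; return 1; }
    grep -q "^vfs.root.mountfrom=\"ufs:$root_dev\"" "$loader_conf" \
        || { echo "loader root does not match fstab root" >&2; return 1; }
    return 0
}
```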


David Brownlee, 03/23/09 18:54:
On Mon, 23 Mar 2009, Todd Vierling wrote:

    I think that would be the ideal case for any machine which
    doesn't require unattended reboot - the only unencrypted
    data on the disk would be the bootblocks and some cgd config
    (which may well be written into the bootblocks). Once installed
    it should be transparent to the user including updating kernels
    and anything other than bootblocks :)