On 2022-08-06 21:22 EDT, Taylor R Campbell wrote:
To be clear, fidocrypt(1) is not a general-purpose credential manager. A fidocrypt file on disk stores a _single_ secret, which can be opened by any one of the U2F/FIDO devices registered with the file.
Yep, caught that, I was just trying to extrapolate to directly-interactive use cases. A better one (you're right!), upon reflection, would be hardware or software key unlocking of encrypted file systems during boot.
cgdconfig runs early at boot before most file systems are mounted -- often before the file systems on which any packages are installed are mounted. The cgdroot ramdisk, for instance, has a very minimal NetBSD userland in a ramdisk just to configure cgd(4) volumes before mounting the `real' root from them and chrooting into it. fidocrypt could be baked into this ramdisk.
Makes sense to me! (Thanks for entertaining the question.)

--
Gabriel Rosenkoetter (he/him)
gr%eclipsed.net@localhost