Diff for /wikisrc/projects/project/transparent-cgd.mdwn between versions 1.1 and 1.2

version 1.1, 2015/02/16 05:13:06 version 1.2, 2016/07/14 18:27:25
Line 11  difficulty="medium" Line 11  difficulty="medium"
 duration="2 months"  duration="2 months"
   
 description="""  description="""
 While currently we have the cgd(4) driver for encrypting disks,  While currently we have the [[!template id=man name="cgd" section="4"]]
 setting it up is fairly involved.  driver for encrypting disks, setting it up is fairly involved.
 Furthermore, while it's fairly easy to use it just for /home, in an  Furthermore, while it's fairly easy to use it just for /home, in an
 ideal world the entire disk should be encrypted; this leads to some  ideal world the entire disk should be encrypted; this leads to some
 nontrivial bootstrapping problems.  nontrivial bootstrapping problems.
Line 24  be exposed. Line 24  be exposed.
 Implement it.  Implement it.
   
 The following is a non-exhaustive list of issues to consider:  The following is a non-exhaustive list of issues to consider:
   
  * How should we tell when root should be on cgd (perhaps in boot.cfg?)   * How should we tell when root should be on cgd (perhaps in boot.cfg?)
  * When (and how) do we enter the passphrase needed to mount root (at mount-root time? in the bootloader? after mounting a fake root?)   * When (and how) do we enter the passphrase needed to mount root (at mount-root time? in the bootloader? after mounting a fake root?)
  * Key management for the encryption passphrase   * Key management for the encryption passphrase
Line 33  The following is a non-exhaustive list o Line 34  The following is a non-exhaustive list o
  * Integration with sysinst so all you need to do to get FDE is to hit a checkbox   * Integration with sysinst so all you need to do to get FDE is to hit a checkbox
  * Perhaps, making it easy or at least reasonably possible to migrate an unencrypted root volume to cgd   * Perhaps, making it easy or at least reasonably possible to migrate an unencrypted root volume to cgd
   
 Note that while init(8) currently has a scheme for mounting a  Note that while [[!template id=man name="init" section="8"]] currently has a scheme for mounting a
 temporary root and then chrooting to the real root afterwards, it  temporary root and then chrooting to the real root afterwards, it
 doesn't work all that well.  doesn't work all that well.
 Improving it is somewhat difficult; also, ideally init(8) would be on  Improving it is somewhat difficult; also, ideally
 the encrypted root volume.  [[!template id=man name="init" section="8"]]
   would be on the encrypted root volume.
 It would probably be better to support mounting the real root directly  It would probably be better to support mounting the real root directly
 on cgd.  on cgd.
   

Removed from v.1.1  
changed lines
  Added in v.1.2


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb