version 1.1, 2015/02/16 05:13:06
|
version 1.2, 2016/07/14 18:27:25
|
Line 11 difficulty="medium"
|
Line 11 difficulty="medium"
|
duration="2 months" |
duration="2 months" |
|
|
description=""" |
description=""" |
While currently we have the cgd(4) driver for encrypting disks, |
While currently we have the [[!template id=man name="cgd" section="4"]] |
setting it up is fairly involved. |
driver for encrypting disks, setting it up is fairly involved. |
Furthermore, while it's fairly easy to use it just for /home, in an |
Furthermore, while it's fairly easy to use it just for /home, in an |
ideal world the entire disk should be encrypted; this leads to some |
ideal world the entire disk should be encrypted; this leads to some |
nontrivial bootstrapping problems. |
nontrivial bootstrapping problems. |
Line 24 be exposed.
|
Line 24 be exposed.
|
Implement it. |
Implement it. |
|
|
The following is a non-exhaustive list of issues to consider: |
The following is a non-exhaustive list of issues to consider: |
|
|
* How should we tell when root should be on cgd (perhaps in boot.cfg?) |
* How should we tell when root should be on cgd (perhaps in boot.cfg?) |
* When (and how) do we enter the passphrase needed to mount root (at mount-root time? in the bootloader? after mounting a fake root?) |
* When (and how) do we enter the passphrase needed to mount root (at mount-root time? in the bootloader? after mounting a fake root?) |
* Key management for the encryption passphrase |
* Key management for the encryption passphrase |
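Review bot: "boot.cfg" in the first list item of this hunk is left as plain text on both sides, while this revision converts the cgd(4) and init(8) references to the man template. If the goal is consistent man page links, consider giving boot.cfg the same treatment, for example `[[!template id=man name="boot.cfg" section="5"]]`.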
Line 33 The following is a non-exhaustive list o
|
Line 34 The following is a non-exhaustive list o
|
* Integration with sysinst so all you need to do to get FDE is to hit a checkbox |
* Integration with sysinst so all you need to do to get FDE is to hit a checkbox |
* Perhaps, making it easy or at least reasonably possible to migrate an unencrypted root volume to cgd |
* Perhaps, making it easy or at least reasonably possible to migrate an unencrypted root volume to cgd |
|
|
Note that while init(8) currently has a scheme for mounting a |
Note that while [[!template id=man name="init" section="8"]] currently has a scheme for mounting a |
temporary root and then chrooting to the real root afterwards, it |
temporary root and then chrooting to the real root afterwards, it |
doesn't work all that well. |
doesn't work all that well. |
Improving it is somewhat difficult; also, ideally init(8) would be on |
Improving it is somewhat difficult; also, ideally |
the encrypted root volume. |
[[!template id=man name="init" section="8"]] |
|
would be on the encrypted root volume. |
It would probably be better to support mounting the real root directly |
It would probably be better to support mounting the real root directly |
on cgd. |
on cgd. |
|
|
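Review bot: the second init(8) replacement leaves the template directive alone on its own line, between the short line "Improving it is somewhat difficult; also, ideally" and "would be on the encrypted root volume.", and the first replacement makes its line much longer than the lines around it. Reflow the paragraph so it wraps the same way as the cgd(4) replacement earlier in the file. This matters only for the readability of the source, since the rendered output should not change.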