Annotation of wikisrc/projects/project/transparent-cgd.mdwn, revision 1.1 (author: dholland)

[[!template id=project

title="Transparent full-disk encryption"

contact="""
[tech-kern](mailto:tech-kern@NetBSD.org)
"""

category="filesystems"
difficulty="medium"
duration="2 months"

description="""
While currently we have the cgd(4) driver for encrypting disks,
setting it up is fairly involved.
Furthermore, while it's fairly easy to use it just for /home, in an
ideal world the entire disk should be encrypted; this leads to some
nontrivial bootstrapping problems.

Develop a scheme for mounting root on cgd that does not require
explicit manual setup, that passes cryptographic muster, and that
protects everything on the root volume except for what absolutely must
be exposed.
Implement it.

The following is a non-exhaustive list of issues to consider:

 * How should we tell when root should be on cgd (perhaps in boot.cfg?)
 * When (and how) do we enter the passphrase needed to mount root (at mount-root time? in the bootloader? after mounting a fake root?)
 * Key management for the encryption passphrase
 * Where to keep the bootloader and/or kernels
 * Should the bootloader be able to read the cgd to get the boot kernel from it?
 * If the kernel is not on cgd, should it be signed to allow the bootloader to verify it?
 * Integration with sysinst so all you need to do to get FDE is to hit a checkbox
 * Perhaps, making it easy or at least reasonably possible to migrate an unencrypted root volume to cgd

Note that while init(8) currently has a scheme for mounting a
temporary root and then chrooting to the real root afterwards, it
doesn't work all that well.
Improving it is somewhat difficult; also, ideally init(8) would be on
the encrypted root volume.
It would probably be better to support mounting the real root directly
on cgd.

Another option is a pivot_root type of operation like Linux has, which
allows mounting a fake root first and then shuffling the mount points
to move something else into the / position.
This has its drawbacks as well, and again ideally there would be no
unencrypted fake root volume.

"""
]]

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb