File:  [NetBSD Developer Wiki] / wikisrc / projects / project / transparent-cgd.mdwn
Revision 1.2
Thu Jul 14 18:27:25 2016 UTC (2 years, 2 months ago) by leot
Branches: MAIN
CVS tags: HEAD
Fix/improve markdown formatting a bit

[[!template id=project

title="Transparent full-disk encryption"

contact="""
[tech-kern](mailto:tech-kern@NetBSD.org)
"""

category="filesystems"
difficulty="medium"
duration="2 months"

description="""
While currently we have the [[!template id=man name="cgd" section="4"]]
driver for encrypting disks, setting it up is fairly involved.
Furthermore, while it's fairly easy to use it just for /home, in an
ideal world the entire disk should be encrypted; this leads to some
nontrivial bootstrapping problems.

Develop a scheme for mounting root on cgd that does not require
explicit manual setup, that passes cryptographic muster, and that
protects everything on the root volume except for what absolutely must
be exposed.
Implement it.

The following is a non-exhaustive list of issues to consider:

 * How should we tell when root should be on cgd (perhaps in boot.cfg?)
 * When (and how) do we enter the passphrase needed to mount root (at mount-root time? in the bootloader? after mounting a fake root?)
 * Key management for the encryption passphrase
 * Where to keep the bootloader and/or kernels
 * Should the bootloader be able to read the cgd to get the boot kernel from it?
 * If the kernel is not on cgd, should it be signed to allow the bootloader to verify it?
 * Integration with sysinst so all you need to do to get FDE is to hit a checkbox
 * Perhaps, making it easy or at least reasonably possible to migrate an unencrypted root volume to cgd

Note that while [[!template id=man name="init" section="8"]] currently has a scheme for mounting a
temporary root and then chrooting to the real root afterwards, it
doesn't work all that well.
Improving it is somewhat difficult; also, ideally
[[!template id=man name="init" section="8"]]
would be on the encrypted root volume.
It would probably be better to support mounting the real root directly
on cgd.

Another option is a pivot_root type of operation like Linux has, which
allows mounting a fake root first and then shuffling the mount points
to move something else into the / position.
This has its drawbacks as well, and again ideally there would be no
unencrypted fake root volume.

"""
]]
