Diff for /wikisrc/security/cgdroot.mdwn between versions 1.8 and 1.11

version 1.8, 2017/02/10 10:42:44 version 1.11, 2017/02/10 11:00:40
Line 3  Root filesystem encryption Line 3  Root filesystem encryption
   
 It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. It is named after CGD, the "cryptographic device driver", which implements encryption for storage in the NetBSD kernel.  It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. It is named after CGD, the "cryptographic device driver", which implements encryption for storage in the NetBSD kernel.
   
 Full disk encryption makes it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data.  The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`). Full disk encryption would make it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data.
   
 The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`).  The NetBSD Guide contains [an entire section about CGD][2].
   
 The boot process  The boot process
 ----------------  ----------------
   
 Instead of booting normally the GENERIC kernel and using the root filesystem, a kernel module is loaded at boot-time containing a memory disk. This minimal filesystem image is then considered the actual root filesystem.  Instead of booting the GENERIC kernel normally and using the root filesystem directly as usual, a special kernel module containing a memory disk is loaded at boot-time. This minimal filesystem image will then be the actual root filesystem, where the decryption process takes place.
   
 The boot partition on disk only needs to contain:  The boot partition on disk needs to contain:
   
 * [[!template id=man name="boot" section="8"]], the second-stage bootloader  * [[!template id=man name="boot" section="8"]], the second-stage bootloader
 * [[!template id=man name="boot.cfg" section="5"]], the configuration file for the bootloader (optional)  * [[!template id=man name="boot.cfg" section="5"]], the configuration file for the bootloader (optional)
Line 29  really ran from a chroot in `/altroot`. Line 29  really ran from a chroot in `/altroot`.
 Obtaining the kernel module  Obtaining the kernel module
 ---------------------------  ---------------------------
   
 The `cgdroot.kmod` kernel module is part of the regular NetBSD releases since NetBSD 7.0. It can be found in the `<arch>/installation/miniroot` folder from the release. For instance, for the amd64 architecture on the German mirror for the 7.0.1 release, download it at (ftp://ftp.de.netbsd.org/pub/NetBSD/NetBSD-7.0.1/amd64/installation/miniroot/cgdroot.kmod).  The `cgdroot.kmod` kernel module is part of the regular NetBSD releases since NetBSD 7.0. It can be found in the `<arch>/installation/miniroot` folder from the release. For instance, for the amd64 architecture on the German mirror for the 7.0.1 release, download it at [ftp.de.netbsd.org/pub/NetBSD/NetBSD-7.0.1/amd64/installation/miniroot/cgdroot.kmod](ftp://ftp.de.netbsd.org/pub/NetBSD/NetBSD-7.0.1/amd64/installation/miniroot/cgdroot.kmod).
   
 Configuring the kernel module  Configuring the kernel module
 -----------------------------  -----------------------------
Line 78  References Line 78  References
 ----------  ----------
   
 * [Full Disk Encryption with cgd (well, almost)][1]  * [Full Disk Encryption with cgd (well, almost)][1]
   * [The cryptographic device driver (CGD)][2]
   
 [1]: https://mail-index.netbsd.org/current-users/2013/03/21/msg022311.html "Full Disk Encryption with cgd (well, almost)"  [1]: https://mail-index.netbsd.org/current-users/2013/03/21/msg022311.html "Full Disk Encryption with cgd (well, almost)"
   [2]: http://www.netbsd.org/docs/guide/en/chap-cgd.html "The cryptographic device driver (CGD)"

Removed from v.1.8  
changed lines
  Added in v.1.11


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb