version 1.9, 2017/02/10 10:54:56
version 1.11, 2017/02/10 11:00:40
It is possible to run NetBSD with [compl

The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`). Full disk encryption would make it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data.

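The warning above comes down to this: everything on the unencrypted `wd0a` can be altered before the passphrase is ever typed. One defender-side check is an integrity manifest of that partition, created right after installation, kept off the machine, and verified from trusted media before `cgdconfig` is run. The script below is an added example, not code from the wiki page; it assumes `sha256sum` (GNU) or NetBSD's `cksum -a SHA256 -q` is available, and the directory it hashes is a constructed stand-in for `/altroot`.

```shell
#!/bin/sh
# Added example (not from the wiki page): record SHA-256 hashes of every file on
# the unencrypted boot partition, keep the manifest on trusted removable media,
# and verify the partition before typing the cgd passphrase.
# Assumes sha256sum (GNU) or NetBSD's 'cksum -a SHA256 -q' is available.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum -a SHA256 -q "$1"
    fi
}

# make_manifest DIR OUT: one "<sha256> <relative path>" line per regular file
make_manifest() {
    : > "$2"
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "${f#"$1"/}" >> "$2"
    done
}

# verify_manifest DIR MANIFEST: reports MODIFIED/MISSING/ADDED files, returns 1 on any
verify_manifest() {
    dir=$1 manifest=$2 status=0
    while read -r want rel; do
        if [ ! -f "$dir/$rel" ]; then
            echo "MISSING  $rel"; status=1
        elif [ "$(hash_file "$dir/$rel")" != "$want" ]; then
            echo "MODIFIED $rel"; status=1
        fi
    done < "$manifest"
    # a file on disk the manifest never saw is as suspicious as a changed one
    added=$(find "$dir" -type f | while read -r f; do
        rel=${f#"$dir"/}
        cut -d' ' -f2- "$manifest" | grep -Fxq -- "$rel" || echo "ADDED    $rel"
    done)
    [ -z "$added" ] || { echo "$added"; status=1; }
    return $status
}

# demo on a constructed directory standing in for /altroot
root=$(mktemp -d) && mkdir -p "$root/sbin" && echo 'original cgdconfig' > "$root/sbin/cgdconfig"
make_manifest "$root" "$root.manifest"
verify_manifest "$root" "$root.manifest" && echo "boot partition matches manifest"
echo 'trojaned' > "$root/sbin/cgdconfig"
verify_manifest "$root" "$root.manifest" || echo "do NOT enter the passphrase"
rm -rf "$root" "$root.manifest"
```

In practice the manifest is generated once from a known-good install and the verification step is run from a live medium you control, since a check run by binaries on the same unencrypted partition proves nothing.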
The NetBSD Guide contains [an entire section about CGD][2].

The boot process
----------------

really ran from a chroot in `/altroot`.

Obtaining the kernel module
---------------------------

The `cgdroot.kmod` kernel module is part of the regular NetBSD releases since NetBSD 7.0. It can be found in the `<arch>/installation/miniroot` folder from the release. For instance, for the amd64 architecture on the German mirror for the 7.0.1 release, download it at [ftp.de.netbsd.org/pub/NetBSD/NetBSD-7.0.1/amd64/installation/miniroot/cgdroot.kmod](ftp://ftp.de.netbsd.org/pub/NetBSD/NetBSD-7.0.1/amd64/installation/miniroot/cgdroot.kmod).

Configuring the kernel module
-----------------------------

References
----------

* [Full Disk Encryption with cgd (well, almost)][1]
* [The cryptographic device driver (CGD)][2]

[1]: https://mail-index.netbsd.org/current-users/2013/03/21/msg022311.html "Full Disk Encryption with cgd (well, almost)"
[2]: http://www.netbsd.org/docs/guide/en/chap-cgd.html "The cryptographic device driver (CGD)"