--- wikisrc/security/cgdroot.mdwn 2017/02/10 11:08:32 1.13 +++ wikisrc/security/cgdroot.mdwn 2018/01/14 04:12:25 1.15 @@ -19,7 +19,7 @@ The boot partition on disk needs to cont * a GENERIC kernel * the `cgdroot.kmod` kernel module * the configuration file for CGD, `cgd.conf` -* the encryption key for the volume to start from, named after its partition (like `wd0f`) +* the CGD parameters file for the volume, named after its partition (like `wd0f`), which determines how the encryption key is derived and verified Once loaded the memory disk mounts the `wd0a` partition onto `/etc/cgd`, and asks for the encryption passphrase as usual (with [[!template id=man name="cgdconfig" section="8"]]). If successful, the `cgd0a` volume configured is mounted on `/altroot`, and [[!template id=man name="init" section="8"]] is told via [[!template id=man name="sysctl" section="7"]] to chroot into this volume before actually booting. The system then starts normally. @@ -76,6 +76,8 @@ This setup is not entirely safe against It is also possible to boot a Xen DOM0 system with root filesystem encryption. However, Xen-enabled NetBSD kernels currently do not support loading modules at boot-time. The memory disk has to be placed directly inside the kernel instead (with [[!template id=man name="mdconfig" section="8"]] or a new kernel configuration). +It should really be possible to install NetBSD this way with [[!template id=man name="sysinst" section="8"]]. Unfortunately this is not supported yet. + References ----------
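Review bot: In the first hunk, the new wording "the CGD parameters file for the volume ... which determines how the encryption key is derived and verified" is an improvement over "the encryption key for the volume", but the list item should say how this file relates to the `cgd.conf` entry above it (the parameters file is what `cgd.conf` points at for that partition) and make explicit that it lives on the unencrypted boot partition, so readers do not mistake it for secret key material. Suggest something like: "the CGD parameters file referenced from `cgd.conf`, named after its partition (like `wd0f`); it records how the key is derived from the passphrase and verified, and is stored unencrypted alongside the kernel".

Review bot: In the second hunk, "It should really be possible to install NetBSD this way with sysinst(8). Unfortunately this is not supported yet." reads as editorial and will go stale with no release reference. Suggest stating it as a plain limitation with the version it applies to, e.g. "sysinst(8) cannot set up an encrypted root as of [release placeholder]; the steps above must be performed by hand", and placing it in the "not entirely safe" section where the other caveats already live rather than immediately before "References".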