Diff for /wikisrc/security/cgdroot.mdwn between versions 1.13 and 1.16

version 1.13, 2017/02/10 11:08:32 version 1.16, 2018/02/23 17:19:02
Line 1 Line 1
 Root filesystem encryption  [[!meta title="Root Filesystem Encryption"]]
 ==========================  
   
 It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. It is named after CGD, the "cryptographic device driver", which implements encryption for storage in the NetBSD kernel.  It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. It is named after CGD, the "cryptographic device driver", which implements encryption for storage in the NetBSD kernel.
   
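Review bot: the unchanged context line on both sides of this hunk still reads "also knows as RAM disk"; since this revision already touches the head of the file, fix it to "also known as RAM disk" in the same commit. Replacing the Setext heading with the `[[!meta title="Root Filesystem Encryption"]]` directive is the right way to set the page title in ikiwiki; the change in title capitalization is cosmetic and needs no further action.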
Line 19  The boot partition on disk needs to cont Line 18  The boot partition on disk needs to cont
 * a GENERIC kernel  * a GENERIC kernel
 * the `cgdroot.kmod` kernel module  * the `cgdroot.kmod` kernel module
 * the configuration file for CGD, `cgd.conf`  * the configuration file for CGD, `cgd.conf`
 * the encryption key for the volume to start from, named after its partition (like `wd0f`)  * the CGD parameters file for the volume, named after its partition (like `wd0f`), which determines how the encryption key is derived and verified
   
 Once loaded the memory disk mounts the `wd0a` partition onto `/etc/cgd`, and asks for the encryption passphrase as usual (with [[!template id=man name="cgdconfig" section="8"]]). If successful, the `cgd0a` volume configured is mounted on `/altroot`, and [[!template id=man name="init" section="8"]] is told via [[!template id=man name="sysctl" section="7"]] to chroot into this volume before actually booting. The system then starts normally.  Once loaded the memory disk mounts the `wd0a` partition onto `/etc/cgd`, and asks for the encryption passphrase as usual (with [[!template id=man name="cgdconfig" section="8"]]). If successful, the `cgd0a` volume configured is mounted on `/altroot`, and [[!template id=man name="init" section="8"]] is told via [[!template id=man name="sysctl" section="7"]] to chroot into this volume before actually booting. The system then starts normally.
   
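Review bot: the rewording of the last list item fixes a misleading claim rather than just style. The old text, "the encryption key for the volume ... named after its partition (like `wd0f`)", read as if the key itself sat in plaintext on the unencrypted boot partition next to `cgd.conf`, which would defeat the purpose of encrypting the root filesystem; what actually lives there is the cgdconfig(8) parameters file, and the new text correctly says it only determines how the key is derived and verified, the key being derived at boot from the passphrase that the following paragraph says cgdconfig prompts for. Consider saying that last part explicitly in the list item ("the key itself is derived from the passphrase at boot"), since it is the property a reader evaluating this setup most wants confirmed. Minor, in the context line: "Once loaded the memory disk mounts" needs a comma after "loaded".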
Line 76  This setup is not entirely safe against  Line 75  This setup is not entirely safe against 
   
 It is also possible to boot a Xen DOM0 system with root filesystem encryption. However, Xen-enabled NetBSD kernels currently do not support loading modules at boot-time. The memory disk has to be placed directly inside the kernel instead (with [[!template id=man name="mdconfig" section="8"]] or a new kernel configuration).  It is also possible to boot a Xen DOM0 system with root filesystem encryption. However, Xen-enabled NetBSD kernels currently do not support loading modules at boot-time. The memory disk has to be placed directly inside the kernel instead (with [[!template id=man name="mdconfig" section="8"]] or a new kernel configuration).
   
   It should really be possible to install NetBSD this way with [[!template id=man name="sysinst" section="8"]]. Unfortunately this is not supported yet.
   
 References  References
 ----------  ----------
   
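Review bot: the added paragraph states the status as an aside ("It should really be possible ... Unfortunately this is not supported yet") and sits directly after the Xen DOM0 paragraph, so it can be read as a Xen-specific limitation. State it plainly and generally, e.g. "sysinst(8) does not yet support installing a system with an encrypted root filesystem; the setup has to be done by hand", and place it with the installation instructions rather than between the Xen note and the References heading, so readers do not look for a sysinst option that does not exist.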
