--- wikisrc/security/cgdroot.mdwn 2016/06/22 09:02:18 1.6 +++ wikisrc/security/cgdroot.mdwn 2016/06/22 09:08:50 1.7 @@ -3,7 +3,7 @@ Root filesystem encryption It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. -Full disk encryption makes it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modifiedto send the passphrase away, allowing an attacker with a disk dump to recover the data. +Full disk encryption makes it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data. The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`).
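Review bot: the unchanged context line just above the fix still reads "also knows as RAM disk", which should be "also known as a RAM disk"; since this revision is a typo fix in the adjacent paragraph, that one could be folded in as well. Separately, the corrected sentence describes the modified `cgdconfig` risk only for partial encryption, yet the trailing context line says one unencrypted partition (typically `wd0a`) is still required to boot from. Consider stating explicitly that whatever is loaded from that partition at boot remains modifiable by the same attacker, so readers do not take "complete root filesystem encryption" to mean the boot path is protected against tampering.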