version 1.6, 2016/06/22 09:02:18
|
version 1.7, 2016/06/22 09:08:50
|
Line 3 Root filesystem encryption
|
Line 3 Root filesystem encryption
|
|
|
It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. |
It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. |
|
|
Full disk encryption makes it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modifiedto send the passphrase away, allowing an attacker with a disk dump to recover the data. |
Full disk encryption makes it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data. |
|
|
The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`). |
The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`). |
|
|
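Review bot: the first paragraph still reads "also knows as RAM disk" in both version 1.6 and version 1.7; "knows" should be "known". Since this revision only corrects "modifiedto" to "modified to" in the second paragraph, the same typo pass could fix that line too. The phrase "send the passphrase away" in the changed sentence is also vague; wording such as "send the passphrase to the attacker" would state the risk more directly.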