version 1.7, 2016/06/22 09:08:50
|
version 1.8, 2017/02/10 10:42:44
|
Line 1
|
Line 1
|
Root filesystem encryption |
Root filesystem encryption |
========================== |
========================== |
|
|
It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. |
It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. It is named after CGD, the "cryptographic device driver", which implements encryption for storage in the NetBSD kernel. |
|
|
Full disk encryption makes it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data. |
Full disk encryption makes it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data. |
|
|
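Review bot: The revised opening paragraph still reads "also knows as RAM disk"; since this line is being touched, correct it to "also known as". The added sentence "It is named after CGD" follows "It really is a memory disk", so the reader has to trace "It" back to `cgdroot.kmod`; opening with "The module is named after CGD" removes the ambiguity. CGD could also be linked with the same man template the page already uses for cgdconfig, so readers can reach the driver's documentation.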
Line 18 The boot partition on disk only needs to
|
Line 18 The boot partition on disk only needs to
|
* [[!template id=man name="boot.cfg" section="5"]], the configuration file for the bootloader (optional) |
* [[!template id=man name="boot.cfg" section="5"]], the configuration file for the bootloader (optional) |
* a GENERIC kernel |
* a GENERIC kernel |
* the `cgdroot.kmod` kernel module |
* the `cgdroot.kmod` kernel module |
* configuration and encryption key for the encrypted volume to start from (`cgd.conf`) |
* the configuration file for CGD, `cgd.conf` |
|
* the encryption key for the volume to start from, named after its partition (like `wd0f`) |
|
|
Once loaded the memory disk mounts the `wd0a` partition onto `/etc/cgd`, and asks for the encryption passphrase as usual (with [[!template id=man name="cgdconfig" section="8"]]). If successful, the `cgd0a` volume configured is mounted on `/altroot`, and [[!template id=man name="init" section="8"]] is told via [[!template id=man name="sysctl" section="7"]] to chroot into this volume before actually booting. The system then starts normally. |
Once loaded the memory disk mounts the `wd0a` partition onto `/etc/cgd`, and asks for the encryption passphrase as usual (with [[!template id=man name="cgdconfig" section="8"]]). If successful, the `cgd0a` volume configured is mounted on `/altroot`, and [[!template id=man name="init" section="8"]] is told via [[!template id=man name="sysctl" section="7"]] to chroot into this volume before actually booting. The system then starts normally. |
|
|
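Review bot: The new bullet "the encryption key for the volume to start from, named after its partition (like `wd0f`)" places a key file on the unencrypted boot partition, while the following paragraph says the passphrase is asked for at boot, and the text does not say how the two relate. State whether the file is usable without the passphrase, because as worded a reader may conclude that a copy of the boot partition is enough to decrypt the volume. The `wd0f` example also does not connect to the `wd0a` and `cgd0a` names in the paragraph below; say which partition backs `cgd0a`.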