|
version 1.8, 2017/02/10 10:42:44
|
version 1.9, 2017/02/10 10:54:56
|
|
Line 3 Root filesystem encryption
|
Line 3 Root filesystem encryption
|
| |
|
| It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. It is named after CGD, the "cryptographic device driver", which implements encryption for storage in the NetBSD kernel. |
It is possible to run NetBSD with [complete root filesystem encryption][1], thanks to the `cgdroot.kmod` kernel module. It really is a memory disk (also knows as RAM disk) that is expected to be loaded in the kernel while booting. It is named after CGD, the "cryptographic device driver", which implements encryption for storage in the NetBSD kernel. |
| |
|
| Full disk encryption makes it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data. |
The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`). Full disk encryption would make it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data. |
| |
|
| The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`). |
|
| |
|
| The boot process |
The boot process |
| ---------------- |
---------------- |
| |
|
| Instead of booting normally the GENERIC kernel and using the root filesystem, a kernel module is loaded at boot-time containing a memory disk. This minimal filesystem image is then considered the actual root filesystem. |
Instead of booting the GENERIC kernel normally and using the root filesystem directly as usual, a special kernel module containing a memory disk is loaded at boot-time. This minimal filesystem image will then be the actual root filesystem, where the decryption process takes place. |
| |
|
| The boot partition on disk only needs to contain: |
The boot partition on disk needs to contain: |
| |
|
| * [[!template id=man name="boot" section="8"]], the second-stage bootloader |
* [[!template id=man name="boot" section="8"]], the second-stage bootloader |
| * [[!template id=man name="boot.cfg" section="5"]], the configuration file for the bootloader (optional) |
* [[!template id=man name="boot.cfg" section="5"]], the configuration file for the bootloader (optional) |
![[BACK]](/icons/back.gif){kind=icon}
Return to cgdroot.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / security