--- wikisrc/security/cgdroot.mdwn 2017/02/10 10:54:56 1.9 +++ wikisrc/security/cgdroot.mdwn 2017/02/10 10:55:36 1.10 @@ -5,6 +5,8 @@ It is possible to run NetBSD with [compl The mechanism described here still requires one unencrypted partition to boot from (typically `wd0a`). Full disk encryption would make it more difficult for an attacker to modify the unencrypted part of the disk to plant a backdoor. With only partial encryption, the original [[!template id=man name="cgdconfig" section="8"]] binary may be modified to send the passphrase away, allowing an attacker with a disk dump to recover the data. +The NetBSD Guide contains [an entire section about CGD][2]. + The boot process ---------------- @@ -76,5 +78,7 @@ References ---------- * [Full Disk Encryption with cgd (well, almost)][1] +* [The cryptographic device driver (CGD)][2] [1]: https://mail-index.netbsd.org/current-users/2013/03/21/msg022311.html "Full Disk Encryption with cgd (well, almost)" +[2]: http://www.netbsd.org/docs/guide/en/chap-cgd.html "The cryptographic device driver (CGD)"
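Review bot: In the first hunk (@@ -5,6 +5,8 @@), the added sentence calls the target "an entire section about CGD", but the URL it resolves to is `chap-cgd.html`, which is a chapter of the Guide. Suggest wording it as "a chapter on CGD" so the link text matches what the reader lands on. The sentence also follows directly after the paragraph on the limits of partial encryption; a short cue such as "For background on CGD itself, see ..." would make clear that the Guide covers general CGD setup rather than the root-on-cgd mechanism this page describes.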
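Review bot: In the second hunk (@@ -76,5 +78,7 @@), the new link definition `[2]: http://www.netbsd.org/docs/guide/en/chap-cgd.html` uses plain `http://`, while the existing `[1]` entry uses `https://`. On a page about protecting the boot path from tampering, the documentation link should not be fetched over an unauthenticated channel; suggest switching `[2]` to `https://`, provided the site serves that path over TLS, which also keeps the two reference entries consistent.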