NetBSD-Users archive


Re: fresh install, encrypt as much as possible



   I want to do a fresh installation, and encrypt as much as possible.
   Suppose I will have just one filesystem with everything on it.  It seems
   with cgd it is only possible to encrypt certain directories of the root
   filesystem, after NetBSD is already installed, and then restore these
   directories from backup into the newly-created cgd filesystems.  Is
   there a quicker way to do this, like during installation?

   According to the guide for cgd, I need to "leave at least the small root
   (/) filesystem unencrypted, in order to load the kernel and run init,
   cgdconfig and the rc.d scripts that configure your cgd."  What is the
   "small root filesystem" that I need to leave unencrypted?

   Thanks


Hello...

I use full disk encryption with cgd on a T530 laptop for work.  In my
particular case, I put the boot disk on an external flash device, a PCI
express card, in fact, but I could have also used a usb stick stuck in a
usb slot.  This external boot disk boots up Xen 4.5 + NetBSD as DOM0.  On
the boot disk is a /etc/rc.d with some highly modified rc scripts that
prompts for the disk key to the hard drive in the laptop, which is fully
encrypted and unbootable.  Once the hard drive's "root" filesystem is
mounted under /cryptroot, the modified rc scripts set the init.root
sysctl to /cryptroot and "exit".  This prompts init to do a chroot to
/cryptroot and start the re-read of the rc scripts all over again.

The boot disk is tiny, just 55MB or so, and mostly contains /rescue, with
/bin and /usr/bin symlinked to it.  A /var and a /libdata also exist, the
latter because any firmware that needs to be loaded will be loaded from the
boot disk and not the chroot filesystem on the hard drive.  A /dev exists,
populated with all of the usual devices.  There is some other stuff like
/stand for modules, and so on.

I suspect that you could also form up a small partition on the hard drive
that wasn't encrypted in much the same manner as I did with my external
boot disk and do the same thing.  In that case, another partition would be
the "crypt" root that was actually encrypted.

The contents of the hard drive were hand populated, as I did not think that
the usual installer could deal with such a set up and I have never really
used it anyway.  Updates are done by compiling up a new system as a
distribution, making a tar ball of the distribution and untarring it over the
old one, with a postinstall run afterwards.  The hard drive cryptroot uses lvm
with just the "root" filesystem outside of the lvm structure.  All of the
other encrypted filesystems are done with lvm.  The reason for this is
that the lvm utilities are not in the /rescue directory on the boot disk
and I would have had to make my boot disk much larger to include them.
The other trick is that the boot disk can not be updated while
mounted, so actually I have two bootable partitions on the PCI express
device and update the one that isn't being used, switch and update the
other.  This also provides for a backup should something happen.

When I travel or will be away from the system while it is off, I remove
the PCI express card and store it separately from the laptop.

I can probably provide a tar copy of the boot disk, without cgd configs,
of course, if you wish.  It is pretty small.





-- 
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS
http://anduin.eldar.org  - & -  http://anduin.ipv6.eldar.org [IPv6 only]
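The hand-off Brad describes (attach the cgd, mount the real root under
/cryptroot, set init.root, let init chroot and re-run rc) as an added sh
example.  This is not Brad's boot-disk script and not part of NetBSD; it is
a sketch of the one step his "highly modified rc scripts" perform, meant to
be called early in the boot disk's rc sequence.  The device names (wd0a,
cgd0, partition a), the params file path /etc/cgd/wd0a (cgdconfig's default
for /dev/wd0a) and the /cryptroot mount point are assumptions; change them
to match your layout.  DRY_RUN=1 prints the command sequence instead of
running it so the ordering can be checked on a host without cgd.

```shell
#!/bin/sh
# Added example, not Brad's scripts: hand a NetBSD boot disk over to an
# encrypted root via cgd and the init.root sysctl.  Device names, the
# params file path and /cryptroot are assumptions for illustration.

CRYPT_DEV="${CRYPT_DEV:-wd0a}"                   # partition holding the cgd container (assumed)
CGD_DEV="${CGD_DEV:-cgd0}"                       # cgd pseudo-device to attach it to (assumed)
CGD_PARAMS="${CGD_PARAMS:-/etc/cgd/$CRYPT_DEV}"  # cgdconfig(8) params, kept on the boot disk
ROOT_PART="${ROOT_PART:-a}"                      # disklabel partition inside the cgd holding /
CRYPT_ROOT="${CRYPT_ROOT:-/cryptroot}"           # staging mount point on the boot disk
DRY_RUN="${DRY_RUN:-0}"                          # 1: print the commands instead of running them

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
        return 0
    fi
    "$@"
}

# True once init.root points somewhere other than /: either we are already
# inside the chroot or the script ran twice, and the cgd must not be
# attached again.  A missing sysctl (non-NetBSD host) counts as "/".
already_handed_over() {
    root=$(sysctl -n init.root 2>/dev/null) || root=/
    [ -n "$root" ] && [ "$root" != / ]
}

cryptroot_start() {
    if already_handed_over; then
        echo "cryptroot: init.root is already set, nothing to do" >&2
        return 0
    fi

    # 1. Attach the cgd.  cgdconfig reads cipher, IV method and key
    #    generation from $CGD_PARAMS and prompts on the console for the
    #    passphrase; the boot disk alone cannot decrypt the drive.
    run cgdconfig "$CGD_DEV" "/dev/$CRYPT_DEV" "$CGD_PARAMS" || return 1

    # 2. Preen the filesystem inside the cgd before mounting it read-write.
    run fsck -p "/dev/r${CGD_DEV}${ROOT_PART}" || return 1

    # 3. Mount the real root under the staging directory on the boot disk.
    run mkdir -p "$CRYPT_ROOT" || return 1
    run mount "/dev/${CGD_DEV}${ROOT_PART}" "$CRYPT_ROOT" || return 1

    # 4. Hand over.  When the boot disk's /etc/rc finishes, init(8) sees
    #    init.root != / and chroots there, then runs the /etc/rc it finds
    #    inside.  That tree must not contain this script, or it would loop.
    run sysctl -w "init.root=$CRYPT_ROOT" || return 1
}

# Back out of a failed attempt so the passphrase can be retried by hand.
cryptroot_abort() {
    run umount "$CRYPT_ROOT" 2>/dev/null
    run cgdconfig -u "$CGD_DEV"
}

case "${1:-}" in
    start)   cryptroot_start || { cryptroot_abort; exit 1; } ;;
    dry-run) DRY_RUN=1; cryptroot_start ;;
    *)       ;;   # sourced, or run without a verb: only define the functions
esac
```

`sh cryptroot.sh dry-run` prints the five commands in order; `start` is what
the rc.d wrapper on the boot disk would invoke.  The important ordering
point is step 4: init.root is set only after the encrypted root is fscked
and mounted, so a wrong passphrase or a damaged filesystem leaves you in the
boot disk's rescue environment rather than in a half-configured chroot.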

