Subject: Re: enabling cgd by default
To: None <tech-kern@NetBSD.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-kern
Date: 08/08/2007 09:39:48

On Tue, 07 Aug 2007, Alistair Crooks wrote:
> On Tue, Aug 07, 2007 at 12:26:44PM +0200, Alan Barrett wrote:
> > None of our GENERIC* or INSTALL* kernels include support for cgd (the
> > encrypted disk driver). What is the reason for this (e.g. legal
> > concerns, kernel size concerns, software quality concerns, nobody has
> > got around to enabling it yet)?
>
> In the past, it's been because we don't ship crypto by default,
> just in case it makes it to one of the proscribed countries, I
> suppose.

That was true long ago, but nowadays we ship crypto sources and binaries
by default. Most kernels don't have options IPSEC, but a few do; I was
told that the omission was for speed rather than due to legal concerns.

> What do other operating systems do about this?

FreeBSD has gbde(4) and geli(4). Both are shipped as loadable modules,
or can be compiled into a custom kernel.

OpenBSD has crypto in the vnd(4) driver, enabled by default.
I found some web pages that say Linux needs kernel patches, and others
that say you have to load some modules.

--apb (Alan Barrett)