tech-security archive


Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)



On Mon, Mar 23, 2009 at 12:54 PM, David Brownlee <abs%netbsd.org@localhost> wrote:
>> Without something like TPM, doesn't solve the unattended server
>> problem, though perhaps that does require a more complex solution
>> (such as a ramdisk or small root partition, over which / is remounted)
>> to allow the key to be stored in a more flexible manner.

> Could you clarify how the latter would work - is the intention
> to allow the system to boot up to a point where the administrator
> can connect in to finish cgd configuration and remount?

No, it's much more simplistic than that -- storage of a (possibly
partial) key on a removable device so that the machine can fully start
unattended, but only with the extra media device in place.  Sort of a
"poor man's TPM".  This provides some of the benefits of encryption,
such as in-built resistance to media-level data forensics, and
unreadability of the physical disk outside of the machine in which it
was installed.  The idea is to make a common attacker (someone who
might run off with a pulled-out drive) eventually not so common.

I've accomplished the more complicated setup you describe with a
remount of / (done using ssh over Tor, no less) but it's just way too
painful for words.  You'd be better off with a serial-capable BIOS or
a Weasel and ssh'able console server in that case.  (Or as an
alternative, a basic boot system with the base OS to be used at full
runtime, but with /home, most of /var, /tmp, and other writable areas
on a manually mounted cgd; that would not require a remount of /.)

-- 
-- Todd Vierling <tv%duh.org@localhost> <tv%pobox.com@localhost> <todd%vierling.name@localhost>
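The "poor man's TPM" split-key idea in the message above, as an added example that is not part of the original post and not NetBSD or cgd code: the volume key is split into two XOR shares, one written to the removable stick and one kept on the root filesystem, plus an HMAC check value so a boot script can tell a missing or wrong stick apart from a good one before anything is handed to cgdconfig. The file names (media.share, disk.share, key.verifier), the HMAC label and the 256-bit key size are assumptions; feeding the recovered key to cgdconfig is left as a noted hypothetical step.

```python
"""Split-key helper for unattended cgd boot: one share on removable media,
one share on the root filesystem, XORed back together at boot.
Added example; not NetBSD code and not from the original post."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

KEY_BYTES = 32  # 256-bit key, e.g. a cgd aes-cbc volume with keylength 256 (assumed)
VERIFIER_LABEL = b"cgd-split-key-verifier"  # arbitrary fixed label (assumption)


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Return (media_share, disk_share) such that media_share ^ disk_share == key.

    media_share is fresh randomness, so the disk share on its own is
    independent of the key: a pulled drive carries no usable key material."""
    media_share = secrets.token_bytes(len(key))
    disk_share = bytes(k ^ m for k, m in zip(key, media_share))
    return media_share, disk_share


def key_verifier(key: bytes) -> bytes:
    """Check value stored beside the disk share: HMAC-SHA256 over a fixed label.

    Lets the boot script reject a wrong or stale stick before the key reaches
    cgdconfig, without revealing the key (HMAC is one-way in the key)."""
    return hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()


def assemble_key(media_share: Optional[bytes], disk_share: bytes,
                 verifier: bytes) -> Optional[bytes]:
    """Recombine the shares; None means the stick is absent or wrong.

    None is the signal to leave the cgd unconfigured and carry on booting,
    which is the unattended behaviour the thread describes."""
    if media_share is None or len(media_share) != len(disk_share):
        return None
    key = bytes(m ^ d for m, d in zip(media_share, disk_share))
    if not hmac.compare_digest(key_verifier(key), verifier):
        return None  # wrong stick: do not pass garbage to cgdconfig
    return key


def read_share(path: str) -> Optional[bytes]:
    """Read a share file; a missing file (no stick plugged in) yields None."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def provision(key: bytes, media_dir: str, disk_dir: str) -> None:
    """Write the three files. Assumed layout: the stick carries media.share,
    the root filesystem carries disk.share and key.verifier."""
    media_share, disk_share = split_key(key)
    with open(os.path.join(media_dir, "media.share"), "wb") as fh:
        fh.write(media_share)
    with open(os.path.join(disk_dir, "disk.share"), "wb") as fh:
        fh.write(disk_share)
    with open(os.path.join(disk_dir, "key.verifier"), "wb") as fh:
        fh.write(key_verifier(key))


def boot_time_key(media_dir: str, disk_dir: str) -> Optional[bytes]:
    """What an rc script would call: the key, or None if no (or a wrong) stick."""
    return assemble_key(
        read_share(os.path.join(media_dir, "media.share")),
        read_share(os.path.join(disk_dir, "disk.share")) or b"",
        read_share(os.path.join(disk_dir, "key.verifier")) or b"",
    )


if __name__ == "__main__":
    import tempfile
    key = secrets.token_bytes(KEY_BYTES)
    with tempfile.TemporaryDirectory() as stick, tempfile.TemporaryDirectory() as root:
        provision(key, stick, root)
        print("stick present:", boot_time_key(stick, root) == key)
        os.remove(os.path.join(stick, "media.share"))
        print("stick absent :", boot_time_key(stick, root))
    # The recovered key would then be handed to cgdconfig (hypothetical step,
    # for instance via a storedkey params file); that hand-off is not modelled.
```

Because the media share is uniformly random and the disk share is key XOR media, neither file alone says anything about the key, so the drive-theft attacker the message has in mind gets nothing from the pulled disk; the verifier only confirms a candidate key and cannot be reversed into one.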

