tech-security archive


Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)



On Mon, 23 Mar 2009, Todd Vierling wrote:

> On Mon, Mar 23, 2009 at 12:54 PM, David Brownlee <abs%netbsd.org@localhost> wrote:
>>> Without something like TPM, doesn't solve the unattended server
>>> problem, though perhaps that does require a more complex solution
>>> (such as a ramdisk or small root partition, over which / is remounted)
>>> to allow the key to be stored in a more flexible manner.
>>
>>        Could you clarify how the latter would work - is the intention
>>        to allow the system to boot up to a point where the administrator
>>        can connect in to finish cgd configuration and remount?
>
> No, it's much more simplistic than that -- storage of a (possibly
> partial) key on a removable device so that the machine can fully start
> unattended, but only with the extra media device in place.  Sort of a
> "poor man's TPM".  This provides some of the benefits of encryption,
> such as in-built resistance to media-level data forensics, and
> unreadability of the physical disk outside of the machine in which it
> was installed.  The idea is to make a common attacker (someone who
> might run off with a pulled-out drive) eventually not so common.

        Then at the risk of feeping creatures... why can't the boot block
        do that? Either the bootblocks and external config lie on the
        USBkey or similar and then it configures the cgd on the main
        disk and then loads the kernel from it, or the bootblocks can
        read some additional config from the USBkey before mounting
        the main cgd, and even better can pass that extra data across
        to the kernel...

--
                David/absolute       -- www.NetBSD.org: No hype required --
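The "poor man's TPM" scheme Todd describes (part of the disk key lives on removable media, the rest on the machine, and the disk only configures when both are present), shown as an added example; this is not code from the thread or from NetBSD's cgd, and it assumes a 32-byte disk key, a plain XOR split, and a SHA-256 fingerprint standing in for cgd's own key verification step:

```python
import hashlib
import secrets

# Constructed illustration of a split disk key: one share on removable
# media, one share on the machine, neither useful alone.  The 32-byte key
# length and the fingerprint format are assumptions for this example.
KEY_LEN = 32


def split_key(disk_key):
    """Split disk_key into two XOR shares.

    The share destined for the removable device is fresh random bytes, so by
    itself it says nothing about the key.  The share left on the machine is
    key XOR media_share, which is equally uniform: a pulled-out drive yields
    only random-looking bytes.
    """
    if len(disk_key) != KEY_LEN:
        raise ValueError("disk key must be %d bytes" % KEY_LEN)
    media_share = secrets.token_bytes(KEY_LEN)
    local_share = bytes(a ^ b for a, b in zip(disk_key, media_share))
    return local_share, media_share


def combine_shares(local_share, media_share):
    """Reconstruct the disk key from both shares (XOR is its own inverse)."""
    if len(local_share) != KEY_LEN or len(media_share) != KEY_LEN:
        raise ValueError("share has wrong length")
    return bytes(a ^ b for a, b in zip(local_share, media_share))


def key_fingerprint(disk_key):
    """Verification value stored in the clear beside the local share.

    It lets boot-time code reject a wrong or missing media share before any
    mount attempt, without revealing the key itself (assumed format).
    """
    return hashlib.sha256(b"cgd-key-check:" + disk_key).hexdigest()


def unattended_boot(local_share, fingerprint, media_share):
    """Return the disk key if the removable share is present and correct,
    otherwise None.

    A missing device (media_share is None) and a drive moved into another
    machine that holds a different share both fail here, which is the
    property the scheme is after.
    """
    if media_share is None:
        return None
    candidate = combine_shares(local_share, media_share)
    if key_fingerprint(candidate) != fingerprint:
        return None
    return candidate


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)
    local, media = split_key(key)
    fp = key_fingerprint(key)
    print("with media:   ", unattended_boot(local, fp, media) == key)
    print("without media:", unattended_boot(local, fp, None))
```

In cgd terms the same split maps onto a params file with more than one keygen block, which cgdconfig(8) combines by XOR, so the removable device can carry a storedkey block while the second block stays on the machine; the fingerprint check above plays the role of cgd's verification method, which is what lets an unattended boot fail cleanly instead of mounting garbage.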

