Password from shsec when booting eli encrypted / ?

Frank J. Beckmann frank at barda.agala.net
Wed Oct 19 17:32:51 PDT 2005


Hello,

On Wednesday, 28 September 2005 10:43, Pawel Jakub Dawidek wrote:
> On Tue, Sep 27, 2005 at 01:57:30PM +0200, Frank J. Beckmann wrote:
> +> I start to love the new geom classes, they give me many ideas but also
> +> raise many questions. The man page of geli states that you can encrypt /
> +> when you boot from a USB pen-drive. That must contain /boot. Does it
> +> find / or do I have to set rootdev in loader.conf?
>
> You need to setup USB boot in BIOS and that's actually all.

None of my computers is able to boot from USB, but that's another problem. I
hope to get some newer hardware sooner or later...

> It will ask you for the passphrase before root file system is mounted and
> will find root partition in /etc/fstab after decryption.

That is how I understood the man page. But that is no great solution for an 
unattended server.

> +> And is it possible to get the password (or any other needed secret) from
> +> a gshsec device instead of a console prompt?
>
> No.

I guessed you would say that. Would it be possible to mount a shsec device
read-only like /? The kernel knows how to read a UFS file system, else it
could not boot.

> Currently you can use only passphrase strengthened with PKCS#5v2 for the
> root partition.
> There are no file systems mounted yet, so you cannot get the secret from
> a file. In theory it will be possible to get the secret from a raw device
> (storing info about this in /boot/loader.conf).
> BUT this is hackish and evil, so I'll wait for a better solution.

Where do I have to start looking for a better solution? Could the kernel be
made able to read from something in /dev/ufs?
-- 
Frank
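The two mechanisms this thread turns on, PKCS#5 v2 passphrase strengthening (what geli applies to the root-partition passphrase) and an all-or-nothing shared secret of the kind gshsec stores across several providers, can be illustrated in a few lines. The following is an added example, not code from geli, gshsec or anyone in the thread: the hash function (HMAC-SHA512), the iteration count, the key length and the `split_secret`/`join_secret` helpers are assumptions chosen for illustration, and geli's real on-disk key layout is not reproduced. Note the failure mode the split shows: with one provider missing, what comes back is indistinguishable from random, so the secret cannot be recovered from the other providers alone.

```python
"""Added illustration of PKCS#5 v2 passphrase strengthening and an
n-of-n XOR shared secret.  Not the geli/gshsec implementation; the
KDF parameters below are assumptions for the example."""
import hashlib
import os


def strengthen_passphrase(passphrase: str, salt: bytes, iterations: int,
                          key_len: int = 64, hash_name: str = "sha512") -> bytes:
    """PKCS#5 v2 (PBKDF2) with HMAC-<hash_name>, via hashlib.pbkdf2_hmac.

    HMAC-SHA512 and a 64-byte output are assumed defaults here; the point
    is that the same passphrase, salt and iteration count always yield the
    same key, and a changed iteration count yields an unrelated key."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase.encode("utf-8"),
                               salt, iterations, dklen=key_len)


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, n: int, rng=os.urandom) -> list:
    """Split `secret` into n shares such that ALL n are needed (n-of-n).

    n-1 shares are uniformly random; the last share is the secret XORed
    with all of them.  Any n-1 shares are jointly uniform random data and
    carry no information about the secret.  `rng(k)` must return k random
    bytes; it is a parameter so the split can be made deterministic."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [rng(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = _xor(last, s)
    shares.append(last)
    return shares


def join_secret(shares: list) -> bytes:
    """XOR all shares back together.  With a share missing this returns
    random-looking bytes rather than an error; callers must check."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = _xor(out, s)
    return out


def demo() -> dict:
    """Constructed inputs only: a fixed salt and passphrase."""
    salt = bytes(range(16))                      # constructed salt
    key = strengthen_passphrase("correct horse", salt, 2048)
    shares = split_secret(key, 3)
    return {
        "key_len": len(key),
        "recovered_ok": join_secret(shares) == key,
        "partial_ok": join_secret(shares[:2]) == key,  # one provider missing
    }


if __name__ == "__main__":
    print(demo())
```

The `partial_ok` result is `False`: with one provider missing, XORing the remaining shares gives bytes unrelated to the key, which is exactly why such a secret can only be collected once every provider is attached, and why that has to happen before the encrypted root is opened.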