Automatic Geli?

Robert Simmons rsimmons0 at gmail.com
Tue Apr 10 23:06:14 UTC 2012


On Tue, Apr 10, 2012 at 6:25 PM, Fa bio <fa-h-2007 at hotmail.com> wrote:
>
> Hello!
>
> The idea is: you can run the system but you cannot access the sources
> inside it, which is very interesting when you work with PHP, for example.
>
> So, when the machine is off nobody can read data from it because it is encrypted.
>
> When you turn the machine on it automatically enters a passphrase or key
> which are hidden somewhere that we cannot detect! Amazing!
>
> My guess is that the keys/passphrase are compiled inside the kernel, so
> it's quite impossible to access it, but at the same time you can use the
> system!
>
> I used the system without internet access and it mounted the partition
> ok! That's why I think that the "magic" is in the kernel!
>
> Any ideas how it's done?

There are two options:

1) The key is in a file on the CD.

2) It is using geli onetime.

The first choice above is stupid.  Every copy of the software is
therefore using the same key.  If you want to have a key that you
don't enter a passphrase for at boot: create the geli provider
yourself, and have the key on a removable device.  When the machine is
booting, the device is available.  When it is done, you remove your
device with the key and store it somewhere safe.  You can use a USB
drive or a CD for this.

The second choice above is more likely.  The cache software that the
OP mentioned would most likely be best served using geli onetime,
which makes sense.  If you want to read about geli onetime check the
man page:
http://www.freebsd.org/cgi/man.cgi?query=geli
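The two options from the reply, as an added example written for this thread (it is not code from the original message or from FreeBSD): a boot-time helper that fetches the key file from a removable device, refuses a key that is missing, too short or readable by anyone but its owner, attaches the provider with `geli attach -p -k`, and unmounts the device again so the key leaves with it; plus the `geli onetime -d` call for a cache or swap partition whose contents never need to survive a reboot. The device node `/dev/da0s1`, the mount point `/mnt/keyusb`, the provider `ada0p3` and the key file name are assumptions for illustration. The `GELI`, `MOUNT` and `UMOUNT` variables exist only so the logic can be exercised on a machine without geli.

```shell
#!/bin/sh
# Added example for the freebsd-geom thread above; not from the original
# message. Device, mount point, provider and key file name are assumptions.
GELI=${GELI:-geli}            # overridable so the logic can be tested without geli
MOUNT=${MOUNT:-mount}
UMOUNT=${UMOUNT:-umount}

KEY_DEV=${KEY_DEV:-/dev/da0s1}    # removable device carrying the key (assumed)
KEY_MNT=${KEY_MNT:-/mnt/keyusb}   # where it is mounted during boot (assumed)
PROVIDER=${PROVIDER:-ada0p3}      # encrypted provider (assumed)

# check_keyfile FILE: succeed only if FILE exists, is readable by its owner
# alone, and holds at least 64 bytes (the size "dd bs=64 count=1" produces).
check_keyfile() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "key file $f is missing" >&2; return 1
    fi
    # A key that group or other can read is as bad as a key on the CD.
    if [ -n "$(find "$f" -prune \( -perm -g+r -o -perm -o+r \) -print)" ]; then
        echo "key file $f is readable by group/other" >&2; return 1
    fi
    if [ "$(wc -c < "$f" | tr -d ' ')" -lt 64 ]; then
        echo "key file $f is too short" >&2; return 1
    fi
    return 0
}

# attach_from_removable: mount the key device read-only, attach the provider
# with the key file and no passphrase (-p -k), then unmount the device in
# every case so the key is not left sitting on the running machine.
attach_from_removable() {
    keyfile="$KEY_MNT/$PROVIDER.key"
    mkdir -p "$KEY_MNT" || return 1
    if ! "$MOUNT" -o ro "$KEY_DEV" "$KEY_MNT"; then
        echo "cannot mount key device $KEY_DEV" >&2
        return 1
    fi
    rc=0
    if check_keyfile "$keyfile"; then
        # geli reads the key into the kernel once; the file is not needed
        # after a successful attach.
        "$GELI" attach -p -k "$keyfile" "$PROVIDER" || rc=1
    else
        rc=1
    fi
    "$UMOUNT" "$KEY_MNT" || rc=1
    return $rc
}

# onetime_scratch PROVIDER: for a cache or swap partition. geli onetime
# generates a random key in the kernel and never stores it, so the plaintext
# is unrecoverable once the provider is detached; -d detaches on last close.
onetime_scratch() {
    "$GELI" onetime -d "$1"
}

# Usage: ./geli-boot.sh attach | ./geli-boot.sh scratch ada0p2
case "${1:-}" in
    attach)  attach_from_removable ;;
    scratch) onetime_scratch "$2" ;;
esac
```

The same attach step can be expressed without a script through rc.d/geli by setting `geli_devices="ada0p3"` and `geli_ada0p3_flags="-p -k /mnt/keyusb/ada0p3.key"` in `/etc/rc.conf`; the script form is shown because it makes the permission check and the unmount explicit, which is the part that separates a key on a removable device from a key on the CD.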
