Geli questions

[Jeff Palmer]

Hello,


Let me preface the email by saying I'm not overly familiar with geli,  and
it may already have the ability to do what I'm about to describe.

The scenario:   A FreeBSD based appliance at a customer premise.  The
customer really can't be trusted not to disasemble the box,  and gain
knowledge about the box configuration, software, and design.

The idea:  I'd like to use geli to encrypt *everything* on the disk.  So
if someone (a competitor maybe) removes the disk from the machine,   he
can't gain any data off of it easily.  I know nothing is 100%,  but why
make the process easy for him?

The problem:  I don't want the end user to have to do anything to the box,
  to have it "come back up" after a reboot/power failure.   The goal is an
appliance that the client just plugs in,  and forgets about it.

The plan:  the appliance would be persistantly connected to an SSL based
VPN server at my central office. (Think OpenVPN server)  I'd like a way
for geli to encrypt the entire disk,  but fetch the key from a server
located on the VPN.  this would require the appliance to boot up,  access
the internet (static IP), access the VPN (ssl key'd) and fetch the key
that geli needs.

Is this currently possible using geli (or even other software that I may
not have heard of)  or if not,   would it be overly difficult to
implement?


Any feedback or brainstorming would be GREATLY appreciated.


DrkShdw @ freenode (##FreeBSD)

P.S.  Sorry for the cross post from questions@,   I realized hackers@
would probably be more suited to this discussion.