geli(8) and amd(8) working together?

C. P. Ghost cpghost at
Sat Dec 18 20:55:16 UTC 2010


I'm wondering how to get the most out of geli(8)
encrypted volumes, in combination with something
like amd(8) (but without the overhead of NFS, if at
all possible) that mounts and umounts file systems
only as needed.

Basically, I'd like to mount a geli volume on demand
(e.g. via amd), but when amd umounts the volume for
lack of activity after some time, the geli provider should
also "forget" (overwrite in RAM) the key, i.e. detach itself
from the underlying geom provider.

When amd tries to mount the geli volume again, geli should
then ask for the key again (e.g. on the console).

The idea is to protect geli encrypted partitions that
are idle, so that even if the box is compromised and the
power is maintained (somehow), encrypted partition(s)
would still require a key after being idle for some time.

Any way or ideas how to implement this?


Cordula's Web.
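As an added illustration of the mechanism the post asks about (this is example code, not something from the original post or from FreeBSD's own tools): a small idle watcher that polls for open files on a geli-backed mount point, unmounts it once nothing has used it for a while, and then runs `geli detach`, which drops the key from kernel memory; the next `geli attach` on the provider prompts for the passphrase again. The script only detaches after a successful `umount`, so a file system with open files keeps its key rather than being yanked with `geli detach -f`. The provider `/dev/ada0p3`, its attached device `/dev/ada0p3.eli` and the mount point `/mnt/vault` are assumed names, and the `fstat -f` output layout (one header line, then one line per open file) is assumed from FreeBSD's fstat(1). For the unmount-driven half of the problem, `geli attach -d` marks a provider to detach on its own at last close, which is what an amd-initiated umount would need; the script below instead does the detach explicitly.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): idle watcher
# for a geli-backed file system. Polls for open files on the mount point;
# after IDLE_LIMIT seconds without any, it unmounts the file system and
# detaches the geli provider so the key leaves kernel memory.
#
# Assumed names: /dev/ada0p3.eli (attached geli device), /mnt/vault (mount
# point). The fstat -f output format (header line + one line per open
# file) is assumed from FreeBSD's fstat(1).

IDLE_LIMIT=${IDLE_LIMIT:-600}    # seconds of inactivity before detaching
POLL=${POLL:-30}                 # seconds between checks
DRY_RUN=${DRY_RUN:-0}            # 1: print the commands instead of running them

# Pure policy decision: succeed (exit 0) once idle time reaches the limit.
# Kept separate so the policy can be checked without touching geli.
should_detach() {
    idle=$1
    limit=$2
    [ "$idle" -ge "$limit" ]
}

# Number of files currently open on the file system mounted at $1.
# fstat -f lists open files per file system; the header line is dropped.
open_files() {
    mnt=$1
    n=0
    if command -v fstat >/dev/null 2>&1; then
        n=$(fstat -f "$mnt" 2>/dev/null | wc -l)
        [ "$n" -gt 0 ] && n=$(( n - 1 ))
    fi
    echo "$n"                    # no fstat (not FreeBSD): reported as idle
}

# Run a command, or only show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# Unmount first and detach only when the unmount succeeded: detaching a
# still-mounted provider would require "geli detach -f", which pulls the
# device out from under the file system.
detach_volume() {
    eli_dev=$1
    mnt=$2
    if run umount "$mnt"; then
        run geli detach "$eli_dev"
    else
        echo "umount $mnt failed (files still open?); key stays attached" >&2
        return 1
    fi
}

# Main loop: reset the idle clock whenever something holds a file open.
watch_loop() {
    eli_dev=$1
    mnt=$2
    idle=0
    while :; do
        if [ "$(open_files "$mnt")" -gt 0 ]; then
            idle=0
        else
            idle=$(( idle + POLL ))
        fi
        if should_detach "$idle" "$IDLE_LIMIT"; then
            detach_volume "$eli_dev" "$mnt" && break
            idle=0               # umount refused; start the clock again
        fi
        sleep "$POLL"
    done
}

# Usage: sh geli-idle-watch.sh /dev/ada0p3.eli /mnt/vault
if [ $# -ge 2 ]; then
    watch_loop "$1" "$2"
fi
```

Run it with `DRY_RUN=1` first to see the `umount` and `geli detach` commands it would issue. Re-mounting afterwards still needs a step that can prompt on the console (`geli attach /dev/ada0p3 && mount /mnt/vault`), since an automounter cannot supply the passphrase itself.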
