From owner-freebsd-questions@FreeBSD.ORG Wed Aug 23 17:44:40 2006
From: "Jeff Palmer"
To: questions@FreeBSD.org
Date: Wed, 23 Aug 2006 13:44:38 -0400 (EDT)
Message-ID: <54380.66.209.36.253.1156355078.squirrel@mail.totaldiver.net>
Subject: Geli questions.. ponderings..
Hello,

Let me preface the email by saying I'm not overly familiar with geli, and it may already have the ability to do what I'm about to describe.

The scenario: A FreeBSD based appliance at a customer premise. The customer really can't be trusted not to disassemble the box, and gain knowledge about the box configuration, software, and design.

The idea: I'd like to use geli to encrypt *everything* on the disk. So if someone (a competitor maybe) removes the disk from the machine, he can't gain any data off of it easily. I know nothing is 100%, but why make the process easy for him?

The problem: I don't want the end user to have to do anything to the box, to have it "come back up" after a reboot/power failure. The goal is an appliance that the client just plugs in, and forgets about it.

The plan: the appliance would be persistently connected to an SSL based VPN server at my central office. (Think OpenVPN server) I'd like a way for geli to encrypt the entire disk, but fetch the key from a server located on the VPN. This would require the appliance to boot up, access the internet (static IP), access the VPN (ssl key'd) and fetch the key that geli needs.

Is this currently possible using geli (or even other software that I may not have heard of) or if not, would it be overly difficult to implement?

Any feedback or brainstorming would be GREATLY appreciated.

DrkShdw @ freenode (##FreeBSD)
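One way the boot-time half of this plan could look on a current FreeBSD, as an added example that is not from the original mail or from the geli project: once the VPN is up, the appliance pulls the keyfile over TLS with a client certificate, sanity-checks it, and attaches the provider with `geli attach -p -k`. The key-server URL, the certificate paths on the small unencrypted boot partition, the provider name and the keyfile size are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): unattended unlock of a
# geli-encrypted data partition. All values below are assumptions.
set -eu

KEY_URL="https://keyserver.vpn.example/geli/appliance-0001.key"  # assumption
CLIENT_CERT="/boot/keys/appliance-client.pem"                    # assumption
CA_FILE="/boot/keys/keyserver-ca.pem"                            # assumption
PROVIDER="ada0p3"                                                # assumption
KEY_BYTES=64   # must match the keyfile size used at 'geli init -K'

# validate_key FILE: refuse a missing, truncated, oversized or all-NUL
# keyfile so a failed or tampered download never reaches 'geli attach'.
validate_key() {
  f="$1"
  [ -f "$f" ] || return 1
  size=$(wc -c < "$f" | tr -d ' ')
  [ "$size" -eq "$KEY_BYTES" ] || return 1
  nonzero=$(tr -d '\000' < "$f" | wc -c | tr -d ' ')
  [ "$nonzero" -gt 0 ] || return 1
  return 0
}

# fetch_key FILE: pull the keyfile over TLS, authenticating with the client
# certificate and verifying the server against our own CA only.
fetch_key() {
  fetch -q -o "$1" --ca-cert="$CA_FILE" --cert="$CLIENT_CERT" "$KEY_URL"
}

# unlock: fetch, validate, attach without a passphrase (-p), then wipe the
# keyfile. /tmp is assumed to be memory-backed so the key never hits disk.
unlock() {
  tmp=$(mktemp /tmp/geli.XXXXXX)
  trap 'rm -P -f "$tmp"' EXIT
  fetch_key "$tmp"
  validate_key "$tmp" || { echo "keyfile failed validation" >&2; return 1; }
  geli attach -p -k "$tmp" "/dev/$PROVIDER"
  mount "/dev/$PROVIDER.eli" /data
}

# Only act when invoked as '... unlock'; otherwise just define the functions.
if [ "${1:-}" = "unlock" ]; then
  unlock
fi
```

The keyfile is only as protected as the client certificate on the boot partition, so the key server should also restrict requests to the VPN address range and log every fetch, which gives a detection point for a disk pulled and booted elsewhere.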