From owner-freebsd-hackers@FreeBSD.ORG Wed Aug 23 18:17:06 2006 Return-Path: X-Original-To: hackers@freebsd.org Delivered-To: freebsd-hackers@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55D3E16A4DF for ; Wed, 23 Aug 2006 18:17:06 +0000 (UTC) (envelope-from questions@totaldiver.net) Received: from mail.totaldiver.net (fl-209-26-20-205.sta.embarqhsd.net [209.26.20.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id D0EF543D6A for ; Wed, 23 Aug 2006 18:17:03 +0000 (GMT) (envelope-from questions@totaldiver.net) Received: from localhost (localhost.totaldiver.net [127.0.0.1]) by mail.totaldiver.net (Postfix) with ESMTP id 97DADC273 for ; Wed, 23 Aug 2006 14:17:07 -0400 (EDT) Received: from mail.totaldiver.net ([127.0.0.1]) by localhost (mail.totaldiver.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 60856-01 for ; Wed, 23 Aug 2006 14:17:02 -0400 (EDT) Received: from mail.totaldiver.net (localhost.totaldiver.net [127.0.0.1]) by mail.totaldiver.net (Postfix) with ESMTP id 819B9C1B1 for ; Wed, 23 Aug 2006 14:17:02 -0400 (EDT) Received: from 66.209.36.253 (SquirrelMail authenticated user questions@totaldiver.net) by mail.totaldiver.net with HTTP; Wed, 23 Aug 2006 14:17:02 -0400 (EDT) Message-ID: <54409.66.209.36.253.1156357022.squirrel@mail.totaldiver.net> Date: Wed, 23 Aug 2006 14:17:02 -0400 (EDT) From: "Jeff Palmer" To: hackers@freebsd.org User-Agent: SquirrelMail/1.4.8 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Virus-Scanned: Maia Mailguard Cc: Subject: Geli questions X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Aug 2006 18:17:06 -0000 Hello, Let me preface the email by saying I'm not overly familiar with geli, and it may already have the ability to do what I'm about to describe. The scenario: A FreeBSD based appliance at a customer premise. The customer really can't be trusted not to disasemble the box, and gain knowledge about the box configuration, software, and design. The idea: I'd like to use geli to encrypt *everything* on the disk. So if someone (a competitor maybe) removes the disk from the machine, he can't gain any data off of it easily. I know nothing is 100%, but why make the process easy for him? The problem: I don't want the end user to have to do anything to the box, to have it "come back up" after a reboot/power failure. The goal is an appliance that the client just plugs in, and forgets about it. The plan: the appliance would be persistantly connected to an SSL based VPN server at my central office. (Think OpenVPN server) I'd like a way for geli to encrypt the entire disk, but fetch the key from a server located on the VPN. this would require the appliance to boot up, access the internet (static IP), access the VPN (ssl key'd) and fetch the key that geli needs. Is this currently possible using geli (or even other software that I may not have heard of) or if not, would it be overly difficult to implement? Any feedback or brainstorming would be GREATLY appreciated. DrkShdw @ freenode (##FreeBSD) P.S. Sorry for the cross post from questions@, I realized hackers@ would probably be more suited to this discussion.