From: Robert Simmons
To: Fabio
Cc: rwmaillists@googlemail.com, freebsd-geom@freebsd.org
Date: Tue, 10 Apr 2012 19:06:11 -0400
Subject: Re: Automatic Geli?
References: <20120410231423.3a45e6d2@gumby.homeunix.com>
On Tue, Apr 10, 2012 at 6:25 PM, Fabio wrote:
> Hello!
>
> The idea is: you can run the system but you cannot access the sources inside it, which is very interesting when you work with PHP, for example.
>
> So, when the machine is off nobody can read data from it because it is encrypted.
>
> When you turn the machine on it automatically enters a passphrase or key which is hidden somewhere that we cannot detect! Amazing!
>
> My guess is that the keys/passphrase are compiled inside the kernel, so it's quite impossible to access it, but at the same time you can use the system!
>
> I used the system without internet access and it mounted the partition ok! That's why I think that the "magic" is in the kernel!
>
> Any ideas how it's done?

There are two options:

1) The key is in a file on the CD.
2) It is using geli onetime.

The first choice above is stupid. Every copy of the software is therefore using the same key. If you want to have a key that you don't enter a passphrase for at boot: create the geli provider yourself, and have the key on a removable device. When the machine is booting, the device is available. When it is done, you remove your device with the key and store it somewhere safe. You can use a USB drive or a CD for this.

The second choice above is more likely. The cache software that the OP mentioned would most likely be best served using geli onetime, which makes sense.

If you want to read about geli onetime, check the man page: http://www.freebsd.org/cgi/man.cgi?query=geli
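The two setups contrasted in the reply above, written out as a shell script. This is an added example, not code from the thread or from FreeBSD; it assumes the persistent provider is /dev/da0p2, the removable key media is already mounted at /mnt/key, the scratch device for geli onetime is /dev/da1, and that paths contain no spaces. The cipher and sector-size flags are ordinary geli(8) options chosen for illustration, and nothing is executed unless GELI_RUN=1 because geli needs root on a FreeBSD kernel.

```shell
#!/bin/sh
# Added example (not from the original thread): a geli provider keyed by a file on
# removable media versus a geli onetime provider.  Assumed names: /dev/da0p2 (data),
# /mnt/key (key media), /dev/da1 (cache).  geli(8) is only invoked when GELI_RUN=1.
set -eu

PROV="${PROV:-da0p2}"                        # provider holding persistent encrypted data
KEYFILE="${KEYFILE:-/mnt/key/$PROV.key}"     # key on removable media, NOT on the install CD
CACHE="${CACHE:-da1}"                        # scratch provider for geli onetime

# 1. Key material: 64 random bytes, readable by root only.  Because the key exists only
#    on the removable device, every installation gets its own key and the machine is
#    unreadable once that device is unplugged.
make_keyfile() {
    mkdir -p "$(dirname "$1")"
    ( umask 077; dd if=/dev/random of="$1" bs=64 count=1 2>/dev/null )
}

# Refuse a key file of the wrong size or one readable by group/other.
check_keyfile() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 64 ] || return 1
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# 2. Persistent provider keyed only by the file: -P at init and -p at attach tell geli
#    not to use a passphrase component, so -K/-k supplies the whole key.
geli_init_cmd()   { printf 'geli init -e AES-XTS -l 256 -s 4096 -P -K %s /dev/%s' "$2" "$1"; }
geli_attach_cmd() { printf 'geli attach -p -k %s /dev/%s' "$2" "$1"; }

# 3. The alternative from the reply: geli onetime generates a random key in memory and
#    never stores it, so the contents are gone after detach or reboot.  -d detaches on
#    last close.  Good for a cache or scratch area, useless for persistent sources.
geli_onetime_cmd() { printf 'geli onetime -e AES-XTS -l 256 -s 4096 -d /dev/%s' "$1"; }

main() {
    make_keyfile "$KEYFILE"
    check_keyfile "$KEYFILE" || { echo "bad key file: $KEYFILE" >&2; exit 1; }

    # Persistent provider: init once, attach while the key media is present, then
    # unmount the media and put it away.
    $(geli_init_cmd "$PROV" "$KEYFILE")
    $(geli_attach_cmd "$PROV" "$KEYFILE")
    newfs -U "/dev/$PROV.eli"

    # Scratch provider: fresh random key on every attach.
    $(geli_onetime_cmd "$CACHE")
    newfs -U "/dev/$CACHE.eli"
}

if [ "${GELI_RUN:-0}" = 1 ]; then
    main
fi
```

Run it once as root with GELI_RUN=1 to create both providers; on later boots only the attach step is needed while the key media is plugged in. If you want rc.d/geli to attach the provider automatically via geli_devices in rc.conf(5), the key file has to be reachable at the point rc.d/geli runs, which is before local filesystems are mounted, so check the ordering with rcorder before relying on a key that lives on a separately mounted device.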