From: Vincent Hoffman
Date: Wed, 11 Apr 2012 10:08:23 +0100
To: Robert Simmons
Cc: rwmaillists@googlemail.com, Fa bio, freebsd-geom@freebsd.org
Subject: Re: Automatic Geli?
Message-ID: <4F854A07.8030406@unsane.co.uk>

On 11/04/2012 00:06, Robert Simmons wrote:
> On Tue, Apr 10, 2012 at 6:25 PM, Fa bio wrote:
>> Hello!
>>
>> The idea is: you can run the system but you cannot access the sources
>> inside it, which is very interesting when you work with PHP, for example.
>>
>> So, when the machine is off nobody can read data from it because it is encrypted.
>>
>> When you turn the machine on it automatically enters a passphrase or key
>> which is hidden somewhere that we cannot detect! Amazing!
>>
>> My guess is that the keys/passphrase are compiled inside the kernel, so
>> it's quite impossible to access it, but at the same time you can use the
>> system!
>>
>> I used the system without internet access and it mounted the partition
>> ok! That's why I think that the "magic" is in the kernel!
>>
>> Any ideas how it's done?
> There are two options:
>
> 1) The key is in a file on the CD.
>
> 2) It is using geli onetime.
>
> The first choice above is stupid. Every copy of the software is
> therefore using the same key. If you want to have a key that you
> don't enter a passphrase for at boot: create the geli provider
> yourself, and have the key on a removable device. When the machine is
> booting, the device is available. When it is done, you remove your
> device with the key and store it somewhere safe. You can use a USB
> drive or a CD for this.
>
> The second choice above is more likely. The cache software that the
> OP mentioned would most likely be best served using geli onetime,
> which makes sense. If you want to read about geli onetime check the
> man page:
> http://www.freebsd.org/cgi/man.cgi?query=geli

From a quick look in the mfsroot this looks likely:

(08:57:31 ) 0 root@fbsd2 # grep geli /mnt/stand/etc/defaults/rc.conf
geli_devices=""
geli_tries=""
geli_default_flags=""
geli_autodetach="YES"
geli_swap_flags="-e aes -l 256 -s 4096 -d"

Running sysinstall in the /stand dir on the mfsroot gives what I assume is
the installer (it was in Portuguese so not certain.) I didn't look further.
(To the OP, I just mounted the ISO using mdconfig, gunzipped the mfsroot.gz
in the boot dir then mounted that mfsroot using mdconfig again.)

Vince
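An added example, not from the thread: once an image is unpacked as Vince describes, this POSIX sh audit reads the rc.conf(5) geli knobs that rc.d/geli uses (geli_devices, geli_<dev>_flags, geli_default_flags) and reports, per provider, whether the key file ships inside the image (Robert's option 1, every copy shares the key), lives on external media, or a passphrase prompt is expected; empty geli_devices points at geli onetime or a custom script instead. The image tree and rc.conf are constructed here; the values are parsed with sed rather than sourced, since rc.conf is shell and an untrusted image could execute code.

```shell
#!/bin/sh
# Added example (not from the thread): audit an extracted mfsroot/image
# tree for how rc.d/geli attaches providers at boot. The rc.conf knobs
# are the real ones; the image tree below is constructed.

# rc_value ROOT VAR: last assignment of VAR in ROOT/etc/rc.conf, unquoted.
# sed/grep instead of sourcing: rc.conf is shell and the image is untrusted.
rc_value() {
    sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" \
        "$1/etc/rc.conf" | tail -n 1
}

# classify_dev ROOT DEV -> one of:
#   embedded-key  -k names a file inside the image: every copy of the
#                 media carries the same key (option 1 in the thread)
#   external-key  -k names a file not in the image (removable device)
#   prompt        no -k at all: boot stops for a passphrase
classify_dev() {
    dev_=$(printf '%s' "$2" | tr '/' '_')    # rc.d/geli maps '/' to '_'
    flags=$(rc_value "$1" "geli_${dev_}_flags")
    [ -n "$flags" ] || flags=$(rc_value "$1" geli_default_flags)
    case " $flags " in
        *" -k "*)
            key=$(printf ' %s ' "$flags" | sed 's/.* -k \([^ ]*\).*/\1/')
            if [ -e "$1$key" ]; then echo embedded-key; else echo external-key; fi ;;
        *) echo prompt ;;
    esac
}

# audit_image ROOT: one line per device, or a note when rc.d/geli attaches
# nothing (then look for geli onetime or a custom rc script, as in the ISO).
audit_image() {
    devs=$(rc_value "$1" geli_devices)
    [ -n "$devs" ] || { echo "none: geli_devices empty (geli onetime or custom script?)"; return; }
    for d in $devs; do echo "$d $(classify_dev "$1" "$d")"; done
}

# Constructed image tree: one key shipped in the image, one on external
# media, one provider with no flags at all.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc" "$ROOT/boot/keys"
: > "$ROOT/boot/keys/ada0s1d.key"
cat > "$ROOT/etc/rc.conf" <<'EOF'
geli_devices="ada0s1d ada0s1e ada0s1f"
geli_ada0s1d_flags="-p -k /boot/keys/ada0s1d.key"
geli_ada0s1e_flags="-k /media/usbkey/ada0s1e.key"
geli_default_flags=""
geli_swap_flags="-e aes -l 256 -s 4096 -d"
EOF
audit_image "$ROOT"
```

Run it against a real image by pointing ROOT at the mounted mfsroot (and its etc/defaults/rc.conf if the defaults are what you want to check, as in the grep above).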