Date: Wed, 11 Apr 2012 10:08:23 +0100
From: Vincent Hoffman <vince@unsane.co.uk>
To: Robert Simmons <rsimmons0@gmail.com>
Cc: rwmaillists@googlemail.com, Fa bio <fa-h-2007@hotmail.com>, freebsd-geom@freebsd.org
Subject: Re: Automatic Geli?
Message-ID: <4F854A07.8030406@unsane.co.uk>
In-Reply-To: <CA%2BQLa9AF2DA59XnsvZveZv9LKRnn3EO%2BV5NKqnpCSOeTL58tvA@mail.gmail.com>
References: <COL115-W4014B9D06091DFE170C09BA5370@phx.gbl> <20120410231423.3a45e6d2@gumby.homeunix.com> <COL115-W65E46CF80A4ACB0C467E84A5340@phx.gbl> <CA%2BQLa9AF2DA59XnsvZveZv9LKRnn3EO%2BV5NKqnpCSOeTL58tvA@mail.gmail.com>
On 11/04/2012 00:06, Robert Simmons wrote:
> On Tue, Apr 10, 2012 at 6:25 PM, Fa bio <fa-h-2007@hotmail.com> wrote:
>> Hello!
>>
>> The idea is: you can run the system but you cannot access the sources
>> inside it, which is very interesting when you work with PHP, for example.
>>
>> So, when the machine is off nobody can read data from it because it is encrypted.
>>
>> When you turn the machine on it automatically enters a passphrase or key
>> which is hidden somewhere that we cannot detect! Amazing!
>>
>> My guess is that the keys/passphrase are compiled inside the kernel, so
>> it's quite impossible to access it, but at the same time you can use the
>> system!
>>
>> I used the system without internet access and it mounted the partition
>> ok! That's why I think that the "magic" is in the kernel!
>>
>> Any ideas how it's done?
> There are two options:
>
> 1) The key is in a file on the CD.
>
> 2) It is using geli onetime.
>
> The first choice above is stupid. Every copy of the software is
> therefore using the same key. If you want to have a key that you
> don't enter a passphrase for at boot: create the geli provider
> yourself, and have the key on a removable device. When the machine is
> booting, the device is available. When it is done, you remove your
> device with the key and store it somewhere safe. You can use a USB
> drive or a CD for this.
>
> The second choice above is more likely. The cache software that the
> OP mentioned would most likely be best served using geli onetime,
> which makes sense.
> If you want to read about geli onetime check the
> man page:
> http://www.freebsd.org/cgi/man.cgi?query=geli

From a quick look in the mfsroot this looks likely:

(08:57:31 </mnt/stand/etc/defaults>) 0 root@fbsd2 # grep geli /mnt/stand/etc/defaults/rc.conf
geli_devices=""
geli_tries=""
geli_default_flags=""
geli_autodetach="YES"
geli_swap_flags="-e aes -l 256 -s 4096 -d"

Running sysinstall in the /stand dir on the mfsroot gives what I assume is the installer (it was in Portuguese so not certain.) I didn't look further.

(To the OP: I just mounted the ISO using mdconfig, gunzipped the mfsroot.gz in the boot dir, then mounted that mfsroot using mdconfig again.)

Vince

> _______________________________________________
> freebsd-geom@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-geom
> To unsubscribe, send any mail to "freebsd-geom-unsubscribe@freebsd.org"
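The distinction the thread turns on (a keyfile shipped on the image, a keyfile on removable media that must be present at boot, a passphrase prompt, or geli onetime for swap) can be read straight out of an rc.conf like the one grepped above. What follows is an added example, not code from this thread and not FreeBSD's own rc.d script: a POSIX sh audit that reports, for each provider in geli_devices, how geli would attach it, and echoes the keyfile path so you can see whether it lives on the system image or on a separate device. Assumptions, labelled in the comments: the provider-to-variable mapping ('/' and '-' become '_', so geli_ada0p2_flags) follows what I recall of /etc/rc.d/geli and should be checked against the installed script; the swap line reflects that .eli swap entries in fstab are set up with `geli onetime` using geli_swap_flags; the sample rc.conf the script writes is constructed for the demo and is not the one from the image.

```shell
#!/bin/sh
# Added example: audit geli settings in an rc.conf-style file.
# Not from the thread and not FreeBSD's rc.d code; see the assumptions below.

# Extract the value of VAR from FILE (last assignment wins, quotes stripped).
# Deliberately does not source the file: an rc.conf is shell, and sourcing
# one you pulled off an untrusted image would execute whatever is in it.
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"*\([^\"]*\)\"*.*\$/\1/p" "$1" | tail -n 1
}

# Provider name -> rc.conf variable suffix. ASSUMPTION: rc.d/geli maps
# '/' and '-' to '_' (e.g. label/data -> geli_label_data_flags); verify
# against your /etc/rc.d/geli.
rc_name() {
    printf '%s' "$1" | sed 'y|/-|__|'
}

# Print one line per provider: NAME: VERDICT [key=PATH], then the swap line.
#   unattended-keyfile : -p (no passphrase) and -k KEY; boots without a prompt,
#                        so where KEY lives is the whole security question.
#   keyfile+passphrase : -k KEY without -p; key AND passphrase needed.
#   passphrase-prompt  : no -k; geli prompts on the console at boot.
geli_audit() {
    file=$1
    default=$(rc_get "$file" geli_default_flags)
    for dev in $(rc_get "$file" geli_devices); do
        flags=$(rc_get "$file" "geli_$(rc_name "$dev")_flags")
        [ -n "$flags" ] || flags=$default
        key='' nopass=no
        set -- $flags
        while [ $# -gt 0 ]; do
            case $1 in
                -k) key=$2; shift ;;
                -p) nopass=yes ;;
            esac
            shift
        done
        if [ -n "$key" ] && [ "$nopass" = yes ]; then
            verdict=unattended-keyfile
        elif [ -n "$key" ]; then
            verdict=keyfile+passphrase
        else
            verdict=passphrase-prompt
        fi
        printf '%s: %s%s\n' "$dev" "$verdict" "${key:+ key=$key}"
    done
    # ASSUMPTION: .eli swap entries in fstab are attached with
    # `geli onetime ${geli_swap_flags}` (a fresh random key per boot).
    swap=$(rc_get "$file" geli_swap_flags)
    [ -z "$swap" ] || printf 'swap(.eli in fstab): onetime %s\n' "$swap"
}

# Constructed sample rc.conf for the demo (NOT the one from the image above);
# it deliberately shows one provider of each kind discussed in the thread.
write_sample_rcconf() {
    cat > "$1" <<'EOF'
geli_devices="ada0p2 ada0p3 md0"
geli_default_flags=""
geli_autodetach="YES"
# keyfile on a USB stick, no passphrase: unattended boot while the stick is present
geli_ada0p2_flags="-p -k /media/usbkey/ada0p2.key"
# keyfile on the system image itself: every copy of the image shares this key
geli_ada0p3_flags="-p -k /boot/ada0p3.key"
# no -k and no -p: geli prompts for a passphrase at boot
geli_md0_flags="-e aes"
geli_swap_flags="-e aes -l 256 -s 4096 -d"
EOF
}

# Stand-alone demo: write the sample and audit it.
tmp=$(mktemp) || exit 1
write_sample_rcconf "$tmp"
geli_audit "$tmp"
rm -f "$tmp"
```

Run it against the rc.conf from a mounted mfsroot (`geli_audit /mnt/stand/etc/defaults/rc.conf` after the mdconfig steps Vince describes, then again against /etc/rc.conf on the image, since defaults are overridden there). An `unattended-keyfile` verdict whose key path is on the image is the "same key in every copy" case; a path under a mount point that only exists when your removable device is plugged in is the arrangement Robert recommends.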
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F854A07.8030406>