From: "Lucky Green"
To:
cc: "'Geoffrey T. Falk'"
Date: Tue, 6 May 2003 13:10:32 -0700
Message-ID: <007901c3140b$8ccbad20$6601a8c0@VAIO650>
Subject: Putting gbde to use: changes to fstab(5)?
List-Id: Discussion related to FreeBSD architecture (freebsd-arch@freebsd.org)

I believe there is a need for a convention specifying where and how gbde(4)(8) encrypted devices should be listed in system configuration files. I don't hugely care which convention is chosen, as long as there exists a clear convention that will enable authors to write software that will make it easy to deploy gbde.

Background: gbde(4)-encrypted devices need to be attached to the kernel before they can be mounted. Attaching the device requires a password, which can either be automatically generated at boot, as would be the case for encrypted swap, or has to be supplied by the administrator, typically via ssh, as is typically the case for UFS file systems.

Even a partial automation of this process requires a configuration file containing a list of gbde(4) devices to be attached, their purpose (swap, UFS), a (potentially implied, based on file system type) hint on how to obtain the password, the type of the decrypted file system, and the ultimate mount point. In other words, what we need is the information usually found in fstab(5) and a little bit more.

The configuration file should contain sufficient information to later on enable the following:

- swapon(8): either extend the -a option to encrypt the swap file with a random password if the swap file is marked as to be encrypted in the configuration file, or perhaps add a new option to swapon(8) to mount swap devices marked as to be encrypted.

- add scripts that are executed, potentially manually, though in some cases as part of an extended boot sequence, after the system has come up in multi-user mode and sshd is running, that will obtain the password, fsck the FS, and mount the unencrypted FS.

- make other parts of the base OS, such as mount(8), aware of encrypted devices.

I suspect the most intuitive approach to creating such a config file would be to make slight extensions to fstab(5), which was the preferred, though not unanimous, method mentioned to me in numerous conversations with current and potential gbde users. However, this carries the risk that software that uses fstab at present may get confused when presented with additional options. However, I don't know how big of a problem this would really be in practice. Sooner or later, many of the programs that currently make use of fstab may need to become gbde-aware in some form or another for gbde to achieve its full potential.

The absence of a formal way to specify gbde partitions in the config files at the moment has two direct consequences:

1) it is delaying the creation of various automation scripts and potential integration of gbde support with system utilities.

2) informal and not necessarily broadly suitable or compatible conventions are bound to appear.

For an example of how one might enable encrypted swap at boot, see Geoffrey Falk's sample script archived at http://segment7.net/FreeBSD/encrypted_swap.txt

Straw man proposal options:

1) extend fstab(5)'s fs_vfstype field to accept a comma-separated list ("ufs,bde") to indicate that the FS is gbde-encrypted.

2) extend the fs_mntops field instead ("rw,bde").

3) specify the format for an fstab-like file for bde devices, "fstab.bde".

My preference is for 1) or 2), because it is the most intuitive solution for your average FreeBSD administrator, but others may be able to think of more/better options.

Note that I am not asking to solve the general, and at this time largely undetermined, problem domain of how to specify future gbde-encrypted devices that may not correspond to commonly-used FreeBSD file systems.

Thanks for your guidance,

--Lucky
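As an added illustration of straw-man options 1) and 2) above (this is example code written for this page, not part of the original message, Geoffrey Falk's script, or FreeBSD itself), the following POSIX shell snippet parses an fstab-style table and picks out the entries an attach-before-mount script would have to handle. The sample fstab text, its device names and mount points are constructed for the example; the only assumption is the proposed convention itself, namely that "bde" appears either as a member of the comma-separated fs_vfstype list or as a member of fs_mntops.

```shell
#!/bin/sh
# Constructed sample fstab for the example; devices and mount points are
# made up. Entries are flagged under option 1 (fs_vfstype "ufs,bde" or
# "swap,bde") or option 2 (fs_mntops "rw,bde"); the rest are ordinary.
SAMPLE_FSTAB='# Device        Mountpoint  FStype   Options      Dump Pass
/dev/ad0s1a     /           ufs      rw           1    1
/dev/ad0s1b     none        swap,bde sw           0    0
/dev/ad0s1d     /home       ufs,bde  rw           2    2
/dev/ad0s1e     /var        ufs      rw,bde       2    2
/dev/acd0       /cdrom      cd9660   ro,noauto    0    0'

# Read fstab text on stdin and print "device mountpoint fstype mntops"
# for every entry marked as gbde-encrypted under either convention.
# The "bde" token is stripped from the printed fstype and mntops so the
# remaining values are what a later mount(8)/swapon(8) step would use.
list_bde_entries() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }      # skip comments, short lines
        {
            dev = $1; mnt = $2; bde = 0

            # option 1: fs_vfstype is a comma list that may contain "bde"
            vfs = ""; n = split($3, v, ",")
            for (i = 1; i <= n; i++) {
                if (v[i] == "bde") bde = 1
                else vfs = (vfs == "" ? v[i] : vfs "," v[i])
            }

            # option 2: fs_mntops may contain "bde"
            opts = ""; n = split($4, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == "bde") bde = 1
                else opts = (opts == "" ? o[i] : opts "," o[i])
            }

            if (bde) print dev, mnt, vfs, opts
        }'
}

# Run the parser over the constructed sample.
bde_entries_from_sample() {
    printf '%s\n' "$SAMPLE_FSTAB" | list_bde_entries
}

# Number of devices that would have to be attached before mount/swapon.
bde_entry_count() {
    bde_entries_from_sample | wc -l | tr -d ' '
}

# Only the swap entries, i.e. the ones a swapon(8) extension would act on
# with a randomly generated key rather than an administrator-supplied one.
bde_swap_entries() {
    bde_entries_from_sample | awk '$3 == "swap"'
}
```

Running `bde_entries_from_sample` on the sample prints the three flagged devices with "bde" removed from their type and options, and `bde_swap_entries` narrows that to the single swap device, which mirrors the split the message draws between automatically keyed swap and administrator-keyed UFS.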