Date:      Sun, 18 Jan 2004 23:13:12 +0100
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Allan Fields <bsd@afields.ca>
Cc:        phk@FreeBSD.org
Subject:   Re: Status GBDE attach at boot
Message-ID:  <20040118221311.GK761@arthur.nitro.dk>
In-Reply-To: <20040118151931.GJ34696@afields.ca>
References:  <20040117195358.GH34696@afields.ca> <20040118134341.GB761@arthur.nitro.dk> <20040118151931.GJ34696@afields.ca>



On 2004.01.18 10:19:31 -0500, Allan Fields wrote:
> On Sun, Jan 18, 2004 at 02:43:42PM +0100, Simon L. Nielsen wrote:
> > On 2004.01.17 14:53:58 -0500, Allan Fields wrote:
> > > Hi,
> > >
> > > I'm interested to know what may be in the pipeline as far as GBDE
> > > boot time attach/automation support.  Has anyone committed to
> > > implementing these features?  (I don't see it anymore (on the 5.3
> > > todo list) in releng pages.)
> >
> > 5.2 already has support for attaching GBDE volumes at boot by using the
> > /etc/rc.d/gbde script.  I have been using it for a while, and it works
> > OK.
>
> Ahh.. ok, didn't see the changes yet. That is a straight forward
> approach - could there just as easily be a similar facility for other
> geoms?

That shouldn't be a problem... of course, depending on exactly what you want
to configure, it might be more or less simple to do.  The dependency tree
for the rc system can make the script start when needed in the boot
sequence without any hacks.

Of course the issue of how to set user configuration still exists (as
discussed a few times before on the lists), since rc.conf can quickly
become very cluttered.

> > I sent a patch yesterday to the freebsd-rc mailing list to make the gbde
> > rc.d script work a bit better (see
> > http://groups.yahoo.com/group/FreeBSD-rc/message/659 ).
> >
> > > As a fstab is concerned with mount hack, this is the right approach
> >
> > I think it's better to just use a rc.d script to attach gbde volumes
> > before the normal filesystem mount, since it seems more "clean". Of
>
> This is good, including specifying the lockfile dir, but it implies
> passphrase entry before continuing, always on the console?

This is the way it works now, but this could be extended.  I'm mainly
using gbde to encrypt /home on desktops, so asking the password on the
console works fine for me.

> Which brings us to passphrase from file/filedesc issue vs. from tty
> / on command line.  Could password prompts be read from another
> terminal or from secure source like key device or remote terminal
> while the booting continues in the mean-time?

I don't see any reason why not, if the "connection" is secure, but I
haven't looked into this (since I haven't had the need to) so I'm not
exactly sure what kind of problems there are (both programming and
security issues).

> > course the rc.d script could be enhanced e.g. to support random keys,
> > like your "temp" feature.
>=20
> Yup. Idea was raised previously on the lists by lucky and phk.
> Seems like a good idea for swap,/tmp setup.

I actually have an rc.d script by Geoffrey T. Falk <gtf@cirp.org>, which
was posted to some mailing list a few months ago, for gbde swap with
random password, but since it confuses the crashdump system I'm not
using it right now.

-- 
Simon L. Nielsen
FreeBSD Documentation Team
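Added example for this archived message, not the /etc/rc.d/gbde script and not code posted anywhere in the thread: a dry-runnable POSIX sh sketch of the two boot-time sequences discussed above, attaching pre-configured gbde volumes before the filesystems are mounted (passphrase read on the console, lock files taken from a lock directory), and a one-shot swap device keyed with a random passphrase that is never stored. Everything beyond the gbde(8) command syntax is an assumption of this example: the rc.conf-style variable names gbde_devices and gbde_lockdir, the <device>.lock naming inside the lock directory, the constructed device list, and the dump-device check, which is this example's own conservative way of keeping random-key swap away from the crash dump path that Simon says the swap script confused.

```sh
# Added example, not the FreeBSD rc.d/gbde script and not code from this
# thread.  Assumptions: rc.conf-style names gbde_devices/gbde_lockdir, lock
# files named <device>.lock in the lock directory, and gbde(8) invoked as
# "gbde init DEV -L LOCK -P PASS" / "gbde attach DEV -l LOCK [-p PASS]",
# with the attached node appearing as /dev/DEV.bde.  GBDE and SWAPON can be
# overridden (e.g. with "echo") so the control flow runs on any host.

: "${GBDE:=gbde}"
: "${SWAPON:=swapon}"

# Constructed sample configuration, in the shape of an rc.conf fragment.
gbde_devices="ad0s1d ad0s1e"
gbde_lockdir="/etc/gbde"

# gbde_attach_all DEVICES LOCKDIR
# Attaches each device in turn.  A device whose lock file is unreadable is
# skipped instead of prompting: without the lock file gbde cannot open the
# volume, so asking for a passphrase would only stall the boot.  No -p is
# passed, so gbde itself prompts on the console, as the message describes.
# Returns 0 when every device was attached, 1 otherwise.
gbde_attach_all() {
    _rc=0
    for _dev in $1; do
        _lock="$2/$_dev.lock"
        if [ ! -r "$_lock" ]; then
            echo "gbde: no readable lock file $_lock for $_dev, not attaching" >&2
            _rc=1
            continue
        fi
        "$GBDE" attach "/dev/$_dev" -l "$_lock" || _rc=1
    done
    return $_rc
}

# gbde_swap_random DEVICE LOCKDIR DUMPDEV
# Initialises and attaches DEVICE with a fresh 256-bit random passphrase that
# is never written anywhere, then enables swap on the .bde node.  Caveat: the
# passphrase travels in argv of gbde(8), so it is visible in the process list
# for the lifetime of those two calls; tolerable at boot, not on a busy
# multi-user host.  The device is refused when it is also the configured dump
# device (this example's own check, see the lead-in).
gbde_swap_random() {
    _dev=$1; _lock="$2/$_dev.lock"; _dumpdev=$3
    if [ "/dev/$_dev" = "$_dumpdev" ]; then
        echo "gbde: /dev/$_dev is the dump device, not encrypting swap on it" >&2
        return 1
    fi
    _pass=$(dd if=/dev/random bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ ${#_pass} -eq 64 ] || return 1
    "$GBDE" init "/dev/$_dev" -L "$_lock" -P "$_pass" &&
    "$GBDE" attach "/dev/$_dev" -l "$_lock" -p "$_pass" &&
    "$SWAPON" "/dev/$_dev.bde"
}

# "sh gbde-boot.sh -n" prints the commands instead of running them.
if [ "${1:-}" = "-n" ]; then
    GBDE=echo SWAPON=echo
    gbde_attach_all "$gbde_devices" "$gbde_lockdir"
    gbde_swap_random ad0s1b "$gbde_lockdir" /dev/ad0s1c
fi
```

In the dry run on a host without /etc/gbde the attach loop only reports the missing lock files, which is the intended failure mode: a volume with no lock file is not something the boot should wait on. The swap function deliberately does not reuse an existing lock file; each boot runs init again, so the previous contents of swap are unrecoverable by construction.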
