From owner-freebsd-questions@FreeBSD.ORG  Sat Dec 18 20:55:15 2010
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E4C71106564A
	for <freebsd-questions@freebsd.org>;
	Sat, 18 Dec 2010 20:55:15 +0000 (UTC)
	(envelope-from cpghost@cordula.ws)
Received: from mail-qw0-f54.google.com (mail-qw0-f54.google.com
	[209.85.216.54])
	by mx1.freebsd.org (Postfix) with ESMTP id A8BEF8FC16
	for <freebsd-questions@freebsd.org>;
	Sat, 18 Dec 2010 20:55:15 +0000 (UTC)
Received: by qwj9 with SMTP id 9so1650843qwj.13
	for <freebsd-questions@freebsd.org>;
	Sat, 18 Dec 2010 12:55:14 -0800 (PST)
MIME-Version: 1.0
Received: by 10.229.188.144 with SMTP id da16mr2233700qcb.158.1292704331873;
	Sat, 18 Dec 2010 12:32:11 -0800 (PST)
Received: by 10.229.238.70 with HTTP; Sat, 18 Dec 2010 12:32:11 -0800 (PST)
X-Originating-IP: [93.221.186.103]
Date: Sat, 18 Dec 2010 21:32:11 +0100
Message-ID: <AANLkTikQSdaDeae0gFO1Pu+T8OG-uo3qF4rcmSoG=8kE@mail.gmail.com>
From: "C. P. Ghost" <cpghost@cordula.ws>
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: geli(8) and amd(8) working together?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Dec 2010 20:55:16 -0000

Hi,

I'm wondering how to get the most out of geli(8)
encrypted volumes, in combination with something
like amd(8) (but without the overhead of NFS, if at
all possible) that mounts and umounts file systems
only as needed.

Basically, I'd like to mount a geli volume on demand
(e.g. via amd), but when amd umounts the volume for
lack of activity after some time, the geli provider should
also "forget" (overwrite in RAM) the key, i.e. detach itself
from the underlying geom provider.

When amd tries to mount the geli volume again, geli should
then ask for the key again (e.g. on the console).

The idea is to protect geli encrypted partitions that
are idle, so that even if the box is compromized and the
power is maintained (somehow), encrypted partition(s)
would still require a key after being idle for some time.

Any way or ideas how to implement this?

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/