Re: kfreebsd -- encryption options
Hello,

Philipp Martis wrote:
> I checked a few other images, namely the daily netboot builds from
> 05/12, 05/18, 06/05 and 06/11 (today). They all have the same
> problem: "physical volume for encryption" doesn't show up during
> partitioning,

I should probably write this up in the Wiki...

We don't support it yet in the installer, but it is potentially possible, if you install some part that is unencrypted and set up encrypted partitions later.

My laptop boots a very small unencrypted root (similar to an initramfs). An early /etc/rcS.d script prompts me to unlock a geli partition, inside which I have a ZFS pool which is mounted after that.

The (encrypted) ZFS filesystems can be mounted anywhere - you could encrypt only /home if you prefer - or even over the top of /usr or / (the latter would be similar to doing a pivot_root, which is how full-disk encryption is usually implemented on Linux). Remember to move /lib/modules into /boot in this case, and put a symlink back from /lib/modules -> /boot/modules.

There are still other ways. Regular OpenSSH can be used for a dropbear-type setup. The FreeBSD kernel has some way to mount an encrypted root partition by itself; and GRUB2 supports encryption and GPG verification of things it loads too.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
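The early-boot unlock step described in the message above, sketched as an added example that is not part of the original message or the poster's own script. It shows the order of operations (load geli, attach with a passphrase prompt, import the pool only once the provider is unlocked) and handles a mistyped passphrase. The provider `/dev/ada0p3`, the pool name `tank`, the `DRY_RUN` switch and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not the poster's actual script.
# Assumptions: provider /dev/ada0p3, pool "tank", geli/zpool/kldload in PATH.
GELI_PROVIDER="${GELI_PROVIDER:-/dev/ada0p3}"
ZPOOL="${ZPOOL:-tank}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# geli attach prompts for the passphrase on the console; allow three attempts.
attach_with_retry() {
    tries=0
    while [ "$tries" -lt 3 ]; do
        run geli attach "$GELI_PROVIDER" && return 0
        tries=$((tries + 1))
        echo "geli attach failed (attempt $tries of 3)" >&2
    done
    return 1
}

unlock_and_import() {
    # Skip the prompt if the decrypted provider (<prov>.eli) already exists.
    if [ ! -e "${GELI_PROVIDER}.eli" ]; then
        run kldload geom_eli 2>/dev/null || true   # harmless if already loaded
        attach_with_retry || return 1              # never import without the key
    fi
    # Importing the pool also mounts its filesystems at their mountpoints.
    run zpool import "$ZPOOL"
}

# Init-script entry point; without "start" the file only defines functions.
case "${1:-}" in
    start) unlock_and_import || echo "encrypted pool $ZPOOL not mounted" >&2 ;;
    *)     : ;;   # stop/restart: nothing to do in this sketch
esac
```

Running it with `DRY_RUN=1` and the `start` argument prints the three commands in order without touching any device.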
Re: kfreebsd -- encryption options
Hi,

I checked a few other images, namely the daily netboot builds from 05/12, 05/18, 06/05 and 06/11 (today). They all have the same problem: "physical volume for encryption" doesn't show up during partitioning, neither with crypto-modules-10.3.0-amd64-di, nor with crypto-dm-modules-10.3.0-amd64-di, nor with both loaded.

Also, zfs encryption doesn't seem to work (`zfs create -o encryption=on ...` gives "cannot create 'bsdpool/bsdroot': invalid property 'encryption'").

Kind regards,
Philipp

On Fri, 10 Jun 2016 16:12:23 +0200 UTC, Philipp Martis <philipp2...@web.de> wrote:
> Hi,
>
> basically, it should already work out of the box, at least that's how it is
> described in the Installation Guide:
> https://www.debian.org/releases/stable/kfreebsd-amd64/ch06s03.html.en#partman-crypto
>
> Unfortunately, it doesn't work, neither with crypto-modules, nor with
> dm-crypto-modules, nor with both loaded.
> Also, zfs encryption doesn't seem to work.
> I tested it with the daily build from today.
> Is there any way I could help or could somebody describe a solution to get it
> to work?
>
> Kind regards,
> Philipp Martis
>
>
> >To: debian-bsd@lists.debian.org
> >Subject: kfreebsd -- encryption options
> >From: Andrew McGlashan <andrew.mcglas...@affinityvision.com.au>
> >Date: Wed, 30 Mar 2016 11:23:25 +1100
> >Message-id: <56fb1c7d.9070...@affinityvision.com.au>
> >
> >Hi,
> >
> >Having a Debian Linux installation with dropbear for pre-boot unlocking
> >of encrypted partitions (including root [and everything except for
> >/boot] on LVM). The disk partitions actually being mirrors created
> >using mdadm (RAID1) and then encrypted using cryptsetup (dm-crypt).
> >
> >How would one go about getting the same sort of set up in Debian /
> >kFreeBSD ?
> >
> >Thanks
> >AndrewMM
>
Re: kfreebsd -- encryption options
Hi,

basically, it should already work out of the box, at least that's how it is described in the Installation Guide:
https://www.debian.org/releases/stable/kfreebsd-amd64/ch06s03.html.en#partman-crypto

Unfortunately, it doesn't work, neither with crypto-modules, nor with dm-crypto-modules, nor with both loaded.
Also, zfs encryption doesn't seem to work.
I tested it with the daily build from today.
Is there any way I could help or could somebody describe a solution to get it to work?

Kind regards,
Philipp Martis

>To: debian-bsd@lists.debian.org
>Subject: kfreebsd -- encryption options
>From: Andrew McGlashan <andrew.mcglas...@affinityvision.com.au>
>Date: Wed, 30 Mar 2016 11:23:25 +1100
>Message-id: <56fb1c7d.9070...@affinityvision.com.au>
>
>Hi,
>
>Having a Debian Linux installation with dropbear for pre-boot unlocking
>of encrypted partitions (including root [and everything except for
>/boot] on LVM). The disk partitions actually being mirrors created
>using mdadm (RAID1) and then encrypted using cryptsetup (dm-crypt).
>
>How would one go about getting the same sort of set up in Debian /
>kFreeBSD ?
>
>Thanks
>AndrewMM
kfreebsd -- encryption options
Hi,

Having a Debian Linux installation with dropbear for pre-boot unlocking of encrypted partitions (including root [and everything except for /boot] on LVM). The disk partitions actually being mirrors created using mdadm (RAID1) and then encrypted using cryptsetup (dm-crypt).

How would one go about getting the same sort of set up in Debian / kFreeBSD ?

Thanks
AndrewMM