Sean Eric Fagan
@kithrup@wandering.shop  ·  activity timestamp 3 weeks ago

I am contemplating making some of my #FreeBSD datasets encrypted. This is primarily so I could use rsync.net to back them up. Since I don't have physical access to the server, I can't make the root filesystems encrypted -- or can I?

It looks like I should set zfskeys=YES in rc.conf, and then as long as the filesystem keys are in a known location, it'll load them automatically during boot?

David Chisnall (*Now with 50% more sarcasm!*)
@david_chisnall@infosec.exchange  ·  activity timestamp 3 weeks ago

@kithrup I don't think you can use rc.conf to control mounting the root FS, it's on the root FS. There is stuff to pass encryption keys from loader to the kernel, which might work, but you'd need to enter a passphrase on the serial console on boot.

The way this is normally done for remote systems (not on FreeBSD) is to have a kernel that boots via secure boot, and then a TPM that releases a key based on the state of the secure-boot attestation.

Sean Eric Fagan
@kithrup@wandering.shop  ·  activity timestamp 3 weeks ago

@david_chisnall I don't think my system has TPM, so that'd be out. I was not thinking rc.conf could be used to handle booting, but possibly an external USB device could have the key. Not hugely thrilled with that, though.
