Hello,
as our number of FreeBSD servers grows, it gets quite tedious to reboot them, because we use GELI / ZFS root disk encryption.
So, rebooting takes attended time to enter the passphrase during boot.
I am playing with different ideas for how to migrate to an unattended disk encryption and would like to have feedback on the following idea:
1. A server will have an unencrypted small root partition to boot from.
2. After init initialised the network, a script retrieves an encryption key from an external source and saves it into a file.
3. Now a script can mount all encrypted volumes with the key. This would include /usr/local, where the main software and configuration for this particular machine is installed. All data should be stored in encrypted volumes too.
4. Init should continue with the /usr/local/etc/rc.d scripts to start all additional services.
Questions:
a) What is the best way to "inject" my script into the init script sequence?
b) How would you handle /var/log, which I would like to have encrypted too?
c) Overall idea doable or not? Are there simpler ways?
Looking forward to the discussion!
Waldemar
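One way to wire steps 2 to 4 into the rc(8) sequence, as an added example that is not part of Waldemar's post or of any FreeBSD base file: an rc.d script placed in /etc/rc.d on the unencrypted root (it cannot live in /usr/local/etc/rc.d, which is still unmounted when it must run). The rcorder keywords `REQUIRE: NETWORKING` and `BEFORE: mountcritremote` are the answer to question a): the script runs once the network is up and, because syslogd requires mountcritremote, before anything starts logging, which covers question b) as long as the root's /var/log directory is empty so the ZFS dataset can mount over it. Everything named here is an assumption for the example: the `geli_remote_*` variables, the key server URL, the CA and client certificate paths, the provider list, the pool name `tank`, and a key length of 64 bytes; the providers are assumed to have been initialised keyfile-only (`geli init -P -K keyfile`), which is what `geli attach -p -k` expects. Verify the ordering on your own box with `rcorder /etc/rc.d/* /usr/local/etc/rc.d/*`.

```shell
#!/bin/sh
#
# Added example, not from the original post: /etc/rc.d/geli_remote
# Fetches a GELI key after the network is up, attaches the encrypted
# providers and imports the ZFS pool holding /usr/local and /var/log,
# then hands control back to rc(8). It lives on the unencrypted root
# because /usr/local/etc/rc.d is not reachable when it runs.
# Enable with geli_remote_enable="YES" in /etc/rc.conf.
#
# PROVIDE: geli_remote
# REQUIRE: NETWORKING
# BEFORE: mountcritremote
# KEYWORD: nojail

# Every name below (geli_remote_*, URL, CA file, providers, pool) is an
# assumption for the example; rc.conf values override these defaults.
: "${geli_remote_url:=https://keyserver.example.internal/$(hostname).key}"
: "${geli_remote_cafile:=/etc/ssl/keyserver-ca.pem}"
: "${geli_remote_cert:=/etc/ssl/host.crt}"
: "${geli_remote_key:=/etc/ssl/host.key}"
: "${geli_remote_providers:=ada0p4}"
: "${geli_remote_pool:=tank}"
: "${geli_remote_keylen:=64}"        # bytes, the size used at 'geli init -K'
geli_remote_tmp="/var/run/geli_remote"

# Sanity-check a fetched key before geli sees it: exact size, and not a
# text/HTML body that a misconfigured key server returned with HTTP 200.
# Returns 0 if the file is usable, 1 otherwise.
geli_remote_check_key() {
    local keyfile size
    keyfile="$1"
    [ -f "$keyfile" ] || return 1
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq "$geli_remote_keylen" ] || return 1
    if head -c 16 "$keyfile" | grep -qiE '<html|<!doctype'; then
        return 1
    fi
    return 0
}

# Retrieve the key over mutually authenticated TLS into a memory-backed,
# root-only directory so it never touches the unencrypted disk.
geli_remote_fetch() {
    mkdir -p "$geli_remote_tmp" || return 1
    mount -t tmpfs -o size=1m tmpfs "$geli_remote_tmp" || return 1
    chmod 700 "$geli_remote_tmp"
    umask 077
    fetch -q --ca-cert="$geli_remote_cafile" \
          --cert="$geli_remote_cert" --key="$geli_remote_key" \
          -o "$geli_remote_tmp/key" "$geli_remote_url" || return 1
    geli_remote_check_key "$geli_remote_tmp/key"
}

# Attach each provider with the key file only (-p: no passphrase), then
# import the pool; zfs mount -a applies the datasets' own mountpoints
# (e.g. tank/usr/local -> /usr/local, tank/var/log -> /var/log).
geli_remote_attach() {
    local p
    for p in $geli_remote_providers; do
        [ -e "/dev/${p}.eli" ] && continue          # already attached
        geli attach -p -k "$geli_remote_tmp/key" "/dev/$p" || return 1
    done
    zpool list -H "$geli_remote_pool" >/dev/null 2>&1 || \
        zpool import "$geli_remote_pool" || return 1
    zfs mount -a
}

# The kernel holds the key after attach; unmounting the tmpfs discards the copy.
geli_remote_cleanup() {
    umount "$geli_remote_tmp" 2>/dev/null
    rmdir "$geli_remote_tmp" 2>/dev/null
    return 0
}

geli_remote_start() {
    if geli_remote_fetch && geli_remote_attach; then
        geli_remote_cleanup
        return 0
    fi
    geli_remote_cleanup
    echo "geli_remote: encrypted volumes NOT attached" >&2
    # Abort the boot rather than start services on the bare root
    # (same mechanism mountcritlocal uses when a filesystem fails).
    if type stop_boot >/dev/null 2>&1; then stop_boot; fi
    return 1
}

# rc(8) glue; skipped when /etc/rc.subr is absent so the functions above
# can be sourced and exercised on a non-FreeBSD host.
if [ -r /etc/rc.subr ]; then
    . /etc/rc.subr
    name="geli_remote"
    rcvar="geli_remote_enable"
    start_cmd="geli_remote_start"
    stop_cmd=":"
    load_rc_config "$name"
    : "${geli_remote_enable:=NO}"
    run_rc_command "$1"
fi
```

Two design points worth noting for the threat model this setup implies. First, the key server is now the thing an attacker with network access wants to impersonate, so the fetch pins a private CA and presents a client certificate; a plain HTTP fetch would let anyone on the path hand the box a key, and the size/HTML check above catches only accidents, not a deliberate substitution. Second, the script aborts the boot via `stop_boot` when the volumes cannot be attached, so a machine whose key server is down stops at single-user instead of bringing up services on top of an empty, unencrypted /usr/local.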