On Tue, 23 Oct 2001, Bill Stewart wrote:
At 01:38 PM 10/23/2001 +1000, zem wrote:
On 23 Oct 2001, Dr. Evil wrote:
vnconfig -ck svnd0 diskimage
I don't have a BSD system around to check - what does this approach do?
Create a loopback device. "-k" means encrypt - cipher is blowfish, there's no way to change it. After vnconfig, /dev/svnd0 becomes a block device; use newfs and mount as with any partition. Here's the man page: http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig
Is Dr. Evil's concern with loopback just the speed? (Plus the ugly minimal user interface, which is a job for a script.) Machines are enough faster these days that I'd think the only places that's a big hit, other than database apps, are swap space, and you can mostly fix that by buying enough RAM.
The performance hit is acceptable, it's much faster than CFS. OpenBSD's encrypted swap uses the same mechanism.
It's worth noting their primary goal is network security, not crypto. Rubber hoses don't factor significantly in their threat model.
Laptop theft belongs in *most* security models.
Agreed.

--
mailto:zem@zip.com.au F289 2BDB 1DA0 F4C4 DC87 EC36 B2E3 4E75 C853 FD93
http://zem.squidly.org/ "I'm invisible, I'm invisible, I'm invisible.."
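As an added illustration of the vnconfig workflow zem describes (attach with -ck, then newfs and mount like any partition), not code from the thread or from OpenBSD itself: the script below wraps the whole lifecycle of an encrypted image, including the detach step that actually drops the key. It assumes OpenBSD's vnconfig/newfs/dd syntax of that era, that svnd0 is unused, and placeholder image and mount-point paths; with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): the OpenBSD "vnconfig -k" workflow,
# wrapped in functions. DRY_RUN=1 prints the commands instead of running them.
# Assumptions: svnd0 is free; image path and mount point are placeholders.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@" || return 1
    fi
}

# Create and attach an encrypted image: size in MB, image path, mount point.
# vnconfig -k prompts for the passphrase on the terminal; nothing is stored.
attach_encrypted_image() {
    size_mb=$1; image=$2; mnt=$3
    # Fill the image from /dev/urandom rather than /dev/zero so that
    # never-written blocks are indistinguishable from ciphertext.
    run dd if=/dev/urandom of="$image" bs=1m count="$size_mb" &&
    run chmod 600 "$image" &&
    run vnconfig -ck svnd0 "$image" &&
    # Partition c is the whole "disk": raw device for newfs, block for mount.
    run newfs /dev/rsvnd0c &&
    run mount -o nosuid,nodev /dev/svnd0c "$mnt"
}

# Detach: unmount, then unconfigure the vnd. Until "vnconfig -u" runs, the
# cleartext is still reachable through /dev/svnd0c regardless of the passphrase.
detach_encrypted_image() {
    mnt=$1
    run umount "$mnt" &&
    run vnconfig -u svnd0
}
```

Unmounting alone is not enough against the laptop-theft case mentioned above; only the vnconfig -u step removes the keyed device.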