OpenBSD Misc

I have recently configured an OpenBSD softraid using the following as a guide along with the correct manual pages: http://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption

The limitation I've noticed is that / is unencrypted, which means /etc is unencrypted. My first install had the usual partitions on the encrypted softraid device: /usr, /var, /home and /tmp, which all in all works out pretty well. Then, when creating private keys, it clicked that they would reside in /etc/ssl/private, which of course could be moved, but I am a pretty anal admin who likes things done as those who engineered the system intended. It saves trouble doing things that way. Most of the stuff in /etc is not that important, but I take the physical security of the machine pretty seriously.

When I read the guide the first time, on the first install, it mentioned creating an /altroot partition and I did, but this seems to be for backup purposes or something. I can't really tell, and I can't seem to find much documentation about it. I thought when reading the guide that the root partition would switch over to it or something like that. It was pretty disappointing when I looked around in the documentation and manual pages regarding mount and such and found that I could not modify the /bin/decrypt script mentioned in the guide to use mount to switch to altroot. I might be wrong, and there might just be a flaw in the documentation. It would be very good if such a root partition switching type thing were added as a feature to OpenBSD.

In the meantime I've come up with my own solution, for which I reinstalled, this time creating on the softraid a partition called /secetc. Basically, using this I can copy things over from /etc to /secetc, delete them in /etc, and symlink them over to /secetc. After that it is a matter of creating the private keys and things in the new locations. A lot can be put in that location and can still be found the ordinary way. Still, it would be much better if this guide didn't suck, and if there were a root switching feature in OpenBSD.

John Tate

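The copy-delete-symlink procedure described in the post, written out as a POSIX sh function. This is an added example, not code from the post or from OpenBSD; the function and helper names (move_and_link, verify_link, demo) and the scratch-directory layout are my own, and the sample key file it creates is constructed and not a real key. It takes the /etc and /secetc paths as parameters so the steps can be rehearsed in a throwaway directory before touching the real system, verifies the copy before deleting the original, refuses to overwrite anything already on the encrypted side, and leaves an absolute symlink so software keeps finding the files at the usual location.

```shell
#!/bin/sh
# Added example: move a path out of the unencrypted /etc onto the encrypted
# softraid partition (mounted on /secetc in the post) and leave a symlink behind.
# Not the post's or OpenBSD's code; all names here are this example's own.

# move_and_link ETC SECETC RELPATH
#   ETC     the tree on the unencrypted root (normally /etc), absolute path
#   SECETC  the mount point of the encrypted partition (normally /secetc), absolute path
#   RELPATH the entry to move, relative to ETC, e.g. ssl/private
move_and_link() {
    etc=$1 secetc=$2 rel=$3
    # Guard the later rm -rf: no empty, absolute or parent-traversing RELPATH.
    case $rel in
        ''|/*|*..*) echo "bad relative path: '$rel'" >&2; return 1 ;;
    esac
    src="$etc/$rel"
    dst="$secetc/$rel"

    if [ -L "$src" ]; then
        echo "$src is already a symlink, nothing to do" >&2
        return 0
    fi
    if [ ! -e "$src" ]; then
        echo "$src does not exist" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists, refusing to overwrite" >&2
        return 1
    fi

    mkdir -p "$(dirname "$dst")" || return 1
    # -R handles directories (and is harmless on a single file); -p keeps
    # owner, mode and timestamps, which matters for 0600/0700 key material.
    cp -Rp "$src" "$dst" || return 1
    # Only delete the original once the copy is byte-for-byte identical.
    diff -r "$src" "$dst" >/dev/null || { echo "copy verification failed" >&2; return 1; }
    rm -rf "$src" || return 1
    # Absolute link target, so it resolves regardless of the caller's cwd.
    ln -s "$dst" "$src"
}

# verify_link ETC SECETC RELPATH: true if ETC/RELPATH is a symlink pointing at
# SECETC/RELPATH and that target currently exists (i.e. the partition is mounted).
verify_link() {
    src="$1/$3"
    dst="$2/$3"
    [ -L "$src" ] && [ "$(readlink "$src")" = "$dst" ] && [ -e "$src" ]
}

# demo: rehearse the migration of ssl/private in a scratch tree and print the
# scratch directory. The key file is a constructed placeholder, not a real key.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/ssl/private" "$tmp/secetc" || return 1
    printf 'not-a-real-key\n' > "$tmp/etc/ssl/private/server.key"
    chmod 600 "$tmp/etc/ssl/private/server.key"
    chmod 700 "$tmp/etc/ssl/private"
    move_and_link "$tmp/etc" "$tmp/secetc" ssl/private || return 1
    verify_link "$tmp/etc" "$tmp/secetc" ssl/private || return 1
    # The key is still reachable through the old path, via the symlink.
    cmp "$tmp/etc/ssl/private/server.key" "$tmp/secetc/ssl/private/server.key" || return 1
    echo "$tmp"
}

# On the real system, after the softraid volume has been decrypted and mounted:
#   move_and_link /etc /secetc ssl/private
```

Two caveats a practitioner would want: the symlink is dangling until the encrypted partition is actually mounted, so anything that reads /etc/ssl/private before the decrypt-and-mount step in the post's setup will fail rather than fall back to a plaintext copy (which is the intended behaviour, but worth knowing when ordering startup); and cp -p preserves the mode bits, so check with ls -l afterwards that private keys are still 0600 and the directory 0700 on the new filesystem.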