On Sun, Nov 11, 2012 at 11:20:53AM +0000, hepta tor wrote:
> On 11/10/12, Barry Grumbine <barry.grumb...@gmail.com> wrote:
> > On Fri, Nov 9, 2012 at 7:58 PM, hepta tor <hepta...@gmail.com> wrote:
> > Read this thread:
> > http://marc.info/?l=openbsd-misc&m=135198427413548&w=2
> >
> > run -current.
>
> Thanks for the pointer. Do you know if there are any guidelines on how
> to configure FDE with what's implemented in -current?
> At
> http://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption
> there is a kind of mini tutorial on how to configure softraid for
> encryption - does anyone know if this is compatible with what's
> implemented in -current?
> -h
I'd say this one is better: http://www.undeadly.org/cgi?action=article&sid=20110530221728
(disclaimer: I wrote it :)

The article is a bit outdated but generally it should still be valid.
Recompiling the kernel to hard-code the root device isn't necessary anymore.
In 5.2 (perhaps even 5.1?) the root device will be found automatically if
you run installboot on the crypto disk rather than the physical disk.

With -current, you could also try to take advantage of the newly added
crypto boot feature, but you'll have to use a passphrase instead of a key
disk. Such a setup is probably a bit easier to maintain but I haven't tried
it myself yet.

Note that since the installer cannot install or upgrade such systems without
manual intervention, a full disk encryption system is still a rather uncommon
experimental setup. I would not recommend it unless you are comfortable with
this limitation. At the very least, try to install and upgrade such a system
before committing to using it in production.

If you've never used softraid crypto before, perhaps encrypting just one
partition, such as /home, is easier to get started with.
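As an added illustration of the "encrypt just /home first" suggestion (not a script from this thread, the undeadly article, or OpenBSD itself), the following sh script composes the bioctl(8)/newfs(8) steps for a softraid crypto volume in either key-disk or passphrase mode. The device names (sd0k as the RAID chunk, sd1a as the optional key disk, sd2 as the resulting volume) are assumptions; it only prints the commands unless DO_IT=1 is set.

```shell
#!/bin/sh
# Added example: prepare a softraid(4) CRYPTO volume to hold /home on OpenBSD.
# Device names below are assumptions; check your disklabel before running.
# Dry-run by default so the plan can be reviewed before any disk is touched.

CHUNK="${CHUNK:-/dev/sd0k}"   # partition with fstype RAID that backs the volume (assumed)
KEYDISK="${KEYDISK:-}"        # e.g. /dev/sd1a; empty selects a passphrase instead

# Build the bioctl(8) command that creates the crypto volume.
# With a key disk the volume is assembled automatically at boot; with a
# passphrase a non-root volume must be attached by hand (or from rc) before
# /home can be mounted, which is the maintenance trade-off the reply mentions.
create_cmd() {
    if [ -n "$KEYDISK" ]; then
        printf 'bioctl -c C -l %s -k %s softraid0\n' "$CHUNK" "$KEYDISK"
    else
        printf 'bioctl -c C -l %s softraid0\n' "$CHUNK"
    fi
}

# fstab(5) line for the volume; $1 is the sd device bioctl reported (e.g. sd2).
fstab_line() {
    printf '/dev/%sa /home ffs rw,nodev,nosuid 1 2\n' "$1"
}

# Execute a step only when DO_IT=1; otherwise just show it.
run() {
    if [ "${DO_IT:-0}" = 1 ]; then eval "$1"; else echo "would run: $1"; fi
}

main() {
    run "$(create_cmd)"
    # bioctl reports the new volume, e.g. "CRYPTO volume attached as sd2".
    # Give that volume a disklabel with an 'a' partition (disklabel -E sd2,
    # interactive, so not scripted here) before creating the filesystem.
    vol="${VOL:-sd2}"   # assumed name of the new crypto volume
    run "newfs /dev/r${vol}a"
    # Copy the existing home directories onto the encrypted volume.
    run "mount /dev/${vol}a /mnt && cp -Rp /home/. /mnt/ && umount /mnt"
    echo "append to /etc/fstab: $(fstab_line "$vol")"
}

main
```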