On Sun, Nov 11, 2012 at 11:20:53AM +0000, hepta tor wrote:
> Thanks for the pointer. Do you know if there are any guidelines on how
> to configure FDE with what's implemented in -current?
> At
> http://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption
> there is a kind of mini tutorial on how to configure softraid for
> encryption - does anyone know if this is compatible with what's
> implemented in -current?

Nothing that I'm aware of at the moment. The lack of documentation had me confused a couple of days, wasting time on old and complicated approaches (i.e. your link above) but thanks to jirib, I managed to get it working:

---8<---
no, no... make sd0a as RAID partition, do _not_ create sd0b as swap, then bioctl kung-fu with passphrase, and install onto sd1 as usual.

Then I think it would be wise to change /mnt/etc/sysctl.conf to have this

    vm.swapencrypt.enable=0

as sd1 is crypt volume anyway...

After reboot, boot will ask you for passphrase and then normal boot occurs (yes, boot can access kernel on crypto volume after passphrase).

Enjoy.

jirib
--->8---

It's real simple. This is what I did. My physical disk is sd0 and I'm booting bsd.rd from a usb stick at sd1:

Boot from install media and go to shell.

In disklabel, create a single root partition (a) of type RAID that spans the whole OpenBSD area allocated in fdisk. Don't create swap (b) or any other partitions.

    # bioctl -C force -c C -l /dev/sd0a softraid0

You'll be asked for passphrase and bioctl will create a crypto volume at sd2 (since sd0 is my physical disk and sd1 is the usb stick I'm booting from).

Create the sd2 device so it becomes accessible for the install program:

    # cd /dev
    # sh ./MAKEDEV sd2

Enter back into the install program:

    # cd /
    # install

When asked which disk to initialize, select the crypto volume (in my case sd2). Follow jirib's advice above.

The new boot code is wonderful. The only thing that is not working is the option to use a keydisk.

Regards,
Erling
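
An added example, not part of the original message: a pre-flight check for the layout described above, run against the partition lines that disklabel prints before bioctl is invoked, plus a check of the installed sysctl.conf for the setting jirib suggests. The function names check_label and swapencrypt_disabled are hypothetical, and the sample labels are constructed.

```shell
#!/bin/sh
# check_label: read disklabel partition lines on stdin. Succeeds only if
# partition a has fstype RAID and no partition other than c exists.
check_label() {
    awk '
        $1 ~ /^[a-p]:$/ {
            part = substr($1, 1, 1); fstype = $4
            if (part == "c") next               # c is the whole-disk entry
            if (part == "a" && fstype == "RAID") { raid_a = 1; next }
            printf "unexpected partition %s (%s)\n", part, fstype
            bad = 1
        }
        END {
            if (!raid_a) { print "partition a is not of type RAID"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# swapencrypt_disabled FILE: succeeds if the last uncommented assignment of
# vm.swapencrypt.enable in FILE (e.g. /mnt/etc/sysctl.conf) is 0.
swapencrypt_disabled() {
    awk -F= '
        { sub(/#.*/, ""); gsub(/ /, ""); gsub(/\t/, "") }
        $1 == "vm.swapencrypt.enable" { val = $2 }
        END { exit (val == "0" ? 0 : 1) }
    ' "$1"
}

# Constructed sample labels (sizes and offsets are made up).
GOOD_LABEL='#                size           offset  fstype [fsize bsize   cpg]
  a:        976768002               64    RAID
  c:        976773168                0  unused'
BAD_LABEL='#                size           offset  fstype [fsize bsize   cpg]
  a:        960000000               64    RAID
  b:         16768002        960000064    swap
  c:        976773168                0  unused'

printf '%s\n' "$GOOD_LABEL" | check_label && echo "good label: layout ok"
printf '%s\n' "$BAD_LABEL"  | check_label || echo "bad label: rejected"
```

On a real system the input would come from `disklabel sd0` in the install shell.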