I'm in need of setting up several OpenBSD servers at remote locations. Each one will have a two-disk softraid(4) RAID 1 with as much as possible of application data encrypted. The machines will mainly be serving very large mysql databases, nginx/httpd, transmission and owncloud.
Since none of the servers have tools for remote administration, my only option for unlocking any crypto volumes will be over ssh(4). AFAIK that means I cannot encrypt any parts of the OS itself, since all partitions are required to be present for the OS to be able to boot up to a point where it can offer sshd(8), right?

That means that encrypted data, which would typically reside in /var/mysql, /var/www, and /var/transmission, must reside on volumes that can be unlocked and mounted separately. However, I cannot predict in advance which "service" will outgrow the others first, so I'd like to have them all on the same volume, just like it would have been if I could simply encrypt one very large /var partition to begin with.

My question: Is it trivial to have mysql, transmission and www store all of their data on a separate volume and have it mounted to, let's say

    /var/
        raid1c/
            www/
            mysql/
            transmission/

while retaining various log and chroot functionality and without reducing security? Any potential caveats to watch out for?

Erling