In message <http://marc.info/?l=openbsd-misc&m=140146687910205&w=1>, Ted Unangst wrote:
> If you are using encrypted vnd (vnconfig -k or -K) you will want to
> begin planning your migration strategy.
[[...]]
> WARNING: Encrypted vnd is insecure.
> Migrate your data to softraid before 5.7.

Once this transition happens, what will be the right way to achieve nested crypto volumes? That is, with present-day OpenBSD I can have the following:

  /home is a softraid-crypto filesystem
    managed with 'bioctl -c C' via passphrase #1
  /home/me/very-secret is a vnd-crypto filesystem
    backed by the files /home/me/very-secret-storage.{salt,data}
    managed with 'vnconfig -c -K' via passphrase #2
  /home/me/other-secret is a vnd-crypto filesystem
    backed by the files /home/me/other-secret-storage.{salt,data}
    managed with 'vnconfig -c -K' via passphrase #3

What will be the "right" way to achieve such a nested-encryption setup once encrypted vnd goes away? Is/will it be safe (i.e., free from data corruption, deadlock, or other kernel badness) to nest softraid crypto volumes?

ciao,

--
-- "Jonathan Thornburg [remove -animal to reply]" <jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment. How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork. It was even conceivable
    that they watched everybody all the time." -- George Orwell, "1984"