Hello,

I have a use case for full disk encryption using softraid where the
keydisk is placed on the same harddrive as the encrypted partition. This
is not for protecting data on the drive in case it gets stolen, but
rather to allow for a quick way of making the data unrecoverable (by
destroying the keydisk and rebooting).

I am not sure this is even supposed to work, but I have now been trying
to make this work for a few hours and am getting pretty strange results.

I am currently testing this on a virtual machine which when booted into
the installer has a single physical drive: wd0.

The way I have been going about this is to start the installer, directly
drop to a shell and then do the following:
# fdisk -iy wd0

# disklabel -E wd0
Create the following partitions (in this order to make the biggest
partition last):
wd0b (swap) 
wd0d (RAID) - keydisk (1M)
wd0a (RAID) - the remaining part of the drive that will be encrypted.

# bioctl -c C -l /dev/wd0a -k /dev/wd0d softraid0

After this sd0 is created, and I exit back to the installer where I
select "install" and answer all the questions as usual. When it asks
for a drive I give it "sd0", and use the automatic partition layout
inside sd0.

Everything looks good at this point, but when rebooting the bootloader
stops with the following message:
===
Using drive 0, partition 3.
Loading.....
ERR M
===

If I boot back into the installer at this point sd0 appears
automatically, so even while the bootloader does not like what it finds,
the softraid crypto device is able to assemble itself like it is
supposed to.

This is where it gets really funky. I _have_ been able to get it to work
using the following schema:

#1. Install the system with only wd0b (swap) and wd0a (RAID) using a
passphrase.

#2. Reinstall the system and modify the disklabel to look like: wd0b
(swap), wd0d (RAID, 1M), wd0a. (Like my original plan).

When I do this the system manages to boot without a passphrase, using
the encrypted drive. It feels to me like the key is that in the above
order, the keydisk (wd0d) will align to where wd0a with the
passphrase was originally. As if there are some remains that make it
possible for the bootloader to locate it or something (that is not
overwritten when it is used as the target for the -k argument).

Any input on this would be greatly appreciated!

Regards,
Patrik Lundin
