On Tue, Dec 22, 2015 at 10:20:16PM +0200, li...@wrant.com wrote:
Tue, 22 Dec 2015 13:36:38 -0500 "Ted Unangst" <t...@tedunangst.com>
Tati Chevron wrote:
> I have never understood exactly why people have so much difficulty installing
> a recent OpenBSD system on an encrypted partition.
>
> Basically, you boot bsd.rd as normal, and drop to a shell.
Which nobody does for an otherwise normal install.
If you mess the options, you can break out with Ctrl-C and exit with
Ctrl-D to restart the process. It is still considered a drop to a
shell, albeit a short and not very productive one.
For an otherwise "normal" install, the entire discussion is not really
needed.
Installing on a softraid crypto volume is NEVER going to be a, 'normal'
install. Just about any sensible usage of it requires you to sit down
and plan out a partitioning scheme anyway, by which point you might as
well do it all at the command line manually, rather than using the
installer.
Think about it: on a system with one physical disk, (many desktops, and
most laptops), a lot of people lazily make one huge softraid crypto
partition spanning the whole disk, and then proceed to partition that
volume in the same way they would do if they were doing a, 'normal',
installation on a non-encrypted disk.
Why?
Because you want to test the softraid crypto code and the performance
of your hardware to the maximum? Great! That's one genuine use case.
If, on the other hand, you think that having the system files encrypted
prevents modification of them difficult, think again - the bootloader
is unencrypted and could be trojaned easily by anyone with physical
access or who has gained root access over the LAN.
So the average person installing OpenBSD with, 'full disk encryption',
is gaining virtually nothing by doing that, that they couldn't do by
installing the system on an unencrypted partition and using a softraid
volume for their own data storage, and maybe configuration and log files.
Putting a simple option in the installer to build a single softraid
crypto volume spanning the whole disk would just discourage people from
learning how to use it correctly.
--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com
