Tue, 22 Dec 2015 20:35:39 +0000 Tati Chevron <chev...@swabsit.com>
> On Tue, Dec 22, 2015 at 10:20:16PM +0200, li...@wrant.com wrote:
> >Tue, 22 Dec 2015 13:36:38 -0500 "Ted Unangst" <t...@tedunangst.com>  
> >> Tati Chevron wrote:  
> >> > I have never understood exactly why people have so much difficulty
> >> > installing a recent OpenBSD system on an encrypted partition.
> >> >
> >> > Basically, you boot bsd.rd as normal, and drop to a shell.  
> >>
> >> Which nobody does for an otherwise normal install.  
> >
> >If you mess up the options, you can break out with Ctrl-C and exit with
> >Ctrl-D to restart the process.  It is still considered a drop to a
> >shell, albeit a short and not very productive one.
> >
> >For an otherwise "normal" install, the entire discussion is not really
> >needed.  
> 
> Installing on a softraid crypto volume is NEVER going to be a, 'normal'
> install.
>
> Think about it: on a system with one physical disk, (many desktops, and
> most laptops), a lot of people lazily make one huge softraid crypto

If a lot of people need and use, as in require, full disk encryption,
that would be the default, no?

> If, on the other hand, you think that having the system files encrypted
> makes modification of them difficult, think again - the bootloader
> is unencrypted and could be trojaned easily by anyone with physical
> access or who has gained root access over the LAN.

You're missing the case when the key is on a (local) removable device,
or manually entered sequence, or over a network, including
combinations of these.  Resemblance to SSH authentication methods?

> So the average person installing OpenBSD with, 'full disk encryption',
> is gaining virtually nothing by doing that,

This is more true than you emphasize, but not because of the explanation
you provided, simply because it's too incomplete to be in the installer yet.

Ted has a point?

> that they couldn't do by
> installing the system on an unencrypted partition and using a softraid
> volume for their own data storage, and maybe configuration and log files.

That's one efficient approach to pick, because you're in control and
don't need the wasted cycles on slow systems.  In reality you only
encrypt a couple of files.

There is a certain parallel between encrypting hard disks and hardware
raid controllers, and full disk encryption and software raid
implementation, no?

Remember, some of us are running some 20+ year old machines, embedded
systems, and other not that recent processors but still very usable
systems, and will do so until they fall apart beyond repair, or they
can no longer go through the installer in less than a day.
