To expand on Solène's response: keep in mind that if you need to cover both
scenarios for whatever your threat model is, you can do both too.

Another valuable result of FDE is that it helps ensure the integrity
of your boot drive (presuming you're encrypting your boot volume), i.e.
it prevents attacks like the sysadmin sticky-keys "attack" on Windows
boxes. So someone can't just boot, mount the partition and modify
your shadow file to add a new root user or other backdoor. Good for
scenarios where physical access isn't necessarily controlled by the
3Gs (guards, gates, guns).

In my experience, setting up FDE with OpenBSD has been very easy with
just a couple of calls to bioctl to set it up. Pretty much seamless if
you have a quick tutorial on it.

Don't lose your passphrases/keys, and have fun!

On Wed, Mar 22, 2017 at 9:38 AM, Solène Rapenne <sol...@perso.pw> wrote:
> On 2017-03-22 17:28, Jan Betlach wrote:
>>
>> Hi misc,
>>
>> planning to install -current on my Thinkpad T450s (SSD).
>>
>> I need to have several data directories encrypted, however would not mind
>> whole-disk encryption. Which method would be more supported / recommended?
>> Whole-disk encryption or creating a container file, loop device and then
>> virtual device with the encryption layer on it?
>>
>> Thanks in advance
>>
>> Jan
>
>
> Hello Jan,
>
> That would depend on your need, do you want to protect against someone
> who would steal your computer, or against some malicious software
> running under your system to read your data ?
>
> In the first case, you should go with FDE (full disk encryption), your
> data would be available only after you type the password at boot.
>
> In the second case, you should use some kind of encrypted volume that
> would be available only when you need to. I think that's possible to
> create an encrypted ffs volume contained into a file, that you can
> mount when you need.
>
> Regards

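The second option Solène describes (an encrypted FFS volume living in a file you mount only when you need it) and the bioctl-based setup mentioned above both come down to the same softraid(4) CRYPTO attach. The script below is an added example for this thread, not code from either poster: it builds a file-backed container with vnd(4), labels it with a RAID partition, attaches it with bioctl(8), and puts FFS on the result. The image path, the vnd0 device and the sdN name that softraid assigns when it attaches the volume (check the "CRYPTO volume attached as sdN" message or `dmesg`) are assumptions; it must run as root on OpenBSD, and DRY_RUN=1 prints the commands instead of executing them. The install-time FDE case uses the same `bioctl -c C -l ... softraid0` call against a RAID partition on the physical disk instead of vnd0a.

```shell
#!/bin/sh
# Encrypted file-backed volume on OpenBSD: a file attached as vnd(4),
# labelled with one RAID partition, turned into a softraid(4) CRYPTO
# volume with bioctl(8), then formatted with FFS.
# Example added for this thread, not the posters' code. The image path,
# vnd0 and the sdN name softraid assigns are assumptions; run as root.
# DRY_RUN=1 prints each command instead of running it.

set -eu

run() {
	if [ "${DRY_RUN:-0}" = 1 ]; then
		printf '+ %s\n' "$*"
	else
		"$@"
	fi
}

# Drive disklabel -E non-interactively: add partition 'a' over the whole
# device (default offset and size) with the given FS type, write, quit.
label() {
	dev=$1; fstype=$2
	if [ "${DRY_RUN:-0}" = 1 ]; then
		printf '+ disklabel -E %s  (a: %s)\n' "$dev" "$fstype"
	else
		printf 'a a\n\n\n%s\nw\nq\n' "$fstype" | disklabel -E "$dev"
	fi
}

# create_container IMAGE SIZE_MB VND SD
# One-time setup: random-filled backing file (so unused blocks look like
# ciphertext), vnd attach, RAID label, CRYPTO volume (bioctl prompts for
# the passphrase), then an FFS filesystem on the decrypted device SD.
create_container() {
	img=$1; size_mb=$2; vnd=$3; sd=$4
	run dd if=/dev/random of="$img" bs=1m count="$size_mb"
	run chmod 600 "$img"
	run vnconfig "$vnd" "$img"
	run fdisk -iy "$vnd"
	label "$vnd" RAID
	run bioctl -c C -l "${vnd}a" softraid0
	# The fresh volume decrypts to noise; clear the label area first.
	run dd if=/dev/zero of="/dev/r${sd}c" bs=1m count=1
	run fdisk -iy "$sd"
	label "$sd" 4.2BSD
	run newfs "${sd}a"
}

# open_container IMAGE VND SD MOUNTPOINT: attach and mount an existing one.
open_container() {
	img=$1; vnd=$2; sd=$3; mnt=$4
	run vnconfig "$vnd" "$img"
	run bioctl -c C -l "${vnd}a" softraid0
	run mount -o nodev,nosuid "/dev/${sd}a" "$mnt"
}

# close_container VND SD MOUNTPOINT: unmount, detach the crypto volume,
# free the vnd. After this the key is gone from the kernel.
close_container() {
	vnd=$1; sd=$2; mnt=$3
	run umount "$mnt"
	run bioctl -d "$sd"
	run vnconfig -u "$vnd"
}

# Usage (as root on OpenBSD; names are the assumptions stated above):
#   create_container /home/jan/vault.img 1024 vnd0 sd3
#   open_container   /home/jan/vault.img vnd0 sd3 /mnt/vault
#   close_container  vnd0 sd3 /mnt/vault
```

The container file is still visible (and its size and mtime leak when you last used it), so keep it mode 0600 and note that a passphrase typed while the volume is open protects nothing against malware already running as your user; close_container is what actually takes the key out of the kernel.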