On Mon, Feb 17, 2020 at 08:50:14AM +0000, Frank Beuth wrote:
| > > How do you do this on OpenBSD?
| > @frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk
|
| That's telling me how to use a keydisk -- how to put the softraid FDE
| encryption key material on a USB disk.
|
| If an evil maid came by and got access to my machine, they would still
| be able to tamper with the bootloader code to harvest the FDE password
| when I returned.
|
| I want to put the whole bootloader (including the code used to decrypt
| the softraid-FDE-encrypted root-partition-containing media) on a USB
| disk.
But you can already do this.  If your machine supports booting from USB,
you can do a minimal install to a USB stick (using FDE, if you want).
Now you have a portable OpenBSD environment you can boot on any system
capable of booting from USB (and supporting the same kernel
architecture).

What you can also do with this USB stick is use its bootloader to boot
the OS stored on the disk inside your machine (FDE encrypted or not).
I've used this to fix up installs gone sour on my machines in the past.
Works a treat.  I don't use it to prevent the evil maid case you
describe though, but I think it would work just fine.

| This way the evil maid would have nothing to tamper with.

Note that with this approach, a default OpenBSD install to your machine
will still install a bootloader on the physical disk inside your
machine.  It's then on you to NOT use that.

Cheers,

Paul 'WEiRD' de Weerd

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
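Added example, not part of Paul's mail: an /etc/boot.conf placed on the USB stick so that its bootloader loads the kernel from the internal softraid crypto volume instead of the stick's own root, which is the "use the USB bootloader, not the one on the internal disk" setup described above. The device name sr0a and the 5 second timeout are assumptions; the actual number can be checked with `machine diskinfo` at the boot> prompt, and boot(8) prompts for the internal volume's passphrase before loading /bsd from it.

```text
set timeout 5
boot sr0a:/bsd
```

The timeout leaves the boot> prompt reachable, so the stick can still be used to boot its own root (or a different volume) by typing another `boot` command before it expires.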