I have 7.6-current/#394 installed on a Lenovo ThinkPad L570 containing two disks which I've configured based on ramblings I read in a few different online posts.

    sd0 - 500GB
    sd1 - 2TB

sd0 is softraid0 encrypted and holds the entire base system, mounted on sd2a through sd2l.

sd1 is also softraid0 encrypted and has two partitions...

    sd3a: /altroot
    sd3l: /data

I've added two lines to the default fstab...

    37ce80072f532bd0.a /altroot ffs xx 0 0
    37ce80072f532bd0.l /data ffs rw,softdep,noatime,nosuid,noauto 1 0

/etc/rc.securelevel looks like this...

    #!/bin/sh
    # decrypt second disk (partition sd1a) with key file
    bioctl -c C -p /home/disk.key -l 9e0f8de098bcbba0.a softraid0
    # run fsck on sd3l and mount it under /data
    fsck -p 37ce80072f532bd0.l && mount 37ce80072f532bd0.l

/etc/rc.shutdown looks like this...

    #!/bin/sh
    # unmount decrypted partition sd3l from /data
    umount -f 37ce80072f532bd0.l
    # detach (re-encrypt) disk sd1
    bioctl -d 37ce80072f532bd0

It all works beautifully. Rock solid, as everything about OpenBSD seems to be.

I have two questions.

1. Is there any advantage in using rc.securelevel over rc.local, which seems to work just as well?

2. Are there any issues with /altroot being mounted in an encrypted container?

Ideally I think I should be able to tell my BIOS to boot disk sd1 and use /altroot as the live root partition. The FAQ glibly says...

"Generally, you will want your /altroot partition to be on a different disk that has been configured to be fully bootable should the primary disk fail."

...but I've yet to find a syllable anywhere explaining how to achieve that, even on unencrypted systems. I guess an appropriate boot block needs to be installed on the second disk (I don't know how to do that either). Also I would guess /altroot would need to be temporarily mounted after each backup to swap the parameters in the "/" and "/altroot" lines. I'm not knowledgeable enough to think of anything else.

I might be talking c**p here and this uber-redundancy scenario isn't the intended way for /altroot to be used. Otherwise I'd be very interested and grateful to read any ideas anyone has on the subject.

Phil