Thanks Ruben, I wasn't aware of installboot until now. I think I'm screwed and didn't think this through properly.
I could make the second disk bootable, but the unlock for it is a passfile residing on the encrypted first disk, and the unlock for the original boot disk is a keyboard-entered passphrase. Looking at the man pages it seems only one unlocking method can be installed on one device, and there's no way to replace a password unlock to a passfile one or vice versa. Conclusion - booting from multiple softraid encrypted drives will never be possible. That's ok. I may have a play around with an unencrypted machine just for interest's sake. ----- Original message ----- From: "Rubén Llorente" <port...@use.startmail.com> To: misc@openbsd.org Cc: doo...@fastmail.net Subject: Re: /altroot with multiple encrypted disks Date: Thursday, 31 October 2024 7:07 PM Phil wrote: > I guess an an appropriate boot block needs to be installed on the second > disk (I don't know how to do that either). Also I would guess /altroot > would need to be temporarily mounted after each backup to swap the > parameters in the "/" and "/altroot" lines. I'm not knowlegeable enough > to think of anything else. > > I might be talking c**p here and this uber-redundancy scenario isn't the > intended way for /altroot to be used. Otherwise I'd be very interested > and grateful to read any ideas anyone has on the subject. > > Phil > I think if you need that sort of redundancy you just use a mirror RAID. Boot encrypted mirror RAID is supported (man boot(() and man bioctl(8)). I suspect you could use installboot(8) on the disk holding your /altroot to make it bootable, but I have never tested such a thing.
