On Mon, Apr 25, 2011 at 03:41:33AM +1000, John Tate wrote:
> OpenBSD Misc,
>
> I have recently configured an OpenBSD softraid using the following
> as a guide along with the correct manual pages:
> http://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption
>
> The limitation I've noticed is that / is unencrypted which means
> /etc is unencrypted. My first install had the usual partitions on
> the encrypted softraid device: /usr /var /home and /tmp which all in
> all works out pretty well. Then when creating private keys it
> clicked that they would reside in /etc/ssl/private which of course
> could be moved but I am a pretty anal admin who likes things done as
> those who engineered the system intended. It saves trouble doing
> things that way. Most of the stuff in /etc is not that important but I
> take the physical security of the machine pretty seriously.
>
> When I read the guide the first time on the first install it
> mentioned creating an /altroot partition and I did but this seems to
> be for backup purposes or something. I can't really tell and I can't
> seem to find much documentation about it. I thought when reading the
> guide that the root partition would switch over to it or something
> like that. It was pretty disappointing when I looked around in the
> documentation and manual pages regarding mount and such and found
> that I could not modify the /bin/decrypt script mentioned in the
> guide to use mount to switch to altroot. I might be wrong and there
> might just be a flaw in the documentation. It would be very good if
> such a root partition switching type thing were added as a feature to
> OpenBSD.
>
> In the meantime I've come up with my own solution for which I
> reinstalled this time creating on the softraid a partition called
> /secetc. Basically using this I can copy things over from /etc to
> /secetc, delete them in /etc, and symlink them over to /secetc.
> After that it is a matter of creating the private keys and things in
> the new locations. A lot can be put in that location and can still be
> found the ordinary way. Still it would be much better if: this guide
> didn't suck, and if there was a root switching feature in OpenBSD.
>
> John Tate
>

Support for booting from softraid was just committed to -current. The
install scripts still do not provide direct support for creating
softraid partitions.

.... Ken