On 24/04/2011, John Tate <john-li...@johntate.org> wrote:
> OpenBSD Misc,
>
> I have recently configured an OpenBSD softraid using the following as a
> guide along with the correct manual pages:
> http://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption
>
> The limitation I've noticed is that / is unencrypted which means /etc is
> unencrypted. My first install had the usual partitions on the encrypted
> softraid device: /usr /var /home and /tmp which all in all works out
> pretty well. Then when creating private keys it clicked that they would
> reside in /etc/ssl/private which of course could be moved but I am a
> pretty anal admin who likes things done as those who engineered the
> system intended. It saves trouble doing things that way. Most of the stuff
> in /etc is not that important but I take the physical security of the
> machine pretty seriously.
>
> When I read the guide the first time on the first install it mentioned
> creating an /altroot partition and I did but this seems to be for backup
> purposes or something. I can't really tell and I can't seem to find much
> documentation about it. I thought when reading the guide that the root
> partition would switch over to it or something like that. It was pretty
> disappointing when I looked around in the documentation and manual pages
> regarding mount and such and found that I could not modify the
> /bin/decrypt script mentioned in the guide to use mount to switch to
> altroot. I might be wrong and there might just be a flaw in the
> documentation. It would be very good if such a root partition switching
> type thing were added as a feature to OpenBSD.

man daily

> In the meantime I've come up with my own solution for which I
> reinstalled this time creating on the softraid a partition called
> /secetc. Basically using this I can copy things over from /etc to
> /secetc, delete them in /etc, and symlink them over to /secetc. After
> that it is a matter of creating the private keys and things in the new
> locations. A lot can be put in that location and can still be found the
> ordinary way. Still it would be much better if: this guide didn't suck,
> and if there was a root switching feature in OpenBSD.

You're complaining in the wrong place. The default position around here
is to avoid "HOWTO" guides and stick to the project's documentation
and mailing lists. If you search the misc and tech archives you'll
find answers to your questions/suggestions re: encrypted root
partitions.
