Thank you very much. So there is really really no way for the system to retrieve the key stored on the smart card (using GnuPG) at boot in order to decrypt the volumes?
I haven't bought the smart card yet because I wanted to see first if it was useful. The one I was planning to buy was an OpenPGP v2 SC: http://shop.kernelconcepts.de/product_info.php?products_id=42 However, I don't know how it is seen by the system and if it would show up as a drive. Is anyone here using a smart card to decrypt volumes at boot?

Thanks!

On Wed, Aug 20, 2014 at 8:13 PM, Ted Unangst <[email protected]> wrote:
> On Wed, Aug 20, 2014 at 18:11, Julien Meister wrote:
> > Hello everybody,
> >
> > I'm from FreeBSD and I wanted to give OpenBSD a (new) try.
> >
> > I would like to have full disk encryption (as I've seen it's possible now
> > with OpenBSD 5.5) and use a smart card to decrypt the volumes at
> > boot, instead of having to type a password, which seems "less secure".
> >
> > I read a lot of articles to see how it works using bioctl but none are
> > talking about using a smart card as a keydisk, only a USB drive.
> >
> > If I understood correctly, when using "bioctl -k /path/of/RAID/keydisk",
> > the key is created automatically and the encrypted RAID volume is
> > associated with that "USB RAID partition keydisk". So the system can now
> > boot only if the BIOS/UEFI finds that particular USB RAID partition.
> >
> > My questions are:
> >
> > 1) How to do the same thing using a smart card instead of a USB drive?
> >
> > 2) Is it possible to "copy" the image of the USB keydisk to a smart card
> > (or inversely) to be able to boot using either the USB drive or the smart card?
> >
> > 3) If the smart card is used as a keydisk to boot the system, is it
> > possible to configure that same smart card to access my home computer
> > using SSH? (As if it were ONLY possible to SSH to my computer using that
> > smart card.)
>
> This would depend a lot on your smart card. Does it show up as a disk,
> like sd1 or sd2, like USB drives do? If so, then you do exactly what
> you'd do with a USB drive. If not, then it's not supported.
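Ted's test ("does it show up as a disk, like sd1 or sd2?") and the bioctl keydisk workflow from the question, put together as an added example that is not part of this thread or of OpenBSD's own tooling. It reads the hw.disknames sysctl value (passed in as a string so the example also runs on a machine without OpenBSD, using a constructed value), decides whether a named device is a disk at all, and only then prints the fdisk/disklabel/bioctl commands rather than running them. Device names sd0/sd1 and partition letters are assumptions; a card that exposes only a CCID/PC-SC interface never appears in hw.disknames, which is the unsupported case Ted describes.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. The device names and
# the DUIDs in the constructed hw.disknames string below are assumptions.

# disk_present NAME DISKNAMES
# Return 0 if NAME (e.g. sd1) is one of the comma-separated name:duid entries
# that OpenBSD's `sysctl -n hw.disknames` reports, else 1. A smart card that
# offers no mass-storage interface will not appear here at all.
disk_present() {
    name=$1
    names=$2
    oldifs=$IFS
    IFS=,
    for entry in $names; do
        case $entry in
            "$name:"*) IFS=$oldifs; return 0 ;;
        esac
    done
    IFS=$oldifs
    return 1
}

# keydisk_commands DATA_PART KEYDISK_DEV KEYDISK_PART
# Print (do not run) the steps that create a RAID partition on the keydisk
# and attach the encrypted softraid volume to it with `bioctl -k`. The key is
# generated by bioctl and stored on the keydisk; no passphrase is asked for.
# These commands wipe the keydisk device: run them only as root on the device
# you mean, after checking it with disk_present.
keydisk_commands() {
    data=$1
    kdev=$2
    kpart=$3
    cat <<EOF
fdisk -iy $kdev
disklabel -E $kdev        # create partition ${kpart#$kdev} with FS type RAID
bioctl -c C -l $data -k $kpart softraid0
EOF
}

# plan_keydisk DATA_PART KEYDISK_DEV KEYDISK_PART DISKNAMES
# Apply Ted's test first, then either emit the plan or say why it cannot work.
plan_keydisk() {
    if disk_present "$2" "$4"; then
        keydisk_commands "$1" "$2" "$3"
        return 0
    fi
    echo "$2 is not a disk in hw.disknames; softraid cannot use it as a keydisk" >&2
    return 1
}

# Usage on a real OpenBSD box (uncomment): plan against the live sysctl value.
# plan_keydisk sd0a sd1 sd1a "$(sysctl -n hw.disknames)"
```

The printed plan is a plan only; the `disklabel -E` step is interactive, and the FS type of the keydisk partition must be RAID for bioctl to accept it. The same `disk_present` check answers question 1: if the card is not listed, there is nothing for `-k` to point at.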

