I think it would make sense to be able to do this. I have a scenario where I would like to install OpenBSD on a remote machine with a customized bsd.rd in order to automatically set it all up, feeding a password into the stdin of bioctl.

Now, bioctl doesn't allow a hashed password to be fed into it (as opposed to the encrypt command, which does for user logins and auto_install). This leaves me with only one choice: to feed a password into bioctl in order to set up the fully encrypted drive, and then change the password with bioctl -P afterwards. The only problem with that is just what was said: the original password could still be used to decrypt the partitions, as the keydisk hasn't changed.

-------- Original Message --------
Subject: Re: "bioctl -P" is to change passphrase without wiping the encrypted partition's contents. How do you generate a new keydisk without wiping the same?
Local Time: November 20 2015 7:03 pm
UTC Time: November 20 2015 7:03 pm
From: [email protected]
To: [email protected]
CC: [email protected], [email protected]

Tinker wrote:
> Aha.
>
> *Is* the keydisk the master key, and hence can't be changed?

The keydisk is the mask for the master key. It can (in theory) be changed like changing a password. Really, the key disk is just a prehashed password.

> Very low priority topic:
>
> What about implementing some routine for regenerating the master key, even if that would imply reprocessing *all* of the disk's contents?
>
> That could be beneficial in a place where you don't have the space to backup 100% of the disk as to start over.

You could, but you'd be really screwed if you crashed halfway. I don't think the kernel can/should do this, but it is not impossible for a userland utility to manipulate softraid partitions.
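The distinction the thread turns on (a mask key that wraps the master key versus the master key itself) is easier to see in code. The following is an added illustration written for this page, not code from the thread, from bioctl or from the softraid driver, and it does not reproduce softraid's on-disk metadata format. It is a stdlib-only toy: the "cipher" is HMAC-SHA256 run in counter mode, the mask key is derived from a passphrase with PBKDF2 (or, for the key-disk case, is simply a random 32-byte string stored elsewhere), and the function names, the metadata dictionary and the sample payload are all invented for the example. What it demonstrates is that rewrapping the master key under a new mask touches only the metadata block and leaves every data byte untouched, while regenerating the master key forces the whole volume to be decrypted and re-encrypted.

```python
"""Toy model of a masked-master-key volume (illustration only).

A random master key encrypts the data.  A mask key wraps the master
key in a small metadata block.  The mask is either derived from a
passphrase or, for a "key disk", a random key stored on another device
(the thread's "prehashed password").  The stream cipher here is
HMAC-SHA256 in counter mode, chosen so the example runs anywhere; it is
NOT softraid's format or cipher.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32


def derive_mask(passphrase: bytes, salt: bytes, rounds: int = 50_000) -> bytes:
    """Passphrase -> mask key.  A key disk skips this step: it holds a
    random KEY_LEN-byte mask directly, i.e. a prehashed password."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, rounds, dklen=KEY_LEN)


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Toy counter-mode keystream; the label separates key-wrapping
    from data encryption so the two never share keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, label + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap(master: bytes, mask: bytes) -> dict:
    """Metadata block: masked master key plus a check tag, so that a
    wrong passphrase or key disk is rejected instead of yielding garbage."""
    return {
        "masked": _xor(master, _keystream(mask, b"wrap", KEY_LEN)),
        "check": hmac.new(mask, master, hashlib.sha256).digest(),
    }


def create_volume(plaintext: bytes, mask: bytes, salt: bytes) -> dict:
    """Fresh volume: new random master key, data encrypted under it,
    master key wrapped under the supplied mask."""
    master = secrets.token_bytes(KEY_LEN)
    return {
        "salt": salt,
        "meta": _wrap(master, mask),
        "data": _xor(plaintext, _keystream(master, b"data", len(plaintext))),
    }


def unlock(vol: dict, mask: bytes):
    """Return the master key if this mask unwraps it, else None."""
    master = _xor(vol["meta"]["masked"], _keystream(mask, b"wrap", KEY_LEN))
    tag = hmac.new(mask, master, hashlib.sha256).digest()
    return master if hmac.compare_digest(tag, vol["meta"]["check"]) else None


def read_volume(vol: dict, mask: bytes) -> bytes:
    master = unlock(vol, mask)
    if master is None:
        raise ValueError("wrong passphrase or key disk")
    return _xor(vol["data"], _keystream(master, b"data", len(vol["data"])))


def change_mask(vol: dict, old_mask: bytes, new_mask: bytes) -> None:
    """Passphrase/key-disk change: rewrap the *unchanged* master key.
    Only the metadata block is rewritten; vol["data"] is not touched.
    The new mask can be a derived passphrase or a raw key-disk key."""
    master = unlock(vol, old_mask)
    if master is None:
        raise ValueError("wrong passphrase or key disk")
    vol["meta"] = _wrap(master, new_mask)


def regenerate_master(vol: dict, mask: bytes) -> None:
    """Master-key rotation: every data byte must be decrypted under the
    old key and re-encrypted under the new one.  In a real volume a
    crash midway leaves sectors under two different keys, which is the
    risk the thread points out."""
    plaintext = read_volume(vol, mask)
    master = secrets.token_bytes(KEY_LEN)
    vol["meta"] = _wrap(master, mask)
    vol["data"] = _xor(plaintext, _keystream(master, b"data", len(plaintext)))
```

In use: build the volume with the install-time passphrase, call change_mask() to move to the final passphrase (or to a random key-disk key), and observe that vol["data"] is byte-for-byte identical afterwards while the install-time mask no longer unlocks anything; regenerate_master() is the only operation that changes the ciphertext. Whether a given bioctl invocation behaves exactly like change_mask() is a question for bioctl(8) and the softraid source, not something this toy settles.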

