On Wednesday 22 March 2017 18:17:12 Jan Betlach wrote:
> Solene, Ken,
>
> thanks a lot for quick responses. Primarily I need to protect the laptop
> against losing/stealing it. Therefore FDE would be ideal, however I've read
> somewhere that FDE is not officially supported on OpenBSD.

This is inaccurate - amd64 and i386 gained boot support for softraid crypto at
the end of 2012 and it has been pretty much supported since then. That said,
the installer does not provide support for an FDE configuration, however the
steps required to configure it are not overly complex and are documented in
the FAQ.

> It would probably make sense to combine both - FDE and to have most
> sensitive data additionally encrypted using virtual block device (as I do
> not need to have these permanently mounted).
>
> Jan
>
> On Wed, Mar 22, 2017 at 6:11 PM, Ken <[email protected]> wrote:
> > To expand on Solène's response. Keep in mind if you need to cover both
> > scenarios for whatever your threat-model is... you can do both too.
> >
> > Another valuable result of FDE is that it helps ensure the integrity
> > of your boot drive (presuming you're encrypting your boot volume). i.e.
> > prevents attacks like the sysadmin sticky-keys "attack" on windows
> > boxes. So someone can't just boot and mount the partition and modify
> > your shadow file to add a new root user or other backdoor. Good for
> > scenarios where physical access isn't necessarily controlled by the
> > 3Gs (guards, gates, guns).
> >
> > In my experience, setting up FDE with OpenBSD has been very easy with
> > just a couple of calls to bioctl to set it up. Pretty much seamless if
> > you have a quick tutorial on it.
> >
> > Don't lose your passphrases/keys, and have fun!
> >
> > On Wed, Mar 22, 2017 at 9:38 AM, Solène Rapenne <[email protected]> wrote:
> > > On 2017-03-22 17:28, Jan Betlach wrote:
> > >> Hi misc,
> > >>
> > >> planning to install -current on my Thinkpad T450s (SSD).
> > >>
> > >> I need to have several data directories encrypted, however would not mind
> > >> whole-disk encryption. Which method would be more supported / recommended?
> > >> Whole-disk encryption or creating a container file, loop device and then
> > >> virtual device with the encryption layer on it?
> > >>
> > >> Thanks in advance
> > >>
> > >> Jan
> > >
> > > Hello Jan,
> > >
> > > That would depend on your need, do you want to protect against someone
> > > who would steal your computer, or against some malicious software
> > > running under your system to read your data ?
> > >
> > > In the first case, you should go with FDE (full disk encryption), your
> > > data would be available only after you type the password at boot.
> > >
> > > In the second case, you should use some kind of encrypted volume that
> > > would be available only when you need to. I think that's possible to
> > > create an encrypted ffs volume contained into a file, that you can
> > > mount when you need.
> > >
> > > Regards

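As an added illustration of the second option in the thread (the on-demand encrypted volume kept in a file, opened with "a couple of calls to bioctl"), here is a small sh script that is not from the thread or from the OpenBSD project. It maps a container file onto a vnd(4), gives it a RAID-type partition, opens a softraid(4) CRYPTO discipline on it with bioctl(8), and mounts the resulting sd(4) device; the detach path reverses the steps. The image path, size, vnd unit, mount point, the use of the whole-disk c partition for the filesystem, and the disklabel -E prompt order are assumptions. It must run as root on OpenBSD; with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenBSD project): a file-backed
# softraid(4) CRYPTO volume that is only attached when needed. Run as root
# on OpenBSD; DRY_RUN=1 prints the plan to stderr instead of executing it.
# Paths, sizes and unit numbers below are assumptions for illustration.

IMG=${IMG:-/home/jan/vault.img}   # container file (assumed path)
SIZE_MB=${SIZE_MB:-512}           # container size in MiB (assumed)
VND=${VND:-vnd0}                  # vnd unit that backs the container (assumed)
MNT=${MNT:-/mnt/vault}            # mount point for the decrypted volume (assumed)
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it to stderr when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*" >&2; else "$@"; fi
}

# Pull the sd unit out of bioctl's attach message, e.g.
# "softraid0: CRYPTO volume attached as sd2" -> "sd2".
softraid_unit() {
    printf '%s\n' "$1" | sed -n 's/.*attached as \(sd[0-9][0-9]*\).*/\1/p'
}

# Open the CRYPTO discipline on partition a of the vnd (bioctl prompts for the
# passphrase) and print the sd unit it was attached as.
crypto_attach() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "bioctl -c C -l /dev/${VND}a softraid0" >&2
        echo sdN                      # placeholder unit while only planning
    else
        softraid_unit "$(bioctl -c C -l "/dev/${VND}a" softraid0 2>&1)"
    fi
}

# One-time setup: random-fill the container so used and unused blocks look
# alike, attach it, label a RAID partition, create the crypto volume, newfs.
vault_create() {
    run dd if=/dev/urandom of="$IMG" bs=1m count="$SIZE_MB"
    run chmod 0600 "$IMG"
    run vnconfig "$VND" "$IMG"
    run fdisk -iy "$VND"
    # disklabel -E dialogue: add partition a, default offset and size,
    # FS type RAID, write, quit (prompt order assumed as in the FAQ).
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "printf 'a a\\n\\n\\nRAID\\nw\\nq\\n' | disklabel -E $VND" >&2
    else
        printf 'a a\n\n\nRAID\nw\nq\n' | disklabel -E "$VND"
    fi
    sd=$(crypto_attach)
    run newfs "/dev/r${sd}c"          # whole virtual disk, assumed single fs
    run mkdir -p "$MNT"
    run mount "/dev/${sd}c" "$MNT"
    echo "$sd"
}

# Day-to-day: attach the existing container and mount it; prints the sd unit.
vault_attach() {
    run vnconfig "$VND" "$IMG"
    sd=$(crypto_attach)
    run mount "/dev/${sd}c" "$MNT"
    echo "$sd"
}

# Close everything again: unmount, detach the crypto volume, unmap the vnd.
vault_detach() {
    run umount "$MNT"
    run bioctl -d "$1"
    run vnconfig -u "$VND"
}

case ${1:-} in
    create) vault_create ;;
    attach) vault_attach ;;
    detach) vault_detach "${2:-}" ;;
esac
```

Usage: `doas sh vault.sh create` once, then `doas sh vault.sh attach` and `doas sh vault.sh detach sd2` (using the unit bioctl reported) around each session; `DRY_RUN=1 sh vault.sh create` shows the full command sequence first. Keeping the volume detached when not in use is what gives this layout its value over FDE alone: software running on the booted system cannot read the container until the passphrase is entered again.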