> On Linux you can do the following:
> Hard drive:
> { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive entirely 
> encrypted] }
> Then the only parts of the (x64) computer that are unencrypted are the BIOS 
> and GRUB.

This is how it already does it with the exception that the unencrypted
data are not in a regular partition. Instead the unencrypted
bootloader exists within the space allocated for the disklabel (and
the MBR on x86) which then locates and decrypts the partition
containing the kernel.

> You can then move the GRUB offline if you wish, execute it externally.
> Is something like this possible on OpenBSD?

I have briefly looked into locating the unencrypted parts of OpenBSD's
bootloader on a separate detachable disc, as I had managed to cobble
together previously, but the kernel is told where its root partition
is in quite a different way from Linux and I decided I didn't want
to trawl through x86 real mode assembly any more.

It can be done of course but you may have to hack at the bootloader
to make it work. I only did it with Linux to prove that I could, not
because it was useful.


