> >depends what you want to achieve, but my recommendation is booting from
> >and mount encrypted root from the HDD.
> >you can safely remove the usb key after root mount and all your
> >files are used from the encrypted storage.
> >this ensures 2 things: bootloader + kernel on USB boot media cannot be
> >attacked during system uptime and all bytes on disk are encrypted.
> >another advantage is, you don't need (to type, write down or remember)
> >passphrases but can use strong random data for crypto payload/keys.
> >
> How do you do this on OpenBSD?
@frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk

Reply via email to