On Sat, Feb 15, 2020 at 12:22:02PM +0100, no@s...@mgedv.net wrote:
>depends what you want to achieve, but my recommendation is booting from
USB
>and mount encrypted root from the HDD.
>you can safely remove the usb key after root mount and all your
configs/etc
>files are used from the encrypted storage.
>this ensures 2 things: bootloader + kernel on USB boot media cannot be
>attacked during system uptime and all bytes on disk are encrypted.
>another advantage is, you don't need (to type, write down or remember)
any
>passphrases but can use strong random data for crypto payload/keys.
>
How do you do this on OpenBSD?
@frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk
That's telling me how to use a keydisk -- how to put the softraid FDE
encryption key material on a USB disk.
If an evil made came by and got access to my machine, they would still
be able to tamper with the bootloader code to harvest the FDE password
when I returned.
I want to put the whole bootloader (including the code used to decrypt
the softraid-FDE-encrypted root-partition-containing media) on a USB
disk.
This way the evil maid would have nothing to tamper with.
