>>> How do you do this on OpenBSD?
>>@frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk
>
> That's telling me how to use a keydisk -- how to put the softraid FDE
> encryption key material on a USB disk.
>
> If an evil maid came by and got access to my machine, they would still
> be able to tamper with the bootloader code to harvest the FDE password
> when I returned.
>
> I want to put the whole bootloader (including the code used to decrypt
> the softraid-FDE-encrypted root-partition-containing media) on a USB
> disk.
>
> This way the evil maid would have nothing to tamper with.

They still would have plenty of firmware to target/infect, usually under 3 minutes with a screwdriver and dedicated hardware. If going this path, buy a safe and lock the computer while away from it.

-Fabio Martins