>>> How do you do this on OpenBSD?
>>@frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk
> That's telling me how to use a keydisk -- how to put the softraid FDE
> encryption key material on a USB disk.
> If an evil made came by and got access to my machine, they would still
> be able to tamper with the bootloader code to harvest the FDE password
> when I returned.
> I want to put the whole bootloader (including the code used to decrypt
> the softraid-FDE-encrypted root-partition-containing media) on a USB
> disk.
> This way the evil maid would have nothing to tamper with.

They still would have plenty of firmware to target/infect, usually under 3
minutes with a screwdriver and dedicated hardware. If going this path, buy
a safe and lock the computer while away from it.

-Fabio Martins

Reply via email to