On Tue, Feb 02, 2021 at 07:04:38AM +0000, tetrahe...@danwin1210.me wrote:
> Looking thru the manpages, I don't see any provision for adding AND / OR
> logic to keys (e.g. require both passphrase AND keydisk to boot, require
> passphrase OR keydisk, etc) the way Linux cryptsetup provides, at least,
> OR-logic across multiple keyslots.
> 
> (Having multiple keyslots on an encrypted volume has saved me a few times!)
>
> Is there anything like this in OpenBSD?

It is possible to add multiple key disk slices (type RAID) to the same
disklabel.  This way, a single USB stick could unlock multiple volumes.

The idea of protecting key disks with a passphrase (two-factor auth) has
been raised before. It has not been implemented yet, simply because nobody
has done the work. A search of the mailing list archives should yield
some prior discussion.
I would also make use of this feature if it was available. I'd be happy to
review and test relevant patches.
