On 14/02/2026 13:19, Crystal Kolipe wrote: > On Sat, Feb 14, 2026 at 12:56:41PM +0100, Peter G. wrote: >> There. Solved. No chop. No half measures. Nothing exposed. > > So without knowing the OP's actual requirements, you're suggesting two > one-size-fits-all solutions that are likely far beyond their expected budget.
Yes. Because that objectively is the best solution for any scenario. > Although you may have found a solution from a technical point of view, the > OpenBSD approach tends to be more aligned with encouraging people to > understand the systems they are implementing, and implement appropriately. What? Let's not try to hide hurt feelings behind politics, maybe. There's also nothing to "implement" here. A proper FDE always requires external access. Always. There's no way around it. OpenBSD here remains transparent simply providing it. It already does it job well. > If the OP would otherwise be happy with an initramfs dropbear install on a > linux system, what you propose would be something of a sledgehammer to crack a > nut. One of you already very well explained dropbear or similar chop is an insecure half-measure, explaining the MITM possibly. Do you want a secure solution or do you want to talk yourself into cozy denial you're doing fine? > Besides, your solution also introduces new attack surfaces that were not there > before. Yes. There is one I can immediately think of, right now. 1) IPMI access on a dedicated can be logged, i.e. you don't know what happens at the other hand. But if dedicated and running off physical disks, after logging on via ssh proper after the boot you should change the main disk passkey, i.e. maybe 15 seconds after exposing it. Can't be helped. 2) No problems I can think of running collocated. Happy to read your thoughts. Love, PG
