Re: bioctl: one key for multiple disks
On Sun, Jan 07, 2024 at 12:40:18PM +0100, Stefan Kreutz wrote:
> You can indeed create multiple 1M RAID disklabel partitions per device

Yes, you can. And that may be the most appropriate solution in this case, and in cases where you have several machines each with one softraid crypto partition and want to store the key for each machine on one physical device.

But my understanding is that the OP wants to use the same encryption key for multiple softraid crypto partitions, not just the same physical device to hold multiple keys, which is what you are describing.

All of this, (and more), is _possible_ iff you understand in detail how the softraid crypto system works at a low level, and are comfortable manually hacking things to make it work. There are no tools, (in base), to do such manipulations of softraid volumes automatically.

Another solution, if you have a lot of softraid crypto volumes on the same machine, (e.g. many physical disks each with one such partition), is to use a key for the main one, (possibly the boot volume), and _passphrases_ for the rest of them. Those passphrases can then be stored in files on the encrypted volume that uses the key, and automatically attached as necessary once the first volume has been attached using the key.
Re: bioctl: one key for multiple disks
You can indeed create multiple 1M RAID disklabel partitions per device (typically a USB stick), one partition per key. I've been using this setup for years.

To save yourself some frustration, I suggest you back up the keydisks as described in the FAQ: https://www.openbsd.org/faq/faq14.html#softraidFDE

On Sun, Jan 07, 2024 at 11:15:25AM +0300, 4 wrote:
> how to use one key for multiple disks? i naively believed that since bioctl
> does not have any keys for this, then a key on the specified key's partition
> will be used, and if it is not there, a new one will be created, and deleting
> the key it is the responsibility of the user, but in practice there is
> nothing like this, the key is simply overwritten with a new one. i understand
> that logic and reason are not about obsd, but maybe there is some kind of
> hack to solve this problem?
> "- just create a new key's partition for each disk"
> "- oh, yeah! a brilliant solution. and very scalable!"
> but i'm not sure that even this can be done. i'm tired of restoring the
> router's state after unsuccessful experiments, i would like to use someone
> else's experience.
> i don’t know how the crypto partition works, i don’t know how to see what’s
> on it, but maybe it’s possible to place several keys on one partition if i
> can’t use one key for several disks? i don’t know.. there are dozens of
> theoretical ways for how to solve the problem of storing keys
>
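As an added example, not part of the thread and not OpenBSD's own tooling, the sh script below combines the two suggestions made in the replies above: it lays out N 1M RAID partitions on one keydisk (assumed to be sd1), attaches one softraid crypto volume per partition with bioctl -c C -k, and shows the bioctl -c C -p passfile form for the volumes that are instead unlocked from a passphrase file kept on the first, keydisk-unlocked volume. The device names (sd1, sd0a, sd3a), the passfile path and the backup image path are assumptions. It defaults to DRY_RUN=1, so it prints the disklabel(8) and bioctl(8) commands it would run; set DRY_RUN=0 as root to execute them.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD base.
# One keydisk (assumed sd1) with several 1M RAID partitions, one key per
# softraid crypto volume, plus the passphrase-file variant for volumes
# that do not get their own keydisk partition.
set -eu

# DRY_RUN=1 (default) prints privileged commands instead of running them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# disklabel(8) partitions are a..p; 'c' is the whole disk and is skipped,
# so one keydisk holds at most 15 key partitions (index 0..14).
part_letter() {
    i=$1
    if [ "$i" -lt 0 ] || [ "$i" -ge 15 ]; then
        echo "part_letter: index $i out of range (0-14)" >&2
        return 1
    fi
    set -- a b d e f g h i j k l m n o p
    shift "$i"
    echo "$1"
}

# Emit the disklabel -E editor input that creates $1 partitions of 1M,
# FS type RAID. Each "a <letter>" is answered with: offset (accept the
# default), size, FS type. Finishes with w (write) and q (quit).
keydisk_label_script() {
    n=$1
    i=0
    while [ "$i" -lt "$n" ]; do
        printf 'a %s\n\n1M\nRAID\n' "$(part_letter "$i")"
        i=$((i + 1))
    done
    printf 'w\nq\n'
}

# Write a fresh MBR and label on the keydisk. Destroys whatever was there,
# including any existing keys, so back up first (see backup_key_partition).
label_keydisk() {   # $1 = keydisk (e.g. sd1), $2 = number of key partitions
    run fdisk -iy "$1"
    if [ "$DRY_RUN" = 1 ]; then
        echo "disklabel -E $1 <<EOF"
        keydisk_label_script "$2"
        echo "EOF"
    else
        keydisk_label_script "$2" | disklabel -E "$1"
    fi
}

# Raw copy of one key partition (e.g. sd1a) to an image file.
backup_key_partition() {   # $1 = key partition, $2 = output image (assumed path)
    run dd "if=/dev/r$1" "of=$2" bs=8192
}

# Create (first time) or attach (later boots) a crypto volume whose key is
# on keydisk partition $1 and whose data chunk is $2. On creation bioctl
# writes a new key to $1, which is why pointing a second volume at the
# same key partition overwrites the first volume's key.
attach_with_keydisk() {
    run bioctl -c C -k "$1" -l "$2" softraid0
}

# Passphrase variant: $1 is a passfile kept on an already-attached
# encrypted volume (path is an assumption); keep it root-owned, mode 0600.
attach_with_passfile() {   # $1 = passfile, $2 = data chunk
    run bioctl -c C -p "$1" -l "$2" softraid0
}

# Usage: sh keydisk.sh <keydisk> <chunk> [<chunk>...]
# One key partition per chunk, then attach each chunk with its own key.
main() {
    keydisk=$1; shift
    label_keydisk "$keydisk" "$#"
    i=0
    for chunk in "$@"; do
        attach_with_keydisk "$keydisk$(part_letter "$i")" "$chunk"
        i=$((i + 1))
    done
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Running it as `sh keydisk.sh sd1 sd0a sd2a sd3a` prints the fdisk/disklabel steps for three 1M RAID partitions (sd1a, sd1b, sd1d) and the three bioctl lines that bind each chunk to its own key partition; that is the "one partition per key" layout from the reply above, and it avoids the behaviour the OP ran into, where reusing one key partition for a second volume simply replaces the key. For the passphrase scheme from the other reply, unlock the first volume with its keydisk partition, mount it, and then call attach_with_passfile for each remaining chunk with a passfile stored on that volume.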
bioctl: one key for multiple disks
How to use one key for multiple disks? I naively believed that, since bioctl does not have any keys for this, a key on the specified key partition would be used, and if it is not there, a new one would be created, and deleting the key would be the responsibility of the user, but in practice there is nothing like this: the key is simply overwritten with a new one. I understand that logic and reason are not about obsd, but maybe there is some kind of hack to solve this problem?
"- just create a new key partition for each disk"
"- oh, yeah! a brilliant solution. and very scalable!"
But I'm not sure that even this can be done. I'm tired of restoring the router's state after unsuccessful experiments; I would like to use someone else's experience. I don’t know how the crypto partition works, I don’t know how to see what’s on it, but maybe it’s possible to place several keys on one partition if I can’t use one key for several disks? I don’t know.. there are dozens of theoretical ways to solve the problem of storing keys.