#6
28th October 2010
jggimi

Quote:
how can I (without blindly following tutorials and using BSD-based tools that I have no idea how it works/where to start) - put the OpenBSD install on a usb, encrypt the filesystem and make it bootable? (so systems like M$ windoze can't automatically mount it and @#$! the partition & make it unbootable (yes, every time I plug a bootable usb into a running windows machine, it somehow automagically kills it) (especially windows 7, I just hate how it automatically assumes the usb is not bootable and searches the entire drive for things like *.mp3)...
  1. Encryption does not equal protection. Encryption makes the information at rest on the storage device unreadable without decryption. That is all. It does not disable a "write" instruction. Any device can be written on unless it has a physical way to be made read-only.
  2. I understand Windows will scribble on devices if those devices have Windows-usable partitions. The obvious solution: don't keep NTFS or FAT partitions on your USB device. Problem solved.

A USB-attached mass storage device, on OpenBSD, attaches to the kernel as if it were a standard SCSI device. So ... if the platform can boot from the USB device, then a standard installation can be performed and the device treated as any other disk drive. It need not be "live media" at all. This is my recommendation for "USB Stick" installations. Live media, a read-only environment, is a completely needless complication.

As stated above, the entire drive cannot be encrypted. The kernel must come from an unencrypted partition, and the root partition must also be unencrypted. But structures that might contain "user data" of interest that are desired to remain private (such as /home and /var/tmp) can be mounted on encrypted partitions with two different built-in methods: softraid with the crypto discipline, or vnode encryption.

To repeat: encryption can provide only data privacy, not data protection.