Physical access is physical access. There is nothing to stop someone with it from doing whatever they want. e.g.: copying your read-only data somewhere else and modifying it. In that case, the only way to prevent access to encrypted data is to NOT leave the keys in unencrypted media.
The purpose of making a filesystem read-only is to prevent changes to it in the event someone is able to acquire superuser power remotely. This can be as simple as using a read only device, or setting the schg flag on all files in the filesystem.
If you don't trust those with physical access, either place your hardware in a trusted environment, or don't use OpenBSD.
|