Partitioning, layout and encryption (w passfile)
I'm sitting here planning my install, at least the partitioning layout. And I'm trying to get my head around a few things.
The plan is to use 2 disks. I have 2x 120GB available. First thought was to put them in a RAID and then CRYPT that one. I've seen a couple of examples/guides doing that, but the official documentation says it's not supported. I'll go with the FAQ.

So, 2 disks, both encrypted: 1 with the system (2 partitions: 1 small + 1 w all partitions) - the other one just mounted on it (2 partitions: /altroot + 1 big), and I can make a script to rsync my backups instead. I guess disk#2 can be decrypted and mounted in an rc-file using the: -p passfile. Something like:

    # disk#1
    a: /          # 123m (just to match disk#2)
    d: /          # 123m
       /the/other
       /partitions
    # disk#2
    a: /altroot   # 123m
    d: /          # mounted on disk#1
    // 123m is just for the example

- - -

The other thing is, the passfile. I've really tried to search/find guides and examples around, but only found 2. To unlock disk#2, I can put the passfile in: /root/foo/disk2.pfile. But how to unlock disk#1… Can I use the passfile option for that one as well? Is the system able to read a passfile on boot inside the crypted partition (ie probing function), or does it need to sit on an uncrypted partition? Or how can I get disk#1 to unlock on boot, without typing or keydisk?

The idea is to use the server either as a mailserver @home, or as a backup server @neighbour (or another location). A keydisk doesn't feel like an option. I want to have a solution that can handle both disks, but neither the FAQ nor the bioctl(8) are using that in any examples. What's the preferred way to manage/reboot a server remotely (ssh)? Any ideas?

- - -

> “It's currently only possible to boot from RAID1 and crypto volumes on i386, amd64 and sparc64.” — faq14.html#softraid

Perhaps I can't use FDE using my old Mac G4 (macppc)? Then, what's the minimum I need unencrypted?

Sorry if I've mixed up or missed anything. Please correct me if so.
__________________
[frice@...] ~$
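The rc-file approach the post describes for disk#2, as an added example that is not part of the original post: it checks the passfile against the ownership and mode that bioctl(8) requires for `-p`, then attaches and mounts the volume. The chunk `sd1d`, the mount point `/data`, its `noauto` fstab entry and the script path are assumptions; note that disk#2 is then only as protected as the disk holding the passfile.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: chunk sd1d, mount
# point /data (with a "noauto" line in /etc/fstab). The passfile path is
# the one given in the post.
PASSFILE=${PASSFILE:-/root/foo/disk2.pfile}
CHUNK=${CHUNK:-sd1d}
MOUNTPOINT=${MOUNTPOINT:-/data}

# bioctl(8) requires the passfile to be owned by root with mode 0600.
# Checking first gives a clear boot-time message when that is not the case.
# $1 = file, $2 = expected owner uid (defaults to 0, i.e. root).
passfile_ok() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] || { echo "passfile missing: $f" >&2; return 1; }
    # ls -ln prints: mode, link count, numeric uid, ...
    set -- $(ls -ln "$f")
    case $1 in
        -rw-------*) ;;
        *) echo "passfile mode is $1, want -rw-------: $f" >&2; return 1 ;;
    esac
    [ "$3" = "$want_uid" ] || { echo "passfile owner uid is $3: $f" >&2; return 1; }
}

# Attach the CRYPTO volume non-interactively, then mount it.
unlock_disk2() {
    passfile_ok "$PASSFILE" || return 1
    bioctl -c C -l "$CHUNK" -p "$PASSFILE" softraid0 || return 1
    mount "$MOUNTPOINT"
}

# From /etc/rc.local: sh /root/unlock-disk2.sh run   (script path assumed)
if [ "${1:-}" = "run" ]; then
    unlock_disk2
fi
```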
What's the point of disk encryption, if all the keys for decryption are stored on the disk unencrypted? Sounds like a waste of time.
Thanks for your replies…
But then, that thing about what systems/platforms can('t) unlock. If macppc can't do it - a semi-encrypted system would be able to reboot normally? And I can unlock the rest manually from my ssh connection? And there are no other remote solutions? Like GNU/Linux are using dropbear, tinyssh etc. (Here's a Debian example.) Best thing would be if there were like a “cryptreboot”, which asked for the password before reboot instead of when booting.
__________________
[frice@...] ~$
I can think about a few use cases where it can be useful if somebody stores it on a pendrive.
1. Somebody steals your laptop. You don't want to disclose your secrets to this person. The thief probably would not bother to steal the pendrive, so your data is safe from disclosure.
2. You are crossing the border. The border agent wants your password to the encrypted partition. You don't want to disclose information. If your secret is a passphrase, you can give it to them, but you won't. If your secret is on a pendrive stored somewhere else (i.e. your lawyer has it), you can't give it to the border agent. You have a higher probability of success to make it through the border when you can't provide this secret compared to when you can but just don't want to.
__________________
Signature: Furthermore, I consider that systemd must be destroyed. Based on Latin oratorical phrase
Last edited by e1-531g; 19th March 2017 at 07:46 PM. Reason: I didn't understand that keys would be on the same disc, so I edited answer.
“… all its cells will be marked as empty …” Some Rescuedisks have that feature bundled. Also saw this guide about over-provisioning. But a reset should do it just to null the blocks/cells.
__________________
[frice@...] ~$
When looking at encryption for protecting privacy, consider two types of data:
Last edited by jggimi; 19th March 2017 at 10:44 PM. Reason: typo
http://spritesmods.com/?art=hddhack&page=7
Zeroing out (or doing "factory reset") should be enough if data is not so sensitive, but if you want to be sure just do this: Backblaze: How to securely recycle or dispose of your SSD
__________________
Signature: Furthermore, I consider that systemd must be destroyed. Based on Latin oratorical phrase
Last edited by e1-531g; 20th March 2017 at 10:47 AM. Reason: added note and link about hdd
https://phantomno.de/cryptreboot
It asks for a passphrase and reboots the system afterward, automatically unlocking the drive on startup using in-memory initramfs patching and kexec. Without explicit consent, no secrets are stored on disk, even temporarily. Cryptreboot currently supports Debian-based Linux distributions, but if OpenBSD implements a mechanism similar to kexec, then I believe it could be ported.
A side note: I found this post while searching for "cryptreboot" on Google, sometime after releasing the tool. I think it's awesome that you envisioned both the behavior and name of this tool over 6 years ago!