Brad Tilley wrote:
I wrote some notes on how I normally encrypt /home on OpenBSD laptops.
I was hoping misc could read it and bash it around some. I'd like to
know if I'm doing something wrong. No jokes about Beck's ass please :)
http://16systems.com/openbsd_laptop_encryption.txt
Thanks,
Brad

don't bother encrypting just /home, do everything except the root partition.
you can do this using softraid crypto as follows:
- dump your existing partitions to another disk connected to the machine
e.g. a usb drive
- wipe the original disk
- do a fresh install from a recent i386 or amd64 snapshot and break to
shell instead of following the usual install option
- follow the content of the softraid manpage to set up an encrypted disk,
using fdisk and disklabel to prepare the disk yourself i.e. (assumes
base disk name is sd0) fdisk -iy sd0, disklabel -E sd0, make a smallish
100-150 MB 4.4BSD partition for root and the rest of the disk set as a
single partition of type RAID e.g. /dev/sd0a is root and /dev/sd0b is
softraid, write disklabel, bioctl -c C -r 32768 -l /dev/sd0b softraid0,
enter passphrase, and now you've got a second disk according to bsd.rd,
sd1. not sure if you need to partition sd1 in the shell or in the
installation script, you can figure it out
- before rebooting make sure that your /etc/fstab lists the crypto
partitions (everything except root) as being on sd1
- when you reboot, the boot process will 'fail' and dump you to shell
since sd1 is not unlocked as part of the boot process
- at a shell do the following to get your disk rollin: bioctl -c C -l
/dev/sd0b softraid0, enter passphrase, issue 'fsck -fp && exit' if you
had a dirty shutdown otherwise just type exit
- normal boot resumes and you've got your machine running with
everything but root encrypted
do note that i used tedu's suggestion of increasing the round count when
making the crypto partition above. the steps listed above are almost
complete but should be ***tested on a spare disk before doing this with
a production system***.
cheers,
jake
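The fstab step in jake's recipe (every partition except root must point at the softraid volume, sd1, before the reboot) is easy to get wrong by hand. The following POSIX sh helper is an added example, not code from the thread: it rewrites an installer-written fstab so that non-root entries on the bare disk move to the crypto disk, and checks the result. It assumes the partition letters on sd1 match those the installer used on sd0, and the sample fstab is constructed.

```shell
#!/bin/sh
# Added example: move all non-root fstab entries from the bare disk (sd0)
# to the softraid crypto volume (sd1) and verify nothing but root is left
# on the bare disk. Assumes the same partition letters on both disks.

# Constructed sample fstab, as an installer might write it against sd0.
SAMPLE_FSTAB='# constructed sample
/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr ffs rw,nodev 1 2
/dev/sd0e /home ffs rw,nodev,nosuid 1 2
/dev/sd1b none swap sw 0 0'

# Usage: move_to_crypto <base disk> <crypto disk> <fstab text>
# Rewrites /dev/<base><letter> to /dev/<crypto><letter> for every
# mount except "/"; comments and blank lines pass through unchanged.
move_to_crypto() {
    printf '%s\n' "$3" | awk -v base="$1" -v crypto="$2" '
        NF == 0 || $1 ~ /^#/ { print; next }
        $2 != "/" && $1 ~ ("^/dev/" base "[a-p]$") {
            sub("^/dev/" base, "/dev/" crypto, $1)
        }
        { print }'
}

# Usage: check_fstab <base disk> <fstab text>
# Prints each offending line and returns 1 if any non-root filesystem
# still lives on the bare disk, or if root is not on <base>a.
check_fstab() {
    printf '%s\n' "$2" | awk -v base="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        $2 != "/" && $1 ~ ("^/dev/" base "[a-p]$") {
            print "still on " base ": " $0; bad = 1
        }
        $2 == "/" && $1 != "/dev/" base "a" {
            print "root not on " base "a: " $0; bad = 1
        }
        END { exit bad }'
}

# Demonstration on the constructed sample (harmless to run repeatedly).
move_to_crypto sd0 sd1 "$SAMPLE_FSTAB"
```

On a real machine you would run it against /etc/fstab from the bsd.rd shell and compare the output before writing it back.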