Thanks, but I'm sorry, I don't think this is the way to go: it is far too long and repeats too many things verbatim from the password-based FDE section.
If we are going to include a keydisk-based softraid section in the FAQ, it should be very short and essentially only explain the few steps that are different from the password-based case: how do I set up a keydisk and perhaps show the bioctl command with its output.
Thanks for the feedback. I had a feeling you might say that. Here's a shorter version:
diff --git faq14.html faq14.html index 545083781..03a42e9d4 100644 --- faq14.html +++ faq14.html @@ -749,6 +749,30 @@ Which disk is the root disk? ('?' for details) [sd0] <b>sd1</b> You will be prompted for the passphrase on startup, but all other operations should be handled transparently. +<h4 id="softraidFDEkeydisk">Using a Keydisk</h4> + +As an alternative to using a passphrase, its possible to use a key stored on a +separate disk (i.e. a USB stick) to unlock your encrypted disk. To create a +"keydisk" first use fdisk on your keydisk device to make room for the boot +blocks, then create a small (i.e. 1 MB) RAID partition for the key data. + +When its time to encrypt your hard drive in the above example, use the -k +option to specify where to put the key data. If your keydisk is <tt>sd1</tt> +and the drive you want to encrypt is <tt>sd0</tt>, the output will look +something like this: + +<blockquote><pre> +# <b>bioctl -c C -k sd1a -l sd0a softraid0</b> +sd2 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 005> SCSI2 0/direct fixed +sd2: 19445MB, 512 bytes/sector, 39824607 sectors +softraid0: CRYPTO volume attached as sd2 +</pre></blockquote> + +You won't be prompted to enter a passphrase because you used a keydisk instead. +Make sure your keydisk is plugged in at startup, or you'll see error messages +and be unable to boot. If you lose your keydisk or it gets corrupted, you will +lose access to your encrypted disk. + <h3 id="softraidCrypto">Encrypting external disks</h3> This section explains how you might set up a cryptographic softraid volume
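Review bot: In the added <pre> block, the sd2 attach line contains a literal "<OPENBSD, SR CRYPTO, 005>". In HTML those angle brackets need to be written as &lt; and &gt;, otherwise the browser parses the vendor string as an unknown tag and it disappears from the rendered output. Two wording nits in the new paragraphs: "its possible" and "When its time" should both be "it's", and "i.e. a USB stick" and "i.e. 1 MB" are examples, so "e.g." is the right abbreviation. The prose names the disks sd1 and sd0 while the command uses sd1a and sd0a; a few words saying that these are the RAID partitions on each disk would connect the two. Finally, the closing paragraph says no passphrase is requested and that a lost or corrupted keydisk means losing the volume, so it would be worth stating outright that possession of the keydisk alone unlocks the disk, and recommending that the reader keep a backup copy of the key partition.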