On Tue, Dec 22, 2015 at 08:35:39PM +0000, Tati Chevron wrote:
> So the average person installing OpenBSD with, 'full disk encryption',
> is gaining virtually nothing by doing that, that they couldn't do by
> installing the system on an unencrypted partition and using a softraid
> volume for their own data storage, and maybe configuration and log files.

OK, this isn't quite true.

Consider, for example, a machine which is physically insecure for some
period of time (e.g. laptop left in a hotel room).  If you later gain
control of it again, and you suspect that the bootloader had been
compromised, as long as you make sure that you boot from a known clean
boot device before unlocking the crypto volume holding the root FS, then
you can be fairly confident that the contents of that filesystem hadn't
been modified, (well, they may have been modified by scribbling random
data over the partition, but not modified in any meaningful way).

But I still maintain that putting an option in the installer to create
softraid crypto volumes automatically just dumbs down OpenBSD
unnecessarily, and encourages people to be lazy instead of learning how
to use the system to its full potential.

--
Tati Chevron
Perl and FORTRAN specialist.
SWABSIT development and migration department.
http://www.swabsit.com
