Solene, Ken, thanks a lot for quick responses. Primarily I need to protect the laptop against losing/stealing it. Therefore FDE would be ideal, however I've read somewhere that FDE is not officially supported on OpenBSD. It would probably make sense to combine both - FDE and to have most sensitive data additionally encrypted using virtual block device (as I do not need to have these permanently mounted).
Jan

On Wed, Mar 22, 2017 at 6:11 PM, Ken <catatonicpr...@gmail.com> wrote:
> To expand on Solène's response. Keep in mind if you need to cover both
> scenarios for whatever your threat-model is... you can do both too.
>
> Another valuable result of FDE is that it helps ensure the integrity
> of your boot drive (presuming you're encrypting your boot volume). i.e.
> prevents attacks like the sysadmin sticky-keys "attack" on windows
> boxes. So someone can't just boot and mount the partition and modify
> your shadow file to add a new root user or other backdoor. Good for
> scenarios where physical access isn't necessarily controlled by the
> 3Gs (guards, gates, guns).
>
> In my experience, setting up FDE with OpenBSD has been very easy with
> just a couple of calls to bioctl to set it up. Pretty much seamless if
> you have a quick tutorial on it.
>
> Don't lose your passphrases/keys, and have fun!
>
> On Wed, Mar 22, 2017 at 9:38 AM, Solène Rapenne <sol...@perso.pw> wrote:
> > On 2017-03-22 17:28, Jan Betlach wrote:
> >>
> >> Hi misc,
> >>
> >> planning to install -current on my Thinkpad T450s (SSD).
> >>
> >> I need to have several data directories encrypted, however would not mind
> >> whole-disk encryption. Which method would be more supported / recommended?
> >> Whole-disk encryption or creating a container file, loop device and then
> >> virtual device with the encryption layer on it?
> >>
> >> Thanks in advance
> >>
> >> Jan
> >
> > Hello Jan,
> >
> > That would depend on your need, do you want to protect against someone
> > who would steal your computer, or against some malicious software
> > running under your system to read your data ?
> >
> > In the first case, you should go with FDE (full disk encryption), your
> > data would be available only after you type the password at boot.
> >
> > In the second case, you should use some kind of encrypted volume that
> > would be available only when you need to. I think that's possible to
> > create an encrypted ffs volume contained into a file, that you can
> > mount when you need.
> >
> > Regards
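The container-file approach Solène describes, and the couple of bioctl calls Ken mentions, as an added script that is not from anyone in this thread: it drives OpenBSD's vnconfig(8), fdisk(8), disklabel(8) and bioctl(8); the container path, mount point and vnd unit are assumed names, the commands need root on OpenBSD, and DRY_RUN=1 prints them instead of executing them so the sequence can be reviewed first.

```shell
#!/bin/sh
# Encrypted container file on OpenBSD: vnconfig(8) exposes the file as a vnd
# disk and bioctl(8) attaches a softraid CRYPTO volume on its RAID partition.
# IMG, MNT and VND are assumed names for this example, not from the thread.
# DRY_RUN=1 prints the privileged commands instead of executing them.
set -eu
IMG=${IMG:-/home/jan/secret.img}
MNT=${MNT:-/home/jan/secret}
VND=${VND:-vnd0}
DRY_RUN=${DRY_RUN:-0}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
# $1 = hw.disknames before attach, $2 = after; prints the sdN that appeared
# (a softraid volume always shows up as a new sd disk).
new_disk() {
  echo "$2" | tr ',' '\n' | cut -d: -f1 | while read -r d; do
    case "$d" in sd[0-9]*) case ",$1," in *",$d:"*) ;; *) echo "$d" ;; esac ;; esac
  done
}
# $1 = output of mount(8), $2 = mount point; prints the sdN mounted there.
disk_of_mount() { echo "$1" | sed -n "s|^/dev/\(sd[0-9]*\)a on $2 .*|\1|p"; }

unlock() {  # attach the crypto volume on the vnd's RAID partition, set $sd
  before=$(run sysctl -n hw.disknames)
  run bioctl -c C -l "/dev/${VND}a" softraid0   # prompts for the passphrase
  sd=$(new_disk "$before" "$(run sysctl -n hw.disknames)")
  sd=${sd:-sdN}                                 # sdN is a dry-run placeholder
}
create() {  # one-time: random-filled 1 GiB file, RAID label, crypto volume, ffs
  run dd if=/dev/urandom of="$IMG" bs=1m count=1024
  run chmod 600 "$IMG"
  run vnconfig "$VND" "$IMG"
  run fdisk -iy "$VND"
  # disklabel -E: add partition a, default offset/size, FS type RAID, write, quit
  printf 'a a\n\n\nRAID\nw\nq\n' | run disklabel -E "$VND"
  unlock
  run fdisk -iy "$sd"
  printf 'a a\n\n\n\nw\nq\n' | run disklabel -E "$sd"   # partition a, default 4.2BSD
  run newfs "/dev/r${sd}a"
  run bioctl -d "$sd"; run vnconfig -u "$VND"
}
attach() {  # unlock and mount only while the data is needed
  run vnconfig "$VND" "$IMG"; unlock
  run mount -o nodev,nosuid "/dev/${sd}a" "$MNT"
}
detach() {  # unmount, detach the crypto volume, release the vnd
  sd=$(disk_of_mount "$(run mount)" "$MNT")
  run umount "$MNT"; run bioctl -d "${sd:-sdN}"; run vnconfig -u "$VND"
}
case "${1:-}" in create) create ;; attach) attach ;; detach) detach ;; esac
```

Run it once with `create`, then `attach` before working with the data and `detach` afterwards; the passphrase is the only thing that unlocks the volume, so losing it loses the data.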