One thing to note with FDE: power the system down completely whenever the
system is unattended. If someone steals it while it's powered on or
suspended, the disk is completely accessible to the system without a
password. There are a number of plausible attacks even if you are logged
off or have a screen lock.

I don't know that FDE isn't supported. I've been using it for years exactly
as outlined in the FAQ. Obviously, no one can help you if you lose your
password.

On Mar 22, 2017 12:19 PM, "Jan Betlach" <jbetl...@gmail.com> wrote:

> Solene, Ken,
>
> thanks a lot for quick responses. Primarily I need to protect the laptop
> against losing/stealing it. Therefore FDE would be ideal, however I've read
> somewhere that FDE is not officially supported on OpenBSD.
> It would probably make sense to combine both - FDE and to have most
> sensitive data additionally encrypted using virtual block device (as I do
> not need to have these permanently mounted).
>
> Jan
>
>
> On Wed, Mar 22, 2017 at 6:11 PM, Ken <catatonicpr...@gmail.com> wrote:
>
> > To expand on Solène's response. Keep in mind if you need to cover both
> > scenarios for whatever your threat-model is... you can do both too.
> >
> > Another valuable result of FDE is that it helps ensure the integrity
> > of your boot drive (presuming you're encrypting your boot volume). I.e.
> > prevents attacks like the sysadmin sticky-keys "attack" on Windows
> > boxes. So someone can't just boot and mount the partition and modify
> > your shadow file to add a new root user or other backdoor. Good for
> > scenarios where physical access isn't necessarily controlled by the
> > 3Gs (guards, gates, guns).
> >
> > In my experience, setting up FDE with OpenBSD has been very easy with
> > just a couple of calls to bioctl to set it up. Pretty much seamless if
> > you have a quick tutorial on it.
> >
> > Don't lose your passphrases/keys, and have fun!
> >
> > On Wed, Mar 22, 2017 at 9:38 AM, Solène Rapenne <sol...@perso.pw> wrote:
> > > On 2017-03-22 17:28, Jan Betlach wrote:
> > >>
> > >> Hi misc,
> > >>
> > >> planning to install -current on my Thinkpad T450s (SSD).
> > >>
> > >> I need to have several data directories encrypted, however would not
> > >> mind whole-disk encryption. Which method would be more supported /
> > >> recommended? Whole-disk encryption or creating a container file, loop
> > >> device and virtual device with the encryption layer on it?
> > >>
> > >> Thanks in advance
> > >>
> > >> Jan
> > >
> > >
> > > Hello Jan,
> > >
> > > That would depend on your need, do you want to protect against someone
> > > who would steal your computer, or against some malicious software
> > > running under your system to read your data?
> > >
> > > In the first case, you should go with FDE (full disk encryption), your
> > > data would be available only after you type the password at boot.
> > >
> > > In the second case, you should use some kind of encrypted volume that
> > > would be available only when you need to. I think that's possible to
> > > create an encrypted ffs volume contained into a file, that you can
> > > mount when you need.
> > >
> > > Regards
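The container approach Solène and Ken describe (an encrypted ffs volume in a file, attached with vnconfig and a couple of bioctl calls) as an added script; it is not code from the thread or from the OpenBSD project. It assumes an OpenBSD system with softraid crypto, treats the image path, mount point and vnd unit as placeholders, and assumes the `disklabel -E` prompts appear in the order scripted below. Because the kernel's "volume attached as sdN" message goes to the console rather than to the script, the newly attached disk is found by comparing `hw.disknames` before and after `bioctl -c C`.

```sh
#!/bin/sh
# Added example (not from the thread or from OpenBSD): an encrypted "vault"
# kept in an image file and attached only while it is needed, using
# vnconfig(8) + bioctl(8) softraid crypto. Paths and the vnd unit are
# placeholders; override them through the environment.
set -eu

VAULT_IMG="${VAULT_IMG:-/home/jan/vault.img}"   # placeholder image path
VAULT_MNT="${VAULT_MNT:-/mnt/vault}"            # placeholder mount point
VND="${VND:-vnd0}"                              # vnode disk unit to use
VAULT_SIZE_MB="${VAULT_SIZE_MB:-1024}"
STATE=/var/run/vault.sd                         # remembers which sdN we attached

# Name of the disk present in hw.disknames $2 (after) but not in $1 (before).
# hw.disknames reads like "sd0:duid,sd1:duid,vnd0:"; the duids are stripped so
# the freshly attached softraid volume can be located without relying on
# console messages. Returns 1 if nothing new appeared.
new_disk() {
    nd_before=",$(printf '%s' "$1" | sed 's/:[^,]*//g'),"
    nd_after=$(printf '%s' "$2" | sed 's/:[^,]*//g' | tr ',' ' ')
    for nd in $nd_after; do
        case "$nd_before" in
            *",$nd,"*) ;;                    # was already there
            *) printf '%s\n' "$nd"; return 0 ;;
        esac
    done
    return 1
}

# Unlock the crypto volume on the vnd's RAID partition (the vnd must already be
# configured) and print the sdN softraid assigned. bioctl prompts for the passphrase.
unlock_vault() {
    uv_before=$(sysctl -n hw.disknames)
    bioctl -c C -l "/dev/${VND}a" softraid0 >&2
    new_disk "$uv_before" "$(sysctl -n hw.disknames)"
}

# One-time creation: random-filled image, one RAID partition on the vnd, the
# crypto volume on top of it, then a 4.2BSD partition and filesystem inside.
vault_create() {
    dd if=/dev/urandom of="$VAULT_IMG" bs=1m count="$VAULT_SIZE_MB"
    chmod 600 "$VAULT_IMG"
    vnconfig "$VND" "$VAULT_IMG"
    fdisk -iy "$VND"
    # Scripted answers to disklabel -E: add 'a', default offset and size, type RAID.
    printf 'a a\n\n\nRAID\nw\nq\n' | disklabel -E "$VND"
    sd=$(unlock_vault)
    dd if=/dev/zero of="/dev/r${sd}c" bs=1m count=1   # clear leftover random data
    fdisk -iy "$sd"
    printf 'a a\n\n\n4.2BSD\nw\nq\n' | disklabel -E "$sd"
    newfs "/dev/r${sd}a"
    bioctl -d "$sd"
    vnconfig -u "$VND"
}

vault_attach() {
    vnconfig "$VND" "$VAULT_IMG"
    sd=$(unlock_vault)
    mount "/dev/${sd}a" "$VAULT_MNT"
    printf '%s\n' "$sd" > "$STATE"
}

# Detaching drops the volume key from the kernel; do it before suspend or shutdown.
vault_detach() {
    umount "$VAULT_MNT"
    bioctl -d "$(cat "$STATE")"
    vnconfig -u "$VND"
    rm -f "$STATE"
}

case "${1:-}" in
    create) vault_create ;;
    attach) vault_attach ;;
    detach) vault_detach ;;
    "")     ;;   # no verb: only define the functions (e.g. when sourced)
    *) echo "usage: $0 create|attach|detach" >&2; exit 2 ;;
esac
```

Run `create` once as root, then `attach` and `detach` around use. Detaching before walking away or suspending follows the first reply's point: while the volume is attached, the system holds its key and needs no passphrase to read it.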
