Hello, 

min...@obiit.org (frantisek holop), 2018.03.04 (Sun) 22:59 (CET):
> macOS has this rather user friendly operating mode
> where one is able to set the volume's FileVault
> (apple's full disk encryption) password to be the same
> as their user password and the password is asked only
> once.  after bootup i get a login screen, enter my
> password, and voila, i am both logged in, and can
> access the encrypted volume.  this works with a boot
> volume as well.
> 
> i would like to achieve something similar on OpenBSD
> but in a bit simpler setup.  my softraid crypto volume
> is just a "data" mount under my home, the system and /home
> are not encrypted.  this setup came to be partly
> because it's a pain in the ass to always mount the
> encrypted folder after logging in, so i left some
> common stuff unencrypted (yes, i know, keydisks...).
> 
> but it would be nice to have a fully encrypted /home
> that gets mounted when i enter my user password at the
> login screen, i don't mind leaving the system unencrypted...
> 
> any ideas how to achieve this?  some nice post auth
> hooks?  in some ways it's a bit like authpf...

This doesn't achieve what you want the way you want it, but it lets me
have my $HOME on softraid(4) crypt without Full Disk Encryption (FDE).

I have a local change to ttys(5) to let me unlock my softraid(4) crypt
devices before xenodm(1) log in:

$ grep ^ttyC5 /etc/ttys
ttyC5   "/etc/ttymenu.getty"            vt220   on  secure

$ cat /etc/ttymenu.getty 
#!/bin/sh -e
TERM=vt220 /etc/ttymenu < /dev/$1 > /dev/$1

/etc/ttymenu asks me for the password and passes it to bioctl(8).

After the softraid(4) volume is attached it's mounted via hotplug(8).

I recommend a small (1GB in my case) softraid volume for your $HOME, to
have it fsck(8)ed quickly and get access to your $HOME fast after
unclean shutdowns. Then have another, big softraid volume for your
$BIGDATA which takes longer being fsck(8)ed but isn't necessary for
log in.

Marcus
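
One way the /etc/ttymenu step described above could look, as an added example that is not the script from the post. It assumes the passphrase reaches bioctl(8) through its -s option on the tty's stdin; CHUNK (/dev/sd1a here) is a placeholder for the chunk device, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added sketch of a ttymenu-style unlock helper; not the script from the post.
# Assumptions: CHUNK is a placeholder for the RAID partition holding the
# crypto volume, and stdin/stdout are the tty (as the getty wrapper sets up).
CHUNK=${CHUNK:-/dev/sd1a}
BIOCTL=${BIOCTL:-/sbin/bioctl}   # overridable so the logic can run against a stub
TRIES=3
ATTEMPTS=0

# Attach one crypto chunk. bioctl -s reads the passphrase from stdin, so it
# never sits in a shell variable or in argv, where ps(1) would expose it.
unlock() {
    printf 'Passphrase for %s: ' "$1"
    if [ -t 0 ]; then
        trap 'stty echo' EXIT INT TERM   # restore echo even if interrupted
        stty -echo
    fi
    rc=0
    "$BIOCTL" -s -c C -l "$1" softraid0 || rc=$?
    if [ -t 0 ]; then
        stty echo
        trap - EXIT INT TERM
    fi
    printf '\n'
    return "$rc"
}

# Allow a bounded number of attempts; init(8) restarts the program on exit.
unlock_with_retries() {
    ATTEMPTS=0
    while [ "$ATTEMPTS" -lt "$TRIES" ]; do
        ATTEMPTS=$((ATTEMPTS + 1))
        if unlock "$1"; then
            echo "attached after $ATTEMPTS attempt(s)"
            return 0
        fi
        echo "attach failed ($ATTEMPTS/$TRIES)"
    done
    return 1
}

# Run only when installed as ttymenu, so the functions can also be sourced.
case $0 in
*/ttymenu) unlock_with_retries "$CHUNK" ;;
esac
```

Mounting is left out on purpose: in the setup described above, hotplug(8) mounts the volume once it attaches.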
