On Thu, Feb 13, 2020 at 01:31:43PM +0100, no@s...@mgedv.net wrote:
Depends on what you want to achieve, but my recommendation is booting from USB and mounting the encrypted root from the HDD. You can safely remove the USB key after root mount, and all your configs/etc files are used from the encrypted storage. This ensures 2 things: bootloader + kernel on USB boot media cannot be attacked during system uptime and all bytes on disk are encrypted. Another advantage is, you don't need (to type, write down or remember) any passphrases but can use strong random data for crypto payload/keys.
How do you do this on OpenBSD?