On Tue, Feb 02, 2021 at 07:04:38AM +0000, tetrahe...@danwin1210.me wrote:
> Looking thru the manpages, I don't see any provision for adding AND / OR
> logic to keys (e.g require both passphrase AND keydisk to boot, require
> passphrase OR keydisk, etc) the way Linux cryptsetup provides, at least,
> OR-logic across multiple keyslots.
>
> (Having multiple keyslots on an encrypted volume has saved me a few times!)
>
> Is there anything like this in OpenBSD?

It is possible to add multiple key disk slices (type RAID) to the same disklabel. This way, a single USB stick could unlock multiple volumes.

The idea of protecting key disks with a passphrase (two-factor auth) has been raised before. It has not been implemented yet, simply because nobody has done the work. A search of the mailing list archives should yield some prior discussion.

I would also make use of this feature if it was available. I'd be happy to review and test relevant patches.