On Wed, Feb 10, 2021 at 01:00:33PM +0000, Frank Beuth wrote:
> On Tue, Feb 02, 2021 at 10:50:39PM +0100, Stefan Sperling wrote:
> > The idea of protecting key disks with a passphrase (two-factor auth) has
> > been raised before. It has not been implemented yet, simply because nobody
> > has done the work. A search of the mailing list archives should yield
> > some prior discussion.
> 
> How about backup keys, so I can have a backup passphrase stored somewhere
> safely that works even if I lose my keydisk?

Well, even if two-factor auth were already available, if you lose
the key disk then you should also lose access to the encrypted data.
Otherwise it's not two-factor auth. A scheme where either a passphrase
or a key disk could be used to unlock the volume would be redundant and
even dangerously confusing for users who expect actual two-factor auth.

The current way to back up a keydisk is by saving an image with dd and
storing this somewhere securely. This image can be very small since only
the key disk's RAID disklabel slice needs to be copied, not the entire
physical key disk. See the FAQ entry "Using a Keydisk" here:
https://www.openbsd.org/faq/faq14.html#softraid
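
Added example, not code from the thread or from the OpenBSD project: the dd-based backup of the key disk's RAID slice described above, wrapped in two POSIX shell functions that also record and check a digest of the image. Device paths such as /dev/rsd1a and the image file names are assumptions, and the refusal of names ending in "c" relies on OpenBSD's convention that partition c spans the whole disk.

```shell
# Print a SHA-256 digest with whichever tool the host provides
# (OpenBSD ships sha256(1); most Linux systems ship sha256sum).
_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# backup_keydisk_slice DEVICE IMAGE
# Copies the RAID slice (assumed e.g. /dev/rsd1a) to IMAGE and stores its
# digest in IMAGE.sha256 so the backup can be checked long before it is needed.
# On OpenBSD partition "c" is the whole disk, which is more than the FAQ says
# to copy, so a device name ending in "c" is refused (a simplistic check).
backup_keydisk_slice() {
    dev=$1; out=$2
    case "$dev" in
        *c) echo "refusing '$dev': looks like the whole-disk partition" >&2; return 1 ;;
    esac
    [ -r "$dev" ] || { echo "cannot read $dev" >&2; return 1; }
    # umask 077: the image unlocks the volume, so keep it owner-readable only
    ( umask 077 && dd if="$dev" of="$out" bs=64k ) || return 1
    _digest "$out" > "$out.sha256"
}

# verify_keydisk_image IMAGE
# Succeeds only if IMAGE still matches the digest recorded at backup time.
verify_keydisk_image() {
    img=$1
    [ -f "$img" ] && [ -f "$img.sha256" ] || return 1
    [ "$(_digest "$img")" = "$(cat "$img.sha256")" ]
}

# Restoring is the same copy in reverse, after the image has been verified:
#   verify_keydisk_image keydisk.img && dd if=keydisk.img of=/dev/rsd1a bs=64k
```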
