On Sat, Jun 15, 2024 at 09:01:51AM +0000, lafermedesanim...@posteo.net wrote:
> I have a dual boot Devuan/OpenBSD, I wrote random data on my
> drive and then installed the OSes, both are encrypted.
> Now, I want to remove this dual boot to have only OpenBSD
> and use it as a daily driver.
> My plan for this is to boot a GNU/Linux live usb, erase LUKS keys
> with cryptsetup command, use the wipefs command to erase LUKS
> header and reinstall OpenBSD with full disk encryption.
> Is it secure enough? Do I need to do something with OpenBSD
> encrypted data as I have to with the LUKS keys/header on GNU/Linux?

If I understand your question correctly, you are trying to ensure that the encryption key for your existing OpenBSD installation is specifically destroyed before re-using the disk, to protect against the possibility that somebody with access to the disk could use that key to decrypt the softraid crypto partition before the encrypted data has been overwritten simply due to regular usage of the disk after re-installation.

There is no specific tool in the OpenBSD base system to do this. However the key material for an OpenBSD softraid crypto partition is stored along with the other softraid metadata at the beginning of the partition, so it can quickly and easily be overwritten using dd to write random data to the first megabyte or so.
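
The dd overwrite described in the reply, as an added example that is not part of the original message: a POSIX sh function that overwrites the first MiB of a target with random data and confirms the write by reading the region back. The function names and the sample image are constructed for illustration; on a real disk the target would be the device node of the softraid partition, which the message does not name.

```shell
#!/bin/sh
# Added example (not from the original message).
# wipe_head TARGET [MIB]: overwrite the first MIB mebibytes of TARGET with
# random data, then read the region back and compare it with what was written.
# TARGET is a placeholder: a device node on a real system, an image file here.

wipe_head() {
    target=$1
    mib=${2:-1}                       # "the first megabyte or so"
    [ -e "$target" ] || { echo "no such target: $target" >&2; return 2; }

    rnd=$(mktemp) || return 2         # random fill (not sensitive)
    back=$(mktemp) || { rm -f "$rnd"; return 2; }

    # Generate the fill once so the same bytes can be compared afterwards.
    # bs is given in bytes because dd size suffixes differ between systems.
    dd if=/dev/urandom of="$rnd" bs=1048576 count="$mib" 2>/dev/null ||
        { rm -f "$rnd" "$back"; return 1; }

    # conv=notrunc keeps the rest of a regular image file intact;
    # on a device node it has no effect.
    dd if="$rnd" of="$target" bs=1048576 count="$mib" conv=notrunc 2>/dev/null ||
        { rm -f "$rnd" "$back"; return 1; }
    sync

    # Read back the overwritten region and compare with the fill.
    dd if="$target" of="$back" bs=1048576 count="$mib" 2>/dev/null
    cmp -s "$rnd" "$back"
    rc=$?
    rm -f "$rnd" "$back"
    return $rc                        # 0 only if the read-back matches
}

# Constructed sample input: a 2 MiB image whose first bytes stand in for
# the metadata stored at the beginning of the partition.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=1048576 count=2 2>/dev/null
    printf 'CONSTRUCTED-KEY-METADATA' | dd of="$1" conv=notrunc 2>/dev/null
}
```

Try it on an image built with `make_sample_image` before pointing it at a device; a non-zero return means the read-back did not match the data written.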