Hello,

I successfully (I think) installed a new OpenBSD system today with full
disk encryption and keydrive unlocking. Unfortunately, I had to piece
together the steps from several sources because I don't think the entry
at https://www.openbsd.org/faq/faq14.html#softraidFDE is quite explicit
enough.

This is what I did:
- entered the shell at some point before selecting the keydrive
- found the right device name through searching dmesg (it was sd2)
- cd /dev; sh MAKEDEV sd2 (it took me a while to figure out why the
  device node wasn't there to begin with)
- fdisk -g sd2
- disklabel -E sd2 -> a a; offset: <default>; size: 1m; FS type: RAID;
  w; q

After this, the automatic setup of the keydrive in the installer worked,
but I'm still not 100% convinced I did it "right."

Now that I know the process, I can mostly reverse engineer the meaning
of the pieces in the FAQ:
- "use disklabel(8) to create a 1 MB RAID partition for the key
  data" -> FS type in disklabel is RAID (but the built-in help in
  disklabel only offers "4.2BSD" and "swap" as examples)
- "initialize the keydisk with fdisk(8)" -> fair enough, but an exact
  command would've saved some time

Next, I thought it would be good to back up my key material, and
thankfully there is an example command to do so. However, the
restoration worries me a bit. The example restoration command appears to
have an already-configured device ready, which wouldn't be the case if I
were starting from a fresh keydrive after something dramatic had
happened to my previous one.

I imagine the restore process would look a bit like this:
- fdisk -g sd2
- disklabel -E sd2 -> a a; ...; size: 1m; FS type: RAID; ...
- ??? do I need to do some initialization with bioctl(8)?
- finally, restore with the given dd command to the newly prepared
  partition

Is this correct? What exactly would be the proper command for the third
step? (I know I could trial-and-error test this with another USB drive
right now, but it's late and I figured I would include the question in
my mail instead of waiting another day to send this.)

I would love to hear the correct answers to my questions here, and would
love even more if the FAQ could be expanded to make my pain points
clearer. Assuming I have the proper process, I would be happy to
contribute to expanding the FAQ (it would be my first contribution to
OpenBSD, so I would also appreciate any guidance on that front).

Thanks,
Scott
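The backup and restore the mail discusses are plain dd copies of the raw key partition, and the step most worth adding is a check that the image actually matches the device before you depend on it. The script below is an added example and is not from the mail or from the OpenBSD FAQ; it assumes the raw key partition is passed in as a path (on OpenBSD that would be the FAQ's /dev/rsd2a, and a partition of the same size must already exist before restoring), and it uses a constructed 1 MiB file in place of a real device so it runs anywhere. It does not perform the fdisk, disklabel or bioctl steps the mail asks about.

```shell
#!/bin/sh
# Added example (not from the mail or the OpenBSD FAQ): back up a softraid
# keydisk partition with dd, verify the image against the device, and
# restore it onto a fresh partition of the same size.
# Assumption: $1/$2 are raw partition devices or, as in the constructed
# demo below, ordinary files standing in for them.
set -eu

BS=8192                 # block size used by the FAQ's dd commands
KEYDISK_BLOCKS=128      # 128 * 8192 bytes = 1 MiB, the FAQ's key partition size

# Copy the raw key partition into an image file.
backup_keydisk() {      # $1 = raw partition device, $2 = image path
    dd if="$1" of="$2" bs="$BS" 2>/dev/null
}

# Compare device and image with POSIX cksum (CRC + byte count, read from
# stdin so no filename is included). Returns 0 only if both match exactly.
verify_keydisk() {      # $1 = raw partition device, $2 = image path
    dev_sum=$(cksum < "$1")
    img_sum=$(cksum < "$2")
    [ "$dev_sum" = "$img_sum" ]
}

# Write the image back onto a freshly prepared partition of the same size.
restore_keydisk() {     # $1 = image path, $2 = raw partition device
    dd if="$1" of="$2" bs="$BS" 2>/dev/null
}

# Constructed stand-in for a 1 MiB key partition holding random key material.
make_fake_keydisk() {   # $1 = path of the fake device
    dd if=/dev/urandom of="$1" bs="$BS" count="$KEYDISK_BLOCKS" 2>/dev/null
}

# Constructed stand-in for a brand-new, all-zero replacement keydisk.
make_blank_keydisk() {  # $1 = path of the fake device
    dd if=/dev/zero of="$1" bs="$BS" count="$KEYDISK_BLOCKS" 2>/dev/null
}

# Usage on a real system would be, e.g.:
#   backup_keydisk /dev/rsd2a backup-keydisk.img && verify_keydisk /dev/rsd2a backup-keydisk.img
#   restore_keydisk backup-keydisk.img /dev/rsd2a && verify_keydisk /dev/rsd2a backup-keydisk.img
```

The verify step is the part to keep: a backup image that was never compared against the device is the one you find out about only when the original keydrive is gone. The example stops short of the bioctl question raised in the mail and only shows what the dd round trip itself needs.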