Re: Booting encrypted drive from another device

2016-06-20 Thread bootcrypt

> On 20.06.2016 13:00, bootcr...@openmailbox.org wrote:
>> Hello!
>>
>> I have recently decided to use full disk encryption on my OpenBSD
>> boxes.
>>
>> I've managed to do so and it's working, however for security reasons
>> I want to boot them from another drive.
>
> What is that security reason worth of not using default full disk
> encryption?

In my threat model, I consider that an adversary with physical access
can change the bootloader on the wd0 drive to store passphrases (or do
anything else).

After booting from USB I remove it and hold it in a safe place.
I don't consider the adversary to be able to change BIOS code or
something like that.




Re: Booting encrypted drive from another device

2016-06-20 Thread bootcrypt

On 2016-06-20 14:14, Stefan Sperling wrote:
> On Mon, Jun 20, 2016 at 02:00:20PM +0300, bootcr...@openmailbox.org wrote:
>> Hello!
>>
>> I have recently decided to use full disk encryption on my OpenBSD
>> boxes.
>>
>> I've managed to do so and it's working, however for security reasons
>> I want to boot them from another drive.
>>
>> Example:
>> I have a computer with an encrypted hard-drive (wd0). To boot it, I
>> want to insert a USB-flash drive (sd0) and to boot from it in BIOS.
>> I expect it to run the bootloader from sd0, ask me for the password
>> for my wd0 drive and then boot (wd0):/bsd.
>> However it's not working like that. When I'm booting from let's say
>> installation media, it's simply not asking me for the password,
>> and it seems there is no way to specifically ask the bootloader to
>> decrypt some drive.
>>
>> I've read man pages and googled things like boot, installboot,
>> "cross-device install" etc but unsuccessfully.
>>
>> Is it (booting a CRYPT hard drive from USB) possible? If yes, what am
>> I doing wrong?
>
> When you boot the machine, the boot loader should display a list of
> disks it has found. It looks something like this:
>
> disk: hd0+ hd1* sr0*
>
> In this example, the 'sr0' disk is the encrypted drive.
> Try booting from this disk with a command such as: boot sr0a:/bsd

Thank you. I somehow did miss that.



Booting encrypted drive from another device

2016-06-20 Thread bootcrypt

Hello!

I have recently decided to use full disk encryption on my OpenBSD boxes.

I've managed to do so and it's working, however for security reasons I
want to boot them from another drive.

Example:
I have a computer with an encrypted hard-drive (wd0). To boot it, I want
to insert a USB-flash drive (sd0) and to boot from it in BIOS. I expect
it to run the bootloader from sd0, ask me for the password for my wd0
drive and then boot (wd0):/bsd.
However it's not working like that. When I'm booting from let's say
installation media, it's simply not asking me for the password,
and it seems there is no way to specifically ask the bootloader to
decrypt some drive.

I've read man pages and googled things like boot, installboot,
"cross-device install" etc but unsuccessfully.

Is it (booting a CRYPT hard drive from USB) possible? If yes, what am I
doing wrong?