On Wed, Mar 05, 2014 at 17:48, Giancarlo Razzolini wrote:
> Thank you for your reply. I am tending towards the generic solution for
> unlocking it via network. Not using console nor any hardware assist. On
> linux, using initramfs + busybox + dropbear + some other hacks, it works
> quite well and securely, since you unlock it through ssh.

That sounds like something less than full disk encryption. I'd just do what you had to do before boot supported encryption. Put /home or wherever your data is in softraid, mark it 0 0 in fstab, and then after you boot, log in and bioctl/mount it manually.

I think FDE is useful on a notebook/desktop where you may reboot somewhat frequently, but always have console access. It's easier and it spares me from typing my password halfway through the boot sequence. On a server, this is only making things harder for no additional security. You don't know when initramfs sshd actually starts, so you're going to what, ping it until you get an answer?

Protect the things that are important, leave the rest alone. The only advice would be to start fewer daemons in rc. Just start sshd. Then start mail or web server or whatever later, assuming you want their data encrypted. This is a five line shell script that means you're still running OpenBSD, not bizarro almost but not really OpenBSD.
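The "five line shell script" from the reply, written out as an added example that is not from the thread: it assumes the encrypted softraid chunk is /dev/sd0a, that /home is listed in /etc/fstab by DUID with "noauto" and "0 0", and that the daemons left out of rc are smtpd and httpd. The fstab check is the part that runs without the hardware.

```shell
#!/bin/sh
# Added example, not from the thread: unlock the softraid crypto volume that
# holds /home after boot (over ssh), mount it, then start the daemons that
# keep their data there.  Assumptions: the encrypted chunk is /dev/sd0a, the
# fstab entry for /home names the volume by DUID and is marked "noauto 0 0",
# and the services started afterwards are smtpd and httpd (both rc.d scripts).
set -eu

CHUNK=${CHUNK:-/dev/sd0a}            # assumption: partition of fstype RAID
MNT=${MNT:-/home}
DAEMONS=${DAEMONS:-"smtpd httpd"}    # assumption: daemons not started from rc

# Return 0 if fstab file $1 lists mount point $2 with noauto and "0 0"
# (no dump, no fsck pass), i.e. left for a manual mount after boot.
fstab_entry_is_manual() {
    awk -v mnt="$2" '
        $1 !~ /^#/ && $2 == mnt {
            found = 1
            if ($4 ~ /noauto/ && $5 == 0 && $6 == 0) ok = 1
        }
        END { exit (found && ok) ? 0 : 1 }' "$1"
}

# Attach the volume (bioctl prompts for the passphrase on this tty), mount it
# by its fstab entry, then bring up the daemons that depend on it.
unlock_and_start() {
    if ! fstab_entry_is_manual /etc/fstab "$MNT"; then
        echo "$MNT is not a noauto/\"0 0\" entry in /etc/fstab" >&2
        return 1
    fi
    bioctl -c C -l "$CHUNK" softraid0
    mount "$MNT"
    for d in $DAEMONS; do
        /etc/rc.d/"$d" start
    done
}

if [ "${1:-}" = run ]; then
    unlock_and_start
fi
```

Run it as `sh unlock-home.sh run` after logging in over ssh; the daemons it starts must be left disabled in rc.conf.local so that rc only brings up sshd.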