Sunday, March 04, 2018

Re: would like: unix user and softraid crypto sharing same password

Hello,

minusf@obiit.org (frantisek holop), 2018.03.04 (Sun) 22:59 (CET):
> macOS has this rather user friendly operating mode
> where one is able to set the volume's FileVault
> (apple's full disk encryption) password to be the same
> as their user password and the password is asked only
> once. after bootup i get a login screen, enter my
> password, and voila, i am both logged in, and can
> access the encrypted volume. this works with a boot
> volume as well.
>
> i would like to achieve something similar on OpenBSD
> but in a bit simpler setup. my softraid crypto volume
> is just a "data" mount under my home, the system and /home
> are not encrypted. this setup came to be partly
> because it's a pain in the ass to always mount the
> encrypted folder after logging in, so i left some
> common stuff unencrypted (yes, i know, keydisks...).
>
> but it would be nice to have a fully encrypted /home
> that gets mounted when i enter my user password at the
> login screen, i don't mind leaving the system unencrypted...
>
> any ideas how to achieve this? some nice post auth
> hooks? in some ways it's bit like authpf...

This doesn't achieve what you want the way you want it, but it lets me
have my $HOME on softraid(4) crypt without Full Disk Encryption (FDE).

I have a local change to ttys(5) to let me unlock my softraid(4) crypt
devices before the xenodm(1) login:

$ grep ^ttyC5 /etc/ttys
ttyC5 "/etc/ttymenu.getty" vt220 on secure

$ cat /etc/ttymenu.getty
#!/bin/sh -e
# init(8) invokes the getty with the tty name (here ttyC5) as $1
TERM=vt220 /etc/ttymenu < /dev/$1 > /dev/$1

/etc/ttymenu asks me for the password and passes it to bioctl(8).

After the softraid(4) volume is attached it's mounted via hotplug(8).

I recommend a small (1GB in my case) softraid volume for your $HOME, to
have it fsck(8)ed quickly and get access to your $HOME fast after
unclean shutdowns. Then have another, big softraid volume for your
$BIGDATA which takes longer being fsck(8)ed but isn't necessary for
log in.

Marcus
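The hotplug(8) step Marcus mentions is not shown in his mail; the following is an added example of what an /etc/hotplug/attach script for it can look like, not his script. hotplug(8) runs the attach script with the device class as $1 (2 = disk) and the device name as $2; the script matches the newly attached disk against the DUID of the unlocked $HOME volume (the DUID value and the /home mount point are constructed placeholders) and relies on an fstab(5) entry keyed on that DUID with "noauto".

```shell
#!/bin/sh
# /etc/hotplug/attach (assumed path): mount the softraid crypto volume once
# bioctl(8) has attached it. hotplug(8) passes $1 = device class, $2 = name.

# DUID of the unlocked $HOME volume; constructed placeholder, take yours
# from "disklabel sdN" after bioctl(8) attaches it.
HOME_DUID="0123456789abcdef"
HOME_MNT="/home"

# Print the DUID of a disk; wrapped in a function so it can be replaced in
# a test without a real disklabel(8).
duid_of() {
    disklabel "$1" 2>/dev/null | sed -n 's/^duid: *//p'
}

# Map an attach event to an action: prints the mount point when the event
# is our volume, prints nothing otherwise. Always returns 0 so an unrelated
# attach event never aborts hotplug processing.
attach_action() {
    class=$1 dev=$2
    [ "$class" = 2 ] || return 0              # only disk-class devices
    case $dev in sd[0-9]*) ;; *) return 0 ;; esac
    duid=$(duid_of "$dev")
    if [ -n "$duid" ] && [ "$duid" = "$HOME_DUID" ]; then
        printf '%s\n' "$HOME_MNT"
    fi
    return 0
}

# Mount via the fstab(5) entry, e.g.:
#   0123456789abcdef.a /home ffs rw,noauto,nodev,nosuid 1 2
# mount(8) takes device and options from fstab; an already mounted
# volume is left alone.
mount_if_home() {
    mnt=$(attach_action "$1" "$2")
    [ -n "$mnt" ] || return 0
    mount | grep -q " on $mnt " || mount "$mnt"
}

mount_if_home "$@"
```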
