Sunday, August 05, 2018

Encryption of two disks on the same host

I want to use full disk encryption on all of the disks of a host (two hosts). They can have the same password. How should I do this?

1. A method that I know will work is to make separate CRYPTO discipline softraid devices for each disk, install on one of them, and configure and mount the other encrypted disk by calling bioctl from rc.local. I would either type the password twice or use a keydisk stored on the first softraid device.
2. I could make a RAID 0 or CONCAT discipline device to combine the two devices and then make a CRYPTO discipline device on top of that, but my reading of the manual pages suggests that I can't install boot(8) on this.
3. Perhaps I could do option 2 and add a new disk (SD card) that I use just for installing boot(8). (If I'm doing that, I might use the same SD card for both boot and keydisk.)

Are there other approaches I should consider?
And, if I want to put boot on a separate disk, at which question in the installer do I specify that?
