Wednesday, November 06, 2024

Re: /altroot with multiple encrypted disks

Thanks Ruben,

I wasn't aware of installboot until now.
I think I'm screwed and didn't think this through properly.

I could make the second disk bootable, but the unlock for it is a
passfile residing on the encrypted first disk, and the unlock for
the original boot disk is a keyboard-entered passphrase.
Looking at the man pages it seems only one unlocking method can be
installed on one device, and there's no way to replace a password
unlock with a passfile one or vice versa.

Conclusion - booting from multiple softraid encrypted drives will
never be possible. That's ok. I may have a play around with an
unencrypted machine just for interest's sake.




----- Original message -----
From: "Rubén Llorente" <porting@use.startmail.com>
To: misc@openbsd.org
Cc: doofus@fastmail.net
Subject: Re: /altroot with multiple encrypted disks
Date: Thursday, 31 October 2024 7:07 PM

Phil wrote:

> I guess an appropriate boot block needs to be installed on the second
> disk (I don't know how to do that either). Also I would guess /altroot
> would need to be temporarily mounted after each backup to swap the
> parameters in the "/" and "/altroot" lines. I'm not knowledgeable enough
> to think of anything else.
>
> I might be talking c**p here and this uber-redundancy scenario isn't the
> intended way for /altroot to be used. Otherwise I'd be very interested
> and grateful to read any ideas anyone has on the subject.
>
> Phil
>

I think if you need that sort of redundancy you just use a mirror RAID.
Boot encrypted mirror RAID is supported (man boot(8) and man bioctl(8)).

I suspect you could use installboot(8) on the disk holding your /altroot
to make it bootable, but I have never tested such a thing.
