
sarnowski | 3 years ago

I think/assume OpenBSD is mainly used as a server OS. Yes, passionate people use it as a desktop but those mostly read the FAQ anyway.

Currently, and as far as I know, bioctl only supports user-typed passwords or key disks. You certainly also want encrypted disks on your server, but requiring a user-typed password is oftentimes a no-go (think of various firewall appliances doing a reboot and not having remote hands). A compensation can be the key disk, but I don’t know how widely that is used.

Hardware bound encryption like with a TPM is not supported. Also Linux is still exploring here as far as I can tell (no installer offers that).

In sum: I think disk encryption in the current form is not a tradeoff many installations will take.

e12e | 3 years ago

> Hardware bound encryption like with a TPM is not supported. Also Linux is still exploring here as far as I can tell (no installer offers that).

True, OTOH AFAIK you can add TPM unlock to a typical LUKS setup after installation, see my other comments:

https://news.ycombinator.com/item?id=35067375 (ed: fixed)

prmoustache | 3 years ago

Wrong link I believe.

Also, if secure-boot/TPM is not desired or not available, systemd can now start openssh very early to allow the user to type the passphrase, and for non-systemd systems one can use tinyssh-initramfs or dropbear-initramfs depending on key requirements. The last option is a dedicated KVM (which also works for OpenBSD).