I'm just trying to encrypt my laptop's /home partition to hide my personal info if the worst happens and my lappy is stolen. I'm wondering what would be the best method to encrypt the hard drive? I saw some discussion on the mailing list recently and somebody pointed out that I could encrypt the whole partition. I'm currently creating an image within a partition, which I then intend to encrypt as instructed for example here: http://www.blackant.net/other/docs/howto-encrypted-home.php Which would be the better method, the separate image or encrypting the whole partition, and how do I encrypt a whole partition on OpenBSD? Timo
In -current it's possible to encrypt partitions through the use of svnds with vnconfig (example):

# vnconfig -c -k svnd0 /dev/wd0g

Create a disklabel on svnd0, newfs and mount it. Done.

felix -- GPG/PGP: D9AC74D0 / 076E 1E87 3E05 1C7F B1A0 8A48 0D31 9BD3 D9AC 74D0 http://hazardous.org/~fkr - fkr@hazardous.org - fkr@silc|irc - FKR-RIPE https://www.bytemine.net/ - bytemine - BSD based Hosting/Solutions/Ideas
*The* way to make encrypted disks on OpenBSD is through vnconfig -k. Go read up on that and come back. Then here's what you can do (it's dead simple):

# vnconfig -k svnd0 /path/to/image
# mount /dev/svnd0 /home

Note: the image file should be available somewhere that isn't /home, obviously... You may be able to have a /home with it on there and then mount over that, and it might keep working, but it's just asking for trouble to do it that way. Are you sure you want to encrypt your *whole* drive, though? Is your data really that secret? For most people there are only a few /really secret/ things, and you can just make a small secure partition and place them in there. Encryption does take a performance hit. -Nick
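As an added example (not code from the thread, and not OpenBSD's own documentation), here is the vnconfig -k procedure Felix and Nick describe written out as a script: it fills the image from /dev/urandom, attaches it with a prompted passphrase, creates the filesystem, mounts it, and refuses an image that lives under the mount point it is about to back. The image path, its size and the svnd0 device name are assumptions; with the default DRYRUN=1 the script only prints the commands it would run, so it can be read on any system, and is meant to be run for real with DRYRUN=0 as root on an OpenBSD release that still ships svnd.

```shell
#!/bin/sh
# Added example, not from the thread: encrypted image via vnconfig -k.
# All paths, sizes and device names are assumptions; adjust to taste.
# DRYRUN=1 (default) prints the commands instead of executing them.

IMAGE=${IMAGE:-/var/crypt/home.img}    # assumed; must NOT live under MOUNTPOINT
SIZE_MB=${SIZE_MB:-512}                # assumed image size in megabytes
DEV=${DEV:-svnd0}                      # encrypting vnode disk, see vnd(4)
MOUNTPOINT=${MOUNTPOINT:-/home}
DRYRUN=${DRYRUN:-1}

# Execute a command, or print it when dry-running.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if the image path lies outside the mount point, 1 if it is the
# mount point itself or anything under it: an image stored under /home and
# then hidden by mounting over /home is exactly the trouble Nick warns about.
image_outside_mountpoint() {
    case "$1" in
        "$2"|"$2"/*) return 1 ;;
        *)           return 0 ;;
    esac
}

setup_encrypted_image() {
    image_outside_mountpoint "$IMAGE" "$MOUNTPOINT" || {
        echo "refusing: $IMAGE lives under $MOUNTPOINT" >&2
        return 1
    }
    # Pre-fill with random bytes so the image never reveals which blocks
    # have been written to; this is the slow step Timo is waiting on.
    run dd if=/dev/urandom of="$IMAGE" bs=1m count="$SIZE_MB"
    run chmod 600 "$IMAGE"
    # -k prompts for the passphrase on the terminal, so it never appears
    # on the command line, in ps output or in the shell history.
    run vnconfig -k "$DEV" "$IMAGE"
    # The 'c' partition spans the whole vnode disk, so a custom disklabel
    # is optional; newfs the raw device directly, then mount it.
    run newfs /dev/r"$DEV"c
    run mount /dev/"$DEV"c "$MOUNTPOINT"
}

# Detach cleanly; afterwards the data is unreadable without the passphrase.
teardown_encrypted_image() {
    run umount "$MOUNTPOINT"
    run vnconfig -u "$DEV"
}

setup_encrypted_image
teardown_encrypted_image
```

If you prefer the salt-file form of key derivation that comes up later in the thread, replace the vnconfig line with `vnconfig -K <rounds> -S <saltfile> svnd0 image`; the salt file then has to be kept outside the image, and ideally off the laptop, or it undoes most of the point.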
Why is that important? AKA "it's my laptop, and I will explicitly choose to disclose its contents." (says the guy who left his laptop except for when you forget to encrypt something, or when a process unexpectedly leaves plaintext lying about (editor temp files, core dumps, i-meant-to-download-that-someplace-else, ...), or when you forget your laptop in an airport or a taxi or leave the door to your Worthy trade-off. CK -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Good points. I was just playing devil's advocate.
Using the -K switch for vnconfig is good if you're worried about offline The performance hit is pretty unnoticeable unless you're doing lots of reads and writes, e.g. a fileserver. On a decently fast machine you can get 20-30 MBps read and write speed on an encrypted image, which is
I have read the mount_vnd manual page, and it describes the mount options for the image that are needed to successfully mount the partition on boot, but it didn't reveal whether there's a method to encrypt the whole partition. I know it will give me a small performance hit to encrypt the whole partition, but it should be OK. I had all of my HD except the /boot partition encrypted with Linux and I didn't notice any difference in casual use. Currently waiting for urandom to fill the image... Timo
Hm? I don't understand what you don't understand. There's no such thing as a half-encrypted svnd (=partition). If you can mount an encrypted svnd then you have a totally encrypted drive. If you put it in fstab even better, but you need to somehow get it to ask you for a password (-k) or give it a saltfile (-K) from somewhere when it does that (and you better not store that password on the same laptop). -Nick
I mean, can I encrypt my /dev/sd0g directly instead of creating an image in it and encrypting and mounting that image as /home? I tried to read about svnd and it only seems to work on files. Timo
Yes, exactly ;) This is Unix, where everything is a file (or tries to be):

vnconfig /dev/sd0g svnd0

On a tangential note, it's useful to understand what you can do with ccd(4) if you are creative about it. -Nick
I tested the above and the following:

mount_vnd -K 20000 -S /root/image.slt svnd0 /dev/sd0g

Both prompted for the encryption key but then gave the following message:

vnconfig: VNDIOCSET: Inappropriate ioctl for device

Timo
Oh, I guess I was wrong then. Argh. Yeah, use Chris's idea.
