I'm running an application which uses a Python app to access a SQL database on a server. I would like this computer running the app to use OpenBSD and would love to have the root file system encrypted, since physical access to it won't be all that difficult for many people. Does anybody here know a way to do this? I can't for the life of me find out how. I've found guides on encrypting individual file systems, but never the entire root. Linux allows for something like this so easily; I find it hard to believe BSD wouldn't.
This is not possible without modifying the kernel source code. And even then, it is only a theoretical possibility. This is because the root filesystem is pre-mounted as "root_device" by the kernel, prior to starting init(8).
You can, however, make the root filesystem physically read-only. Many users have done this over the years. For read-only IDE/ATA or SCSI attached devices, only /etc/rc need be modified. For an optical root device, the kernel will need a custom configuration, too.
__________________
OpenBSD LiveCDs/LiveDVDs
I guess my main concern is, will this stop somebody from popping in a livecd environment with an OpenBSD disk, mounting the root file system, chrooting, and running passwd?
Physical access is physical access. There is nothing to stop someone with it from doing whatever they want, e.g. copying your read-only data somewhere else and modifying it. In that case, the only way to prevent access to encrypted data is to NOT leave the keys in unencrypted media.
The purpose of making a filesystem read-only is to prevent changes to it in the event someone is able to acquire superuser power remotely. This can be as simple as using a read-only device, or setting the schg flag on all files in the filesystem. If you don't trust those with physical access, either place your hardware in a trusted environment, or don't use OpenBSD.
__________________
OpenBSD LiveCDs/LiveDVDs
Software security cannot possibly protect you from physical security risks. If this system is in an area that's not safe, relocate it to a safer area.
There are a few things you can do:
An encrypted root file system sounds nice, but it's simply unfeasible. The 3rd level boot program, i.e. /boot, is on the root partition. The loader before that is primitive: it has the blocks hard coded into it, and due to architectural constraints, i.e. a 512 byte PBR, a suitable decryption routine would be insanely hard to write. Sorry.
Last edited by BSDfan666; 28th September 2008 at 04:33 PM.