How to set an on-boot passphrase ?

[daemonfowl]

Hi !

Is it possible to set a boot passphrase wether the system is wd* of sd* ?


Much thanks.

[ocicat]

Quote:

Originally Posted by daemonfowl

Is it possible to set a boot passphrase wether the system is wd* of sd* ?

Explain.

[daemonfowl]

Like in Debian for instance , one can set a passphrase before they can resume booting into the system ..for both IDE/ATA or SCSI

[jggimi]

Yes.

At the BIOS level, portable workstations may have security passwords that can be set for the workstation itself. They may not be resettable if lost without a trip to the vendor; check your laptop/netbook BIOS documentation carefully.

Portable drive electronics may also have password protection, the ATA standard calls this "Security Mode" and not all drives have them. These may be set from the BIOS, or, for exampe, from atactl(8). HEED THE WARNINGS in that man page andi n your BIOS manual. There are two levels of password; user and master. Loss of both passwords will mean more than data loss, it will mean loss of the device.

(If I recall correctly, recovery without the user password requires a data security erase, which wipes the drive, and this recovery function requires the master password if one has been set.)

Simple password protection at boot can be performed by multiboot tools, such as GAG. These are easily defeatable by booting another device, or inspecting the boot blocks -- at least with GAG, the passwords are in plaintext.

-------

OpenBSD-specific solutions are also possible, such as encrypting partitions with softraid(4)/bioctl(8) that use keydisks and/or passphrases.

[ocicat]

Quote:

Originally Posted by daemonfowl

Is it possible to set a boot passphrase wether the system is wd* of sd* ?

It is also unclear from your question whether you are asking if the execution path (booting from wd(4) or sd(4)...) can be changed based on the passphrase provided.

While most BIOS'es today will allow some control over what boot device will allowed, the implementation of password protection at the BIOS level is generally not sophisticated -- either the password provided matches what is stored or it does not.

If you are wanting control over what device or operating system is booted, what you are ultimately searching for is a boot manager, but these are frequently limited to choosing which operating system is selected on the boot hard drive.

[daemonfowl]

@jggimi , @ocicat , Thank you very much !!
I'm sorry for the bad articulation & the typo .. I have several OpenBSD boxes .. some are SATA disks and some are just flash sticks .. at times I change disks (for the same laptop) .. they are not encrypted nor have passphrases .. what I was asking about :
a way to set a passphrase to use at the initial boot phase.I would hope the passphrase would still be asked for when trying to boot the respective disk using another machine (other laptop/server) ..
Then would using that passphrased disk -this time not as a boot OS but as an sd** - be mountable without having to supply a passphrase ? if yes then how would I force using a passphrase ?
(I want to prevent intruders from booting/mounting my disks .. yet +security when physical security is gone :-) )

[ocicat]

Quote:

Originally Posted by daemonfowl

...be mountable without having to supply a passphrase ? if yes then how would I force using a passphrase ?

See bioctl(8).

[daemonfowl]

bioctl needs a fresh and clean drive right ? which is not my the case.

[denta]

The information on your disks will be there regardless if you have some weird boot-password or not. So if you lose physical security, you lose everything that is on those disks.

Like already has been mentioned, you need to look into bioctl -C.

[jggimi]

Rather, bioctl -c C.

[jggimi]

On this netbook, I have /home encrypted. The fstab(8) entry has both "noauto" and 0 for fs_passno.

Code:

3f76e758fbb26404.a /home ffs rw,nodev,nosuid,softdep,noauto 1 0

My rc.local(5) script includes:

Code:

# mount /home
until bioctl -c C -l /dev/sd0g softraid0; do done
fsck -p /home
mount /home

This script segment will loop indefinitely until success, so if there is a problem with the bioctl command, not just an incorrect passphrase, the rc.local script will continue to loop. It's a personal device so that's not a big concern. I just have to boot single user to fix whatever might be wrong.

[denta]

Quote:

Originally Posted by jggimi

Rather, bioctl -c C.

oops! yes.