OpenBSD Disk Encryption Options – softraid and svnd

It is unfortunate, but the OpenBSD disk encryption tool-sets are no where near as mature as those found in FreeBSD or Linux. You would think with such a security focused operating system that disk encryption would be a no brainer. You would be wrong. On OpenBSD -misc mailing list you often get this impression with them:

XKCD - Security<figcaption class="wp-caption-text">XKCD - Security</figcaption></figure>

I find this response disingenuous and incredibly annoying, but it is OpenBSD and you accept those warts. So in attempt to find a somewhat middle ground I wanted to review the two different options and provide howto for deploying them on your systems. My focus is the mobile environment such as a laptop that is on the move and in the public. These same instructions would work for setting up an encrypted NAS or similar too.

A small note on encrypted swap. Often I will see howto that specify: vm.swapencrypt.enable=1 There is no reason to do this. Since OpenBSD 3.8 it has been the default setup so unless you plan on disabling the option no need to call it out separately. Alrighty moving along.

There are two different options for encryption in OpenBSD:

  1. softraid – this is where OpenBSD is going. Many folks say this method is slower than #2 below, but the userland toolset is actively being developed and you can bank on this being the future. In my opinion you might as well learn this and use it. When Theo deprecates something, he does so quickly.
  2. vnconfig with svnd – encryption with this technique has been included with OpenBSD since 4.2 circa 2007. It works and appears to be much faster than softraid currently, though that is purely perception and I have not benchmarked. I don’t believe this capability will disappear fully (vnconfig is the pseudo device tools) yet the encryption portions will most likely be updated all that often

Between the two options the main differences from the user perspective would be:

  • softraid uses AES256 while svnd uses Blowfish
  • softraid encrypted volumes cannot be mounted automatically on boot
  • softraid treats your encrypted mounts like RAID volumes whereas svnd is equivalent to TrueCrypt volumes

In later posts I will walk through setting up both options for your laptop security usage. I wanted to give an overview of the options and background before dived in. Each option has their benefits and you the user should pick what fits your setup best.