Configuring OpenBSD softraid for encryption

3 minute read

My original idea was to post a dual how-to for both softraid and svnd, but due to the size of the posts with screenshots, I have decided against that. Since softraid is the path forward in the OpenBSD world I will start here. This post is not dial-up friendly, so be patient while it loads from my poor server. This post is part of my larger OpenBSD crypto series for which the other posts are below:


1. After booting the OpenBSD 4.8 Install CD select (S) for shell


2. Issue fdisk -iy wd0 The -i initializes a new MBR bootcode and -y avoids asking questions. Make it so fdisk!


3. Next we enter the disklabel editor with disklabel -E wd0


4. I am of the old school OpenBSD disklabeling where a=root b=swap so we will follow that. We start by creating a root partition with a a and giving it only 256M. This is because we only need a small amount of space to host the OpenBSD boot information and kernel. This will provide us the general information needed to unencrypted on boot


5. Now we create the swap


6. We must now create a place to host our encrypted partitions. You will notice that I selected RAID rather than 4.2BSD. This was unclear from the information provided online. If you try to create the softraid on a FS labeled 4.2BSD it will fail. We label this section of the drive d or wd0d


7. Now we (w)rite and (q)uit


8. bioctl is the command we use to manage RAID interfaces in OpenBSD. There are a few options we pass to it -c C which stipulates the RAID will be a CYRPTO discipline. -r 8192 is the number of iterations of the PBKDF2 algorithm to run. -l simply specifics the hosting disk label. Enter the command: bioctl -c C -r 8192 -l /dev/wd0d softraid0 Here you will enter your passphrase that will allow you to mount on boot. I recommend something very difficult to brute-force or a yubikey. Issue /install to get back into the setup process.



9. Go through the install process as you normally would, but when presented with the Available Disks…HOLD TIGHT! First we will select wd0 which if you remember is the main drive hosting our root, swap, and RAID. For wd0 we are going to use the (W)hole disk


10. The OpenBSD installer will present a default auto-layout that otherwise would be great, but since we are encrypting we are going to create a (C)ustom Layout


11. The disklabel editor will come up that looks vaguely like the one we started with earlier. We are going to label the partitions and mount points.


12. We issue m a and set the A label to mount on / – remember this is the 256M partition we created to host our boot specific information. This is what the computer will start with prior to dumping us to a rescue shell to mount our crypto RAID. Issue w q and we will move forward with the install


13. The Install process will now show that there is a single remaining drive sd0. We will initialize it


14. Now we need to configure the important parts of our crypto volume. Our first step is to create a replica of our 256M root partition. Create a 256M partition with the only different being it is mounted on /altroot


15. Now we will create the additional partitions needed. The sizing of the partitions is dependent on the environment, but for the example here the Virtual Machine had a 8GB drive. You will need at a minimum /tmp /var /usr /home After you are done with those partitions you can w q and move on16.


16. Now continue on as your otherwise would have with the OpenBSD Install. After the reboot the magic happens


17. The machine will attempt to boot and begin to toss errors everywhere. Your initial reaction might be that you did something wrong. That reaction would generally be incorrect. The toolset for fully encrypted boot drives in OpenBSD is still maturing. Click enter and put the following command in: bioctl -c C -l /dev/wd0d softraid0 && exit You will be asked for your passphrase and upon entering successfully the boot process will continue.24.png

18. You can see after the passphrase is entered the OpenBSD system recognizes the crypto RAID and moves along…Congrats! You have finished encrypting your drive. There are ways to hide certain portions by filling it with random data, but that is beyond the scope of this little how-to. Below I have also posted screenshots for a little script that will save you from typing the long-arse command on boot.