OpenBSD 5.7 full encrypted hdd

You will find plenty of OpenBSD install guides out there.

I like to have a fully encrypted hdd (FDE – full disk encryption) on my laptop. I think OpenBSD has encrypted swap by default for 10 years! So there is no need to encrypt swap twice. Just keep that in mind for later.

Boot your system e.g. amd64 from CD or flash drive.

Press [ I ] to take the first install step. Choose your keyboard layout. In my case ‚de‘.

Now leave the install routine by typing: !. You have your shell and you can set up your hdd or ssd.

In my case, the ssd is sd0:

fdisk -iy sd0

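-i initialize the MBR with one OpenBSD partition covering the whole disk (this overwrites the existing partition table)
-y don't ask the yes/no confirmation questions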

Edit the disklabel:

disklabel -E sd0

Create a swap partition first. (add b)

> a b
offset: [64]
size [10474316] 1g
Rounding size to cylinder (16065 sectors): 2104451
FS type: [swap]:

To add an a partition just enter:

> a a
offset: [2104515]<enter>
size: [8369865]<enter>
FS type: [4.2BSD] RAID

To save your disk layout press:

> w
and to quit disklabel:
> q

Now comes the encryption magic, just for partition a:

bioctl -c C -l /dev/sd0a softraid0

You will be asked for your passphrase. Use a phrase, it’s much easier to remember, and you should remember your passphrase. „Thank you Edward Snowden <3.“ or „Fuck you god damn NSA and GCHQ.“ or something like that. Now you have the „right“ keyboard layout to use some fancy keys. ;)

New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd2

My encrypted RAID volume becomes sd2 because sd1 is the flash drive I installed OpenBSD from.

You can now jump back (exit shell) to the install routine.

exit

Just go on with setting the hostname and so on. Install OpenBSD on your sd2, or whatever it is in your case. Lazy as an OpenBSD slacker, you create just a root partition. Choose the custom layout to create an a partition on your sd2. In the „normal“ disklabel:

>a a
<enter> for default offset of [64]
<enter> for default size (depends on the size of ssd/hdd)
<enter> for default file system type (4.2BSD)
/ for your custom mount point
>w q for write and quit disklabel

Your b partition will be outside your „encrypted RAID“ and the OpenBSD installer will not find it automatically. In my case it is sd0b.

Edit your fstab like a pro:

sed 's/rw/rw,softdep,noatime/g' /mnt/etc/fstab > /mnt/a
echo '/dev/sd0b none swap sw 0 0' >> /mnt/a
mv /mnt/a /mnt/etc/fstab
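
A field-aware, re-runnable variant of the fstab edit above, as an added example that is not part of the original post. The function name `patch_fstab` and the sample DUID are made up for illustration, and it assumes a shell where awk is available.

```shell
#!/bin/sh
# Added example, not from the original post.
# patch_fstab FSTAB SWAPDEV   (hypothetical helper name)
#   Prints a patched copy of FSTAB on stdout:
#   - ffs entries whose options field starts with "rw" get softdep,noatime,
#     only in field 4 and only if the option is not already there
#   - a swap entry for SWAPDEV is appended unless one already exists
# Usage in the installer shell, mirroring the post:
#   patch_fstab /mnt/etc/fstab /dev/sd0b > /mnt/a && mv /mnt/a /mnt/etc/fstab
patch_fstab() {
    awk -v swapdev="$2" '
        # append option o to the comma list opts unless it is already in it
        function add_opt(opts, o) {
            return (("," opts ",") ~ ("," o ",")) ? opts : opts "," o
        }
        # comments, blank and short lines pass through untouched
        /^[ \t]*#/ || NF < 4 { print; next }
        $1 == swapdev && $3 == "swap" { have_swap = 1 }
        $3 == "ffs" && $4 ~ /^rw(,|$)/ {
            $4 = add_opt(add_opt($4, "softdep"), "noatime")
        }
        { print }
        END { if (!have_swap) print swapdev " none swap sw 0 0" }
    ' "$1"
}

# Constructed sample: a single root partition referenced by a made-up DUID.
sample=$(mktemp)
printf '%s\n' '0123456789abcdef.a / ffs rw 1 1' > "$sample"
patch_fstab "$sample" /dev/sd0b
rm -f "$sample"
```

Running it a second time over its own output changes nothing, so the options and the swap line are never duplicated.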

Reboot your machine and praise the OpenBSD guys. :)

7 thoughts on „OpenBSD 5.7 full encrypted hdd“

  1. Seems to have worked using a current snapshot (soon to be 5.8) installing from CD-ROM. The mechanical hard drive was /dev/wd0. The encrypted / partition was recognised as sd0

    On the rebooted system, disklabel sd0 shows just a and c with a the / partition and disklabel wd0 shows a as RAID, b as swap and c.

    Cheers

  2. I’m looking for full-disk encryption, as if someone were to steal my notebook they could potentially access the data stored on it. Another reason is that I’m not always next to my notebook, so someone could potentially compromise the integrity of my netbook. These are the two major issues which make me believe that full-disk encryption is important for me.
