I recently decided to try out a snapshot of OpenBSD 5.3, intrigued by the notice that
softraid(4) RAID1 and crypto volumes are now bootable on i386 and amd64 (full disk encryption).
I’ve always used an encrypted LVM (as setup by the alternate CD) with a fully encrypted root on my netbook and laptop when running Debian/Kubuntu and never noticed much a performance hit. Unfortunately, I’m not the only one who has noticed a significant drop in performance with full-disk encryption on OpenBSD.
Although the steps required to setup full-disk encryption (as opposed to requiring manual intervention at boot or the equivalent of loop-mounted encrypted images via
vnconfig(8)) on OpenBSD are not explicitly documented anywhere, searching through the mailing lists, man pages, and trial and error provided the following steps:
- Boot from your install media. Select the
- Assuming the disk you’re installing to is ”
fdisk -i wd0if you’re on an i386. If I’m not mistaken, you can skip to the following step otherwise.
disklabel -E wd0. Create a label (typically
b) of the appropriate size of type
swapfor swap, and then add a label
ausing the remainder of the space of type
RAID. We aren’t going to put
swapon our crypto device since OpenBSD has encrypted the swap partition by default since 2005.
- Setup the crypto volume as described in
bioctl(8). You will be prompted for a passphrase and presented with a message along the lines of
softraid0: SR CRYPTO volume attached as sd0on successful setup. I used
bioctl -c C -l /dev/wd0a softraid0where -
-c Cspecifies a device with raidlevel “CRYPTO”, -
-l /dev/wd0aspecifies the label of type RAID created in step 3 to use for the CRYPTO device, and -
softraid0is the softraid device to configure (this value should work unless you already have a
exitfrom the shell and
(I)nstallas normal, installing to the disk
sd0(or whichever disk the crypto volume got attached as). In the partitioning dialog, you may need to manually adjust things since the auto-partitioning creates an additional swap label on
sd0, which we don’t need given we already have
ed(1), add the line
1a8bab44e9cc178d.b none swap swto
/mnt/etc/fstab, assuming that
1a8bab44e9cc178dis the DUID associated with
wd0(you can find this out by running
sysctl hw.disknames, which will output something like
hw.disknames=wd0:1a8bab44e9cc178d,cd0:,rd0:6ce80c78714fa32f,sd0:fce7bfa23c8ec20d; just search for the DUID associated with
wd0). Alternatively, wait until you boot into your system, and add it to your
- Reboot, and you’ll be prompted for your passhprase. You’re done!
Here’s a screenshot of steps 1 through 4.
Here’s a screenshot of the passphrase prompt, after successfully entering the passphrase:
If I’ve made any errors in the steps above, please point them out in the comments below or by sending me an email.