Ryan Kavanagh's Blog

From: Ryan Kavanagh rak@debian.org  
To: Blog
Subject: Setting up full-disk encryption in OpenBSD 5.3
Date: 
X-Categories:  planet-ubuntu 

I recently decided to try out a snapshot of OpenBSD 5.3, intrigued by the notice that

softraid(4) RAID1 and crypto volumes are now bootable on i386 and amd64 (full disk encryption).

I’ve always used an encrypted LVM (as set up by the alternate CD) with a fully encrypted root on my netbook and laptop when running Debian/Kubuntu and never noticed much of a performance hit. Unfortunately, I’m not the only one who has noticed a significant drop in performance with full-disk encryption on OpenBSD.

Although the steps required to set up full-disk encryption (as opposed to requiring manual intervention at boot, or the equivalent of loop-mounted encrypted images via vnconfig(8)) on OpenBSD are not explicitly documented anywhere, searching through the mailing lists and man pages, together with some trial and error, yielded the following steps:

  1. Boot from your install media. Select the (S)hell option.
  2. Assuming the disk you’re installing to is "wd0", run fdisk -i wd0 if you’re on an i386. If I’m not mistaken, you can skip to the following step otherwise.
  3. Run disklabel -E wd0. Create a label (typically b) of the appropriate size of type swap for swap, and then add a label a using the remainder of the space of type RAID. We aren’t going to put swap on our crypto device since OpenBSD has encrypted the swap partition by default since 2005.
  4. Set up the crypto volume as described in bioctl(8). You will be prompted for a passphrase and, on successful setup, presented with a message along the lines of softraid0: SR CRYPTO volume attached as sd0. I used bioctl -c C -l /dev/wd0a softraid0, where
     - -c C specifies a device with raidlevel “CRYPTO”,
     - -l /dev/wd0a specifies the label of type RAID created in step 3 to use for the CRYPTO device, and
     - softraid0 is the softraid device to configure (this value should work unless you already have a softraid0 device).
  5. exit from the shell and (I)nstall as normal, installing to the disk sd0 (or whichever disk the crypto volume got attached as). In the partitioning dialog, you may need to manually adjust things since the auto-partitioning creates an additional swap label on sd0, which we don’t need given we already have wd0b.
  6. Using ed(1), add the line 1a8bab44e9cc178d.b none swap sw to /mnt/etc/fstab, assuming that 1a8bab44e9cc178d is the DUID associated with wd0 (you can find this out by running sysctl hw.disknames, which will output something like hw.disknames=wd0:1a8bab44e9cc178d,cd0:,rd0:6ce80c78714fa32f,sd0:fce7bfa23c8ec20d; just search for the DUID associated with wd0). Alternatively, wait until you boot into your system, and add it to your /etc/fstab using vi(1) or mg(1).
  7. Reboot, and you’ll be prompted for your passphrase. You’re done!
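Steps 1 through 5 are interactive, but step 6 is easy to get wrong by hand: a mistyped DUID gives you a system that boots without swap, and running the edit twice leaves a duplicate fstab entry. The following POSIX sh script is an added example, not part of the original post: it parses the hw.disknames output quoted in step 6, refuses to write anything if wd0 has no DUID, and appends the swap line only if it is not already present. The function names duid_for, swap_fstab_line and add_swap_entry are my own, and the script assumes, as the post does, that the swap label is wd0b and that the installed system is mounted at /mnt.

```shell
#!/bin/sh
# Added example (not from the original post): derive the DUID of wd0 from
# `sysctl hw.disknames` output and add the swap entry to /mnt/etc/fstab.
# Assumptions: the swap label is wd0b and the install target is at /mnt.

# duid_for DISK DISKNAMES_OUTPUT
# Print the DUID paired with DISK in a "hw.disknames=..." line, or print
# nothing if DISK is absent or has no DUID (cd0 in the sample has none).
duid_for() {
    d_disk=$1
    d_names=$2
    # Drop the "hw.disknames=" prefix, one entry per line, match "disk:duid".
    printf '%s\n' "${d_names#hw.disknames=}" | tr ',' '\n' |
        awk -F: -v d="$d_disk" '$1 == d && $2 != "" { print $2; exit }'
}

# swap_fstab_line DUID PARTITION
# Build the fstab entry "<duid>.<partition> none swap sw" used in step 6.
swap_fstab_line() {
    printf '%s.%s none swap sw\n' "$1" "$2"
}

# add_swap_entry FSTAB_PATH LINE
# Append LINE to FSTAB_PATH unless an identical line is already there, so
# running this twice does not leave two swap entries.
add_swap_entry() {
    a_fstab=$1
    a_line=$2
    if [ -f "$a_fstab" ] && grep -qxF "$a_line" "$a_fstab"; then
        echo "already present: $a_line" >&2
        return 0
    fi
    printf '%s\n' "$a_line" >> "$a_fstab"
}

# Constructed sample: the sysctl output quoted in step 6 of the post.
SAMPLE='hw.disknames=wd0:1a8bab44e9cc178d,cd0:,rd0:6ce80c78714fa32f,sd0:fce7bfa23c8ec20d'

# main [DISKNAMES_OUTPUT] [FSTAB_PATH]
# Print the fstab line for wd0b; if FSTAB_PATH is given, also append it.
# On the install shell: sh add-swap.sh "$(sysctl hw.disknames)" /mnt/etc/fstab
main() {
    m_names=${1:-$SAMPLE}
    m_fstab=$2
    m_duid=$(duid_for wd0 "$m_names")
    if [ -z "$m_duid" ]; then
        echo "no DUID for wd0 in: $m_names" >&2
        return 1
    fi
    m_line=$(swap_fstab_line "$m_duid" b)
    if [ -n "$m_fstab" ]; then
        add_swap_entry "$m_fstab" "$m_line"
    fi
    printf '%s\n' "$m_line"
}

main "$@"
```

Without arguments the script runs against the sample output above and prints 1a8bab44e9cc178d.b none swap sw; on the install shell after step 5, pass the live sysctl output and /mnt/etc/fstab as shown in the comment above main. Checking the printed line against sysctl hw.disknames before rebooting is the one verification worth doing, since the DUID is the only piece of the entry that cannot be typed from memory.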

Here’s a screenshot of steps 1 through 4:

[Screenshot: Steps 1 through 4]

Here’s a screenshot of the passphrase prompt, after successfully entering the passphrase:

[Screenshot: Passphrase prompt]

If I’ve made any errors in the steps above, please point them out in the comments below or by sending me an email.

--
|_)|_/  Ryan Kavanagh		| Debian Developer
| \| \  http://ryanak.ca/	| GPG Key 4A11C97A