DISK ENCRYPTION(7) Miscellaneous Information Manual DISK ENCRYPTION(7)

Full Disk Encryption on OpenBSD

A slightly more complex walkthrough of full disk encryption on OpenBSD, covering multiple hard disks.

I recently installed OpenBSD 7.0 for the purpose of using it as a personal NAS. I used multiple hard drives, configuring each with full-disk encryption. I'm sharing the steps I took for future reference and to help anyone who might want to try something similar.

  1. The Setup
  2. DISK 1 (sd0)
  3. DISK 2 (sd1)
  4. DISK 3 (sd2)
  5. Reboot
  6. Post Install: First Boot, First Error
  7. Post Install: Subsequent Successful Boots

1. The Setup

My installation included three hard drives: sd0 (1TB HDD), sd1 (8TB HDD), and sd2 (8TB HDD). My idea was to install OpenBSD on sd0, use sd1 as my NAS, and sd2 for backups. I wanted my partition table to look like the following:

Hard Disk   Mount                Size
(sd0)       /                    5.0G
(sd0)       swap                 8.5G
(sd0)       /home                931.5G
(sd0)       /tmp                 5.0G
(sd0)       /usr/X11R6           1.0G
(sd0)       /usr/local           20.0G
(sd0)       /usr/src             2.0G
(sd0)       /usr/obj             6.0G
(sd0)       /var                 20.0G
(sd1)       /var/www/NAS/data    8.0T
(sd2)       /storage             8.0T

Broadly, the steps for each disk are similar and as follows:

  1. use the installation media to drop into the shell prior to the installation
  2. check if OpenBSD recognizes the hard disks
  3. overwrite the entire disk with random data
  4. write a default Master Boot Record (MBR) boot code to the disk
  5. create an initial partition layout, allocating all available disk space
  6. create a new encrypted device over the disk
  7. create a new pseudo-device to access the encrypted disk
  8. clear the first megabyte of the pseudo-device so the installer can write MBR data there later

Once you have written the OpenBSD installation image to a USB stick and booted the machine from it, drop into the shell before running the installer and check whether OpenBSD recognizes the hard disks:
###
Welcome to the OpenBSD/amd64 7.0 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s
###
 .
 .
 .
# dmesg | grep "^[ws]d"
sd0 at scsibus1 targ 0 lun 0: <ATA, HUS722T1TALA600, RADE> naa.50014ee2bf33c9c8
sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
sd1 at scsibus1 targ 2 lun 0: <ATA, WDC WD8001FZBX-0, 01.0> naa.5000cca0bed3d1ef
sd1: 7630885MB, 512 bytes/sector, 15628053168 sectors
sd2 at scsibus1 targ 3 lun 0: <ATA, WDC WD8001FZBX-0, 01.0> naa.5000cca0bef4f2c4
sd2: 7630885MB, 512 bytes/sector, 15628053168 sectors

2. DISK 1 (sd0)

Make OpenBSD recognize sd0 by creating the device nodes for it with the /dev/MAKEDEV script:

# sh /dev/MAKEDEV sd0

Then overwrite the entire disk with random data, so that nobody inspecting the encrypted disk can tell which parts hold data and which are unused:

# dd if=/dev/urandom of=/dev/rsd0c bs=1m

Use the fdisk command to write a default Master Boot Record (MBR) boot code to the disk. If the command succeeds, it prints "Writing MBR at offset 0":

# fdisk -iy sd0

Now create a single-partition layout on sd0 with FS type RAID, allocating all of its available disk space:

# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
offset: [64]
size: [1953525168] *
FS type: [4.2BSD] RAID
sd0*> w
sd0> q

It's time to encrypt the device using bioctl. You will be asked to choose a passphrase, which you will need to decrypt the disk at every future boot:

# bioctl -c C -l sd0a softraid0
New passphrase: SD0_SECRETPASSPHRASE
Re-type passphrase: SD0_SECRETPASSPHRASE
sd3 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd3: 953869MB, 512 bytes/sector, 1953524576 sectors
softraid0: CRYPTO volume attached as sd3

Note that bioctl created a new "pseudo-device" called sd3 (sd1 and sd2 are already taken by your other hard disks). Create its device nodes by running the MAKEDEV script on it:

# sh /dev/MAKEDEV sd3

Now clear the first megabyte of sd3 so you can store MBR data later during the actual OpenBSD install:

# dd if=/dev/zero of=/dev/rsd3c bs=1m count=1

3. DISK 2 (sd1)

The steps below are very similar to the steps above. First make OpenBSD recognize sd1 by creating the device nodes for it with the /dev/MAKEDEV script:

# sh /dev/MAKEDEV sd1

Then overwrite the entire disk with random data, so that the used and unused parts of the encrypted disk cannot be told apart:

# dd if=/dev/urandom of=/dev/rsd1c bs=1m

Use the fdisk command to write a default Master Boot Record (MBR) boot code to the disk:

# fdisk -iy sd1

Now create a single-partition layout on sd1 with FS type RAID, allocating all of its available disk space:

# disklabel -E sd1
Label editor (enter '?' for help at any prompt)
sd1> a a
offset: [64]
size: [15628053168] *
FS type: [4.2BSD] RAID
sd1*> w
sd1> q

Build an encrypted device on the sd1a partition using bioctl. It will ask for a passphrase; you can reuse the one you chose for sd0 or pick an entirely new one:

# bioctl -c C -l sd1a softraid0
New passphrase: SD1_SECRETPASSPHRASE
Re-type passphrase: SD1_SECRETPASSPHRASE
sd4 at scsibus3 targ 2 lun 0: <OPENBSD, SR CRYPTO, 006>
sd4: 7630885MB, 512 bytes/sector, 15628052576 sectors
softraid0: CRYPTO volume attached as sd4

Note that bioctl created a new "pseudo-device" called sd4. Create its device nodes by running the MAKEDEV script on it:

# sh /dev/MAKEDEV sd4

Now clear the first megabyte of sd4 so you can store MBR data there later during the actual OpenBSD install:

# dd if=/dev/zero of=/dev/rsd4c bs=1m count=1

4. DISK 3 (sd2)

The steps below are very similar to the steps for sd0 and sd1 above. First make OpenBSD recognize sd2 by creating the device nodes for it with the /dev/MAKEDEV script:

# sh /dev/MAKEDEV sd2

Then overwrite the entire disk with random data, so that the used and unused parts of the encrypted disk cannot be told apart:

# dd if=/dev/urandom of=/dev/rsd2c bs=1m

Use the fdisk command to write a default Master Boot Record (MBR) boot code to the disk:

# fdisk -iy sd2

Now create a single-partition layout on sd2 with FS type RAID, allocating all of its available disk space:

# disklabel -E sd2
Label editor (enter '?' for help at any prompt)
sd2> a a
offset: [64]
size: [15628053168] *
FS type: [4.2BSD] RAID
sd2*> w
sd2> q

Build an encrypted device on the sd2a partition using bioctl. It will ask for a passphrase and, just like for the previous disk, you can reuse the one you chose for sd0 or pick an entirely new one:

# bioctl -c C -l sd2a softraid0
New passphrase: SD2_SECRETPASSPHRASE
Re-type passphrase: SD2_SECRETPASSPHRASE
sd5 at scsibus3 targ 3 lun 0: <OPENBSD, SR CRYPTO, 006>
sd5: 7630885MB, 512 bytes/sector, 15628052576 sectors
softraid0: CRYPTO volume attached as sd5

Note that bioctl created a new "pseudo-device" called sd5. Create its device nodes by running the MAKEDEV script on it:

# sh /dev/MAKEDEV sd5

Now clear the first megabyte of sd5 so you can store MBR data there later during the actual OpenBSD install:

# dd if=/dev/zero of=/dev/rsd5c bs=1m count=1
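The per-disk procedure above, which the post walks through by hand for sd0, sd1 and sd2, as one shell function. This is an added example, not a script from the post; it assumes the OpenBSD installer shell (MAKEDEV, fdisk, disklabel, bioctl, sysctl and dd present), and the names new_disk and prepare_disk are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the per-disk steps as one
# function. Assumes the OpenBSD installer shell (MAKEDEV, fdisk, disklabel,
# bioctl, sysctl, dd). Destructive: it overwrites every disk named on the
# command line.
set -e

# Print the disk named in $2 but not in $1, where both are hw.disknames
# values of the form "sd0:duid,sd1:duid,cd0:". Used to learn which sdN
# softraid attached: the "CRYPTO volume attached as sdN" line in the post
# is a kernel console message, which a script cannot rely on capturing.
new_disk() {
    printf '%s\n%s\n' "$1" "$2" | awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) { split($i, d, ":"); seen[d[1]] = 1 }; next }
        { for (i = 1; i <= NF; i++) { split($i, d, ":"); if (!(d[1] in seen)) print d[1] } }'
}

# prepare_disk sdX: wipe, write an MBR, one RAID partition spanning the disk,
# build a CRYPTO volume on it (bioctl prompts for the passphrase), then zero
# the first MiB of the new pseudo-device so the installer can write its MBR.
prepare_disk() {
    disk=$1
    sh /dev/MAKEDEV "$disk"
    # dd exits non-zero when it runs into the end of the device; that is the
    # expected way for a full wipe to finish.
    dd if=/dev/urandom of="/dev/r${disk}c" bs=1m || true
    fdisk -iy "$disk"
    # Same answers as the interactive session: add partition a, default
    # offset, all remaining space (*), FS type RAID, write, quit.
    printf 'a a\n\n*\nRAID\nw\nq\n' | disklabel -E "$disk"
    before=$(sysctl -n hw.disknames)
    bioctl -c C -l "${disk}a" softraid0
    vol=$(new_disk "$before" "$(sysctl -n hw.disknames)")
    if [ -z "$vol" ]; then
        echo "prepare_disk: no new softraid volume appeared for $disk" >&2
        return 1
    fi
    sh /dev/MAKEDEV "$vol"
    dd if=/dev/zero of="/dev/r${vol}c" bs=1m count=1
    echo "$disk -> CRYPTO volume $vol"
}

# Usage: sh prepare_disks.sh sd0 sd1 sd2
for disk in ${1+"$@"}; do
    prepare_disk "$disk"
done
```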

5. Reboot

Now reboot your machine. This time, proceed with the installation. When it asks which disk you want to install OpenBSD on, choose sd3, the first pseudo-device you created. Afterwards, make sure you select the option to create a custom partition layout:

###
Welcome to the OpenBSD/amd64 7.0 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? i
###
 .
 .
 .
Available disks are: sd0 sd1 sd2 sd3 sd4 sd5
Which disk is the root disk? (`?` for details [sd0] sd3
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]
Setting OpenBSD MBR partition to whole sd3...done.
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] c

This drops you into the disklabel program. Type 'z' to clear the automatically generated partition table, then type 'a' to create a new partition and follow the prompts. Once you're done creating partitions for the first device, sd3, the disklabel program will ask if you want to modify any other disks. Use this opportunity to run disklabel on sd4 and sd5, partitioning them and assigning the appropriate mount points.

6. Post Install: First Boot, First Error

On the very first boot, you will hit a filesystem check (fsck) error. This is expected. During the installation, OpenBSD wrote fstab entries for the filesystems on sd4 and sd5, but those pseudo-devices only exist once you attach the encrypted disks with bioctl, so at boot time fsck cannot find them. We need to edit /etc/fstab so that OpenBSD skips the filesystem check on those entries. In our example, to edit /etc/fstab, we mount sd0a (the root partition) and then /dev/sd3f (which contains /usr) so we can use the vi editor that is included in the base OpenBSD installation:

# export TERM=vt220
# mount /dev/sd0a /
# mount /dev/sd3f /usr
# vi /etc/fstab

Edit /etc/fstab so that the last field is 0 for the entries on the second and third hard disks (the /var/www/NAS/data and /storage lines below). A fsck pass number of 0 makes OpenBSD skip fsck for that filesystem on boot.

# cat /etc/fstab
86f91b23ad091ef7.b none swap sw
86f91b23ad091ef7.a / ffs rw 1 1
6d4f8b4c52811199.a /var/www/NAS/data ffs rw,nodev,nosuid 1 0
86f91b23ad091ef7.k /home ffs rw,nodev,nosuid 1 2
3b784d9a903d0f8c.a /storage ffs rw,nodev,nosuid 1 0
86f91b23ad091ef7.d /tmp ffs rw,nodev,nosuid 1 2
86f91b23ad091ef7.f /usr ffs rw,nodev 1 2
86f91b23ad091ef7.g /usr/X11R6 ffs rw,nodev 1 2
86f91b23ad091ef7.h /usr/local ffs rw,wxallowed,nodev 1 2
86f91b23ad091ef7.j /usr/obj ffs rw,nodev,nosuid 1 2
86f91b23ad091ef7.i /usr/src ffs rw,nodev,nosuid 1 2
86f91b23ad091ef7.e /var ffs rw,nodev,nosuid 1 2
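The fstab change above as a script, added here and not part of the post: given the DUIDs of the volumes that are only unlocked after boot, it sets their fsck pass number to 0 as the post does, and additionally adds the noauto mount option (my addition, so that mount -a at boot does not try to mount a volume that is not attached yet). The function name skip_at_boot and the sample fstab are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Reads fstab text on stdin and
# writes it back with the entries of the given DUIDs changed so the boot
# scripts leave them alone: fsck pass (field 6) set to 0 as in the post,
# plus "noauto" (my addition) so mount -a does not attempt them at boot.
# Usage: sh skip_at_boot.sh 6d4f8b4c52811199 3b784d9a903d0f8c < /etc/fstab > /etc/fstab.new
skip_at_boot() {
    awk -v duids="$*" '
        BEGIN { n = split(duids, d, " "); for (i = 1; i <= n; i++) skip[d[i]] = 1 }
        # comments and entries with fewer than 6 fields (e.g. swap) pass through
        /^#/ || NF < 6 { print; next }
        {
            split($1, dev, ".")           # "6d4f8b4c52811199.a" -> DUID, partition
            if (dev[1] in skip) {
                if ($4 !~ /(^|,)noauto(,|$)/) $4 = $4 ",noauto"
                $6 = 0
            }
            print
        }'
}

# Constructed sample following the layout above (not a real fstab): the two
# volumes on sd1 and sd2 still carry the installer's pass number of 2.
sample_fstab() {
    cat <<'EOF'
86f91b23ad091ef7.a / ffs rw 1 1
6d4f8b4c52811199.a /var/www/NAS/data ffs rw,nodev,nosuid 1 2
86f91b23ad091ef7.k /home ffs rw,nodev,nosuid 1 2
3b784d9a903d0f8c.a /storage ffs rw,nodev,nosuid 1 2
EOF
}

if [ $# -eq 0 ]; then
    sample_fstab | skip_at_boot 6d4f8b4c52811199 3b784d9a903d0f8c   # demo run
else
    skip_at_boot "$@"
fi
```

Because fstab refers to the volumes by DUID, once a volume has been attached with bioctl a plain "mount /var/www/NAS/data" (mount point only) picks up its entry regardless of which sdN the volume came up as, and noauto does not prevent that.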

7. Post Install: Subsequent Successful Boots

Going forward, you should be able to boot normally. However, once you log in, you will only have access to the disk that you installed OpenBSD on -- in this case, sd3. To mount the second and third hard disks, run the following commands after you have finished booting (note that in this example I am mounting /dev/sd4a to an area for my NAS, and /dev/sd5a to an area that will house backups):

# bioctl -c C -l /dev/sd1a softraid0
Password:
softraid0: CRYPTO volume attached as sd4
# mount /dev/sd4a /var/www/NAS/data

# bioctl -c C -l /dev/sd2a softraid0
Password:
softraid0: CRYPTO volume attached as sd5
# mount /dev/sd5a /backups

Congratulations. Now you are done.
December 28, 2021 dfdx