OpenBSD, Laptops, and You

Sarala Saraswati
Oct 30, 2019


Part 2 — Drive Encryption

IMPORTANT:

Following these instructions will irrevocably destroy all existing data on your computer’s internal storage device. Make backups if you care about this data!

These instructions have been tested on OpenBSD 6.6 but should work on recent prior and subsequent versions as well.

Be prepared to repeat this tutorial multiple times as it is entirely possible to make a simple mistake requiring you to restart the installation from scratch.

Within code blocks, all text in bold is intended to be entered by you. All non-bold text is what you should expect to see if everything is going according to plan.

This guide assumes your internal storage device is represented as sd0 within the OpenBSD system. In section 1.1 we cover how to determine the correct device node for your system but this warning bears repeating!

1.0 Configuring Full-Disk Encryption

Now that we’ve created a bootable flash drive containing the installation media and booted our system we are greeted with the following:

Welcome to the OpenBSD/amd64 6.6 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?

Since we’re planning to do fancy encryption things we can’t just jump right in and start installing, however. First, we’ll need to drop into a shell and take care of some pre-installation configuration.

At this point, let me be the first to welcome you to the world of OpenBSD where change happens slowly. This is both good and bad, of course. The upside is that since the OpenBSD way changes very slowly over the years you’ll build up a huge store of useful knowledge if you stick with it. The downside is that you have to be a little more thoughtful in your choices about what hardware to purchase as the new shiny will probably be the reliable, utilitarian workhorse by the time OpenBSD gets around to supporting it.

1.1 Enabling Full-Disk Encryption

So, what next? Well, back at our console display we’ll drop into a shell like so:

Welcome to the OpenBSD/amd64 X.X installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s

At this point, if you want to see all the storage devices attached to your system you can run the following command:

dmesg | grep "^[ws]d"

You might know this already, but the dmesg command prints the list of all the messages the kernel has produced since booting, most of which have been produced by device drivers. Here we’re passing these messages through the grep command which allows us to search text data for lines matching a regular expression.

Next we’ll create a device node that will allow us to talk to the system’s internal storage. My internal storage device is listed as sd0 so I’ll use this value in the following examples. You should change this to whichever device node the dmesg command mentioned above indicates is a match with the characteristics of your internal storage.

What we’re doing here is creating a label in the filesystem that will allow us to interact with the device from the shell. Since device nodes live in the /dev folder we’ll change to that directory and run the MAKEDEV command to create the sd0 device node:

cd /dev && sh MAKEDEV sd0

1.2 (Optional) Cleaning up After Previous Installs

If you’re like me and sometimes make mistakes during convoluted technical processes like this one you’ll want to wipe your internal storage and overwrite any existing encrypted softraid partitions before you proceed. To check for any existing partitions you need to wipe before proceeding you can use the disklabel command:

disklabel -E sd0
sd0> p

What you should see after executing this command is a single 'c:' unused partition taking up the entire disk like so:

OpenBSD area: 64-488392065; size: 488392001; free: 488392001
# size offset fstype [fsize bsize cpg]
c: 488397168 0 unused

If you see any additional partitions like 'a:', 'b:', 'd:', etc. you need to delete them. We don’t, however, need to delete the 'c:' partition as it represents the whole disk.

If you see any unwanted partitions you can delete them one-by-one by repeating the process below which deletes the 'a:' partition.

OpenBSD area: 64-488392065; size: 488392001; free: 0
# size offset fstype [fsize bsize cpg]
a: 488392001 64 RAID
c: 488397168 0 unused
sd0> d a
sd0*> w
sd0> q

You’ll then need to overwrite the first few megabytes of unused space to ensure no remnants of old encrypted softraid partitions are left to be found, which can trip up the installation process later on. You’ll notice this has happened if you get asked for the passphrase of the old encrypted softraid device later on in this walkthrough. That we might encounter such an issue is a clear indication we’re working pretty close to the device level here relative to most operating systems.

dd if=/dev/zero of=/dev/rsd0c bs=1m count=1

1.3 (optional) Overwrite existing data

If you’d like to ensure any existing data on the storage device is maximally unrecoverable in the future you can overwrite the disk with randomly generated data.

NOTE: Depending on the size and speed of your internal storage this can take tens of minutes to hours, or even days. If you plan to wipe a multi-terabyte spinny disk you should set the process going before you go to bed for the night or leave for a long weekend getaway. For a relatively small (256GB or so) fast SSD or NVMe drive the process should take around 30 minutes.

dd if=/dev/urandom of=/dev/rsd0c bs=1m

1.4 Initialize the disk

In this example we’ll initialize the disk with an MBR partition since it works on older hardware and we’re running a dedicated OpenBSD system.

fdisk -iy sd0

Next we’ll create a single softraid partition utilizing the entire device excepting the first 64 blocks which contain the newly created Master Boot Record:

disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
offset: [64] 64
size: [39825135] *
FS type: [4.2BSD] RAID
sd0> w
sd0> q
No label changes.

We chose RAID as the file system type since disk encryption is handled by OpenBSD’s software RAID device. Next, we’ll initialize this softraid device as encrypted storage using the bioctl command:

bioctl -c C -l sd0a softraid0
New passphrase: ch0ose_A_good_p@ssword!
Re-type passphrase: ch0ose_A_good_p@ssword!
sd2 at scsi2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 005> SCSI2 0/direct
sd2: 19445MB, 512 bytes/sector, 39824607 sectors
softraid0: CRYPTO volume attached as sd2

In the example above the encrypted device was assigned the device node sd2.

Be sure to pay careful attention to the output on your screen as it might be different and you’ll need to use the correct value later in this walkthrough!

Next, we’ll create a device node for our new encrypted device:

cd /dev && sh MAKEDEV sd2

At this point, we’re almost ready to begin the install. The last step overwrites the first megabyte of the new softraid device to ensure whatever randomness is there doesn’t happen to look like meaningful, if corrupt, partition data to the OpenBSD system. This is super unlikely but possible so better safe than sorry.

dd if=/dev/zero of=/dev/rsd2c bs=1m count=1
exit
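As an added example (not part of the original post), the following POSIX sh helpers check two things the steps above depend on: that no leftover partitions remain in the disklabel before the softraid partition is added, and which device node bioctl attached the CRYPTO volume as. They run on constructed copies of the output shown in this walkthrough so they can be tried anywhere; in the install shell you would feed them the real `disklabel sd0` and bioctl output instead.

```shell
#!/bin/sh
# Added example, not from the original post: helpers that check two
# things the pre-install steps rely on, run here on constructed copies
# of the disklabel and bioctl output shown in the walkthrough.

# Constructed sample: a disklabel that still carries an old RAID partition.
SAMPLE_LABEL='OpenBSD area: 64-488392065; size: 488392001; free: 0
#                size           offset  fstype [fsize bsize   cpg]
  a:        488392001               64    RAID
  c:        488397168                0  unused'

# Constructed sample: what bioctl prints once the CRYPTO volume attaches.
SAMPLE_BIOCTL='sd2 at scsi2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 005> SCSI2 0/direct
sd2: 19445MB, 512 bytes/sector, 39824607 sectors
softraid0: CRYPTO volume attached as sd2'

# List the partition letters (other than c, the whole-disk entry) that
# must be deleted in disklabel -E before the softraid partition is added.
stale_partitions() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[a-p]:/ {
            sub(":", "", $1)
            if ($1 != "c") out = (out == "") ? $1 : out " " $1
        }
        END { print out }'
}

# Pull out the device node bioctl assigned to the encrypted volume; this
# is the name to hand to MAKEDEV and to pick as the install target.
crypto_device() {
    printf '%s\n' "$1" |
        sed -n 's/^softraid[0-9]*: CRYPTO volume attached as \([a-z][a-z]*[0-9][0-9]*\)$/\1/p'
}

# Refuse the raw disk (sd0) or an empty name as the install target, so a
# misread of the bioctl output cannot send the install onto the bare disk.
is_safe_target() {
    case "$1" in
        ""|sd0)   return 1 ;;
        sd[0-9]*) return 0 ;;
        *)        return 1 ;;
    esac
}

stale_partitions "$SAMPLE_LABEL"   # prints: a
crypto_device "$SAMPLE_BIOCTL"     # prints: sd2
```

If stale_partitions prints anything, repeat the `d <letter>` / `w` / `q` sequence from section 1.2 for each letter before running the section 1.4 steps.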

And with that we’re done! Once we type the exit command and hit enter we’re presented with the same console display we encountered at the beginning of this section.

Welcome to the OpenBSD/amd64 X.X installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?

In the next section, we’ll continue our walkthrough and install OpenBSD.

See you there!


Sarala Saraswati

Sarala Saraswati is the pen name of a writer, technologist, and avid student of esoteric hermeneutics living in Reykjavik, Iceland.