If you have an OpenBSD running on (mostly) encrypted RAID1 partitions like I described in https://sven-seeberg.de/wp/?p=1018, the unattended system upgrade triggered by sysupgrade will fail after rebooting into install mode. Without interaction, the system is stuck in a reboot loop. To continue with the upgrade process, follow these instructions:

1. When the error message appears that the system cannot continue, hit Control + C to prevent the system from rebooting. You should now have a shell.
2. Decrypt the softraid: bioctl -c C -l /dev/sd3a softraid0
3. Hit Control + D or type exit

The unattended upgrade should continue normally without any further interaction.

The following procedure partitions two hard disks (sd0, sd1) in an unencrypted (sd3) and encrypted RAID 1 (sd4 + sd5) for OpenBSD, assuming that you’re installing from a USB drive (sd0). It seems that booting from an encrypted RAID 1 is not supported as of OpenBSD 6.7, therefore the root partition needs to be unencrypted. This setup is basically a modified version of https://research.kudelskisecurity.com/2013/09/19/softraid-and-crypto-for-openbsd-5-3/

1. 1. After booting the installer, press S to enter the shell.

   2. # cd /dev

   3. Create the sd devices:

      # sh MAKEDEV sd0 sd1 sd2 sd3 sd4 sd5

   4. Check which device is your USB drive with the installer on it:

      # disklabel sd0
      [...]
      # disklabel sd1
      [...]
      # disklabel sd2
      [...]
      

      Look for the line label:. In my case, sd2 is the USB device.

   5. Delete previous data on disks, if exists:

      # dd if=/dev/zero of=/dev/rsd0c count=1 bs=1M
      # dd if=/dev/zero of=/dev/rsd1c count=1 bs=1M

   6. If you made mistakes during partitioning earlier, reboot at this stage.
   7. Create GPT partition tables:

      # fdisk -iy sd0
      # fdisk -iy sd1

   8. Partition sd0, and repeat for sd1. Partition a is going to contain the unencrypted root, partition b the encrypted other partitions.

      # disklabel -E sd0
      Label editor (enter '?' for help at any prompt)
      sd0> a a
      offset: [1024]
      size: [976772081] 4G
      FS type: [4.2BSD] RAID
      sd0*>a b
      offset: [8401995]
      size: [968366070]
      FS type: [4.2BSD] RAID
      sd0*> w
      sd0> q
      No label Changes.

   9. Create both RAID 1 devices:

      # bioctl -c 1 -l sd0a,sd1a softraid0
      [...]
      sofraid0: RAID 1 volume attached as sd3
      # bioctl -c 1 -l sd0b,sd1b softraid0
      [...]
      sofraid0: RAID 1 volume attached as sd4
      

      sd3 will be the unencrypted root, sd4 will contain another encrypted softraid0.

   10. Remove garbage from the RAID 1 partitions:

       # dd if=/dev/zero of=/dev/rsd3c count=1 bs=1M
       # dd if=/dev/zero of=/dev/rsd4c count=1 bs=1M

   11. Partition sd3 to be used as the root partition. Use all available space.

       # disklabel -E sd3
       Label editor (enter '?' for help at any prompt)
       sd3> a a
       offset: [0]
       size: [2102963] 
       FS type: [4.2BSD]
       sd3*> w
       sd3> q
       No label changes.

   12. Partition sd4 to be used for all other encrypted partitions. Use all available space.

       # disklabel -E sd4
       Label editor (enter '?' for help at any prompt)
       sd4> a a
       offset: [0]
       size: [974668062] 
       FS type: [4.2BSD] RAID
       sd4*> w
       sd4> q
       No label changes.

   13. Finally, let’s create the encrypted softraid:

       # bioctl -c C -l sd4a softraid0
       [...]
       sofraid0: CRYPTO volume attached as sd5
       

   14. Run install to start the installer.
   15. When asked for the disk to install on, first select sd3 and use (W)hole disk. I split the space into a 2 GB root and 2 GB swap partition.
   16. Then partition sd5 and use (W)hole disk again. Add partitions as you like. I prefer a simplified layout:

       a d   #8 GB for /tmp
       a e   #20GB for /var
       a f   #20GB for /usr
       a g   #remaining space, /home
       w
       q

   17. Complete setup
   18. The boot will fail, because the partitions cannot be decrypted. Open a shell by entering sh and run bioctl -c C -l /dev/sd3a softraid0 && exit. To help decrypting during boot, you can create a file /sbin/decrypt with the following content:

       #!/bin/sh
       bioctl -c C -l /dev/sd3a softraid0

I really like the approach of Passbolt to manage passwords with PGP. Passbolt also has a decent API that enables some scripting, and some basic Python packages already exist.

That made me wonder if I could use Passbolt as a password safe for Saltstack. After some research, I came up with a pretty simple Python script that renders Pillars from Passbolt groups. After installing https://github.com/netzbegruenung/passbolt-salt, you need to add the following lines to a Pillar SLS file:

#!py
def run():
    from salt_passbolt import fetch_passbolt_passwords
    # The following UUID is the UUID of a Passbolt group
    return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c") 

With that, you can access passwords in states with Jinja:

{{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}

I have to admit that addressing groups and passwords with UUIDs is not the most convenient way, but it definitely works.

Please note that the passwords are accessible to all servers that use this Pillar. Therefore create different Passbolt groups for your different servers.

For redundancy I am keeping the same PGP private key on multiple OpenPGP smart cards. Sadly, GnuPG does not provide a way to manage multiple smart cards for the same private key stub. Therefore, the management for the smart cards must be done manually. (This text does not cover creating multiple smart cards with the same device. Outline: I’m running the keytocard command multiple times on different smart cards.)

After importing the smart card on a device, the private key stubs are kept int the directory

~/.gnupg/private-keys-v1.d

To see which file belongs to which private (sub-)key, run

gpg --with-keygrip -K

Then move the files belonging to the smart card to backup locations, for example

cd ~/.gnupg/private-keys-v1.d 
mv AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key.card1

Repeat this for all private keys stored on your smart card.

After that, unplug the first smart card and plug in the second smart card. Run

gpg --edit-card
fetch

Then run gpg –with-keygrip -K again and copy the newly created stub files files to new locations:

cd ~/.gnupg/private-keys-v1.d 
mv AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.key.card2

Now you can copy the .card1 or card2 files over the original key file and by that switch the smart card. You can write a short bash script that automatically copies the correct key file. Example:

#!/bin/bash
touch ~/.gnupg/sc-toggle-status
SC=$(cat ~/.gnupg/sc-toggle-status)
if [ "$SC" == "card1" ]; then
  echo "card2" > .gnupg/sc-toggle-status
  find ~/.gnupg/private-keys-v1.d -name "*.card2" | while read f; do cp "$f" "${f%.card2}"; done
  echo "Switching to SmartCard 2"
else
  echo "card1" > .gnupg/sc-toggle-status
  find ~/.gnupg/private-keys-v1.d -name "*.card1" | while read f; do cp "$f" "${f%.card1}"; done
  echo "Switching to SmartCard 1"
fi

Def. emergence: A wild property appeared.

 

Gott sprach: Macht euch die Shell untertan!
Und er sah, dass es gut war.

 

Ein Foto pro Tag seit dem 27.6. Ich werde die Animation die nächsten Tage weiter verlängern/aktualisieren. Aufgenommen mit 1000D durch ein geliehenes 440mm Walimex, ganz dezent mit Gimp geschärft, mit Giotto zentriert und mit ImageMagic animiert.

 

Diese Bild veröffentliche ich mit folgender Lizenz:
Creative Commons BY-NC 3.0