The following procedure partitions two hard disks (sd0, sd1) into an unencrypted (sd3) and an encrypted RAID 1 (sd4 + sd5) for OpenBSD, assuming that you’re installing from a USB drive (sd0). It seems that booting from an encrypted RAID 1 is not supported as of OpenBSD 6.7, therefore the root partition needs to be unencrypted. This setup is basically a modified version of https://research.kudelskisecurity.com/2013/09/19/softraid-and-crypto-for-openbsd-5-3/
- After booting the installer, press S to enter the shell.
# cd /dev
- Create the sd devices:
# sh MAKEDEV sd0 sd1 sd2 sd3 sd4 sd5
- Check which device is your USB drive with the installer on it:
# disklabel sd0
[...]
# disklabel sd1
[...]
# disklabel sd2
[...]
Look for the label: line. In my case, sd2 is the USB device.
- Delete previous data on the disks, if any exists:
# dd if=/dev/zero of=/dev/rsd0c count=1 bs=1M
# dd if=/dev/zero of=/dev/rsd1c count=1 bs=1M
- If you made mistakes during partitioning earlier, reboot at this stage.
- Create GPT partition tables:
# fdisk -iy sd0
# fdisk -iy sd1
- Partition sd0, and repeat for sd1. Partition a is going to contain the unencrypted root, partition b the encrypted other partitions.
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
offset: [1024]
size: [976772081] 4G
FS type: [4.2BSD] RAID
sd0*> a b
offset: [8401995]
size: [968366070]
FS type: [4.2BSD] RAID
sd0*> w
sd0> q
No label changes.
- Create both RAID 1 devices:
# bioctl -c 1 -l sd0a,sd1a softraid0
[...]
softraid0: RAID 1 volume attached as sd3
# bioctl -c 1 -l sd0b,sd1b softraid0
[...]
softraid0: RAID 1 volume attached as sd4
sd3 will be the unencrypted root; sd4 will contain another, encrypted softraid volume.
- Remove garbage from the RAID 1 partitions:
# dd if=/dev/zero of=/dev/rsd3c count=1 bs=1M
# dd if=/dev/zero of=/dev/rsd4c count=1 bs=1M
- Partition sd3 to be used as the root partition. Use all available space.
# disklabel -E sd3
Label editor (enter '?' for help at any prompt)
sd3> a a
offset: [0]
size: [2102963]
FS type: [4.2BSD]
sd3*> w
sd3> q
No label changes.
- Partition sd4 to be used for all other encrypted partitions. Use all available space.
# disklabel -E sd4
Label editor (enter '?' for help at any prompt)
sd4> a a
offset: [0]
size: [974668062]
FS type: [4.2BSD] RAID
sd4*> w
sd4> q
No label changes.
- Finally, let’s create the encrypted softraid:
# bioctl -c C -l sd4a softraid0
[...]
softraid0: CRYPTO volume attached as sd5
- Run install to start the installer.
- When asked for the disk to install on, first select sd3 and use (W)hole disk. I split the space into a 2 GB root and 2 GB swap partition.
- Then partition sd5 and use (W)hole disk again. Add partitions as you like. I prefer a simplified layout:
a d # 8 GB for /tmp
a e # 20 GB for /var
a f # 20 GB for /usr
a g # remaining space, /home
w
q
- Complete the setup.
- The boot will fail, because the partitions cannot be decrypted. Open a shell by entering sh and run bioctl -c C -l /dev/sd3a softraid0 && exit. To help with decrypting during boot, you can create a file /sbin/decrypt with the following content:
#!/bin/sh
bioctl -c C -l /dev/sd3a softraid0
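
An added example, not part of the original post: a variant of the /sbin/decrypt helper that finds the chunk from disklabel output instead of hard-coding sd3a, since the sd numbering differs between the installer (USB drive attached) and a normal boot. It assumes softraid RAID 1 volumes report "label: SR RAID 1" in disklabel output; the function names and the DISKLABEL override are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: a softraid RAID 1 volume shows "label: SR RAID 1" in disklabel.
# The raw disks also carry RAID partitions but have a different label, and the
# root volume has the same label but a 4.2BSD partition a, so both are skipped.

DISKLABEL=${DISKLABEL:-disklabel}   # overridable so the logic can be tested offline

# label_of: print the value of the "label:" line from disklabel output on stdin
label_of() {
    sed -n 's/^label:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# has_raid_a: succeed if partition a in disklabel output on stdin has fstype RAID
has_raid_a() {
    awk '$1 == "a:" && $4 == "RAID" { found = 1 } END { exit !found }'
}

# find_crypto_chunk DEV...: print the first DEVa that is a RAID-typed partition
# on a softraid RAID 1 volume; return 1 if no device matches
find_crypto_chunk() {
    for dev in "$@"; do
        out=$("$DISKLABEL" "$dev" 2>/dev/null) || continue
        [ "$(printf '%s\n' "$out" | label_of)" = "SR RAID 1" ] || continue
        printf '%s\n' "$out" | has_raid_a || continue
        printf '%sa\n' "$dev"
        return 0
    done
    return 1
}

# attach_crypto: what /sbin/decrypt would run at the failed-boot shell
attach_crypto() {
    chunk=$(find_crypto_chunk sd0 sd1 sd2 sd3 sd4 sd5) || {
        echo "no softraid RAID 1 volume with a RAID partition found" >&2
        return 1
    }
    bioctl -c C -l "/dev/$chunk" softraid0
}
```

In /sbin/decrypt, the last line of the script would be a call to attach_crypto; bioctl then prompts for the passphrase as before.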