Update 2022-10-22: As of the 7.2 release, OpenBSD supports booting from an encrypted RAID 1. The procedure below therefore becomes obsolete.
The following procedure partitions two hard disks (sd0, sd1) into an unencrypted RAID 1 (sd3) and an encrypted RAID 1 (sd4 + sd5) for OpenBSD, assuming that you're installing from a USB drive (sd2). Booting from an encrypted RAID 1 is not supported as of OpenBSD 6.7, therefore the root partition has to stay unencrypted. This setup is basically a modified version of https://research.kudelskisecurity.com/2013/09/19/softraid-and-crypto-for-openbsd-5-3/
- After booting the installer, press S to enter the shell, then change to the device directory:
# cd /dev
- Create the sd devices:
# sh MAKEDEV sd0 sd1 sd2 sd3 sd4 sd5
- Check which device is your USB drive with the installer on it:
# disklabel sd0
[...]
# disklabel sd1
[...]
# disklabel sd2
[...]
Look at the "label:" line of each disk, which shows the drive model. In my case, sd2 is the USB device; sd0 and sd1 are the hard disks partitioned below. Double-check this before the next step, because the dd commands are destructive.
- Delete previous partition data on the disks, if any. This only zeroes the first megabyte (old MBR and disklabel), not the rest of the disk:
# dd if=/dev/zero of=/dev/rsd0c count=1 bs=1M
# dd if=/dev/zero of=/dev/rsd1c count=1 bs=1M
- If you made mistakes while partitioning in an earlier attempt, reboot at this stage before continuing, so that the kernel picks up the wiped labels.
- Create the partition tables. fdisk -iy writes an MBR with a single OpenBSD partition spanning the whole disk; add -g (fdisk -iy -g) if you want a GPT instead:
# fdisk -iy sd0
# fdisk -iy sd1
- Partition sd0, and repeat the same for sd1. Partition a is going to hold the unencrypted root RAID, partition b the RAID on which the encrypted volume is built. Both get FS type RAID; the sizes shown are for a 500 GB disk, and pressing Enter accepts the default offset:
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
offset: [1024]
size: [976772081] 4G
FS type: [4.2BSD] RAID
sd0*> a b
offset: [8401995]
size: [968366070]
FS type: [4.2BSD] RAID
sd0*> w
sd0> q
No label changes.
- Create both RAID 1 devices. Note the device names the kernel reports; they are used in the following steps:
# bioctl -c 1 -l sd0a,sd1a softraid0
[...]
softraid0: RAID 1 volume attached as sd3
# bioctl -c 1 -l sd0b,sd1b softraid0
[...]
softraid0: RAID 1 volume attached as sd4
sd3 will be the unencrypted root, sd4 will contain another, encrypted softraid volume.
- Remove garbage from the start of the two RAID 1 volumes (again, only the first megabyte):
# dd if=/dev/zero of=/dev/rsd3c count=1 bs=1M
# dd if=/dev/zero of=/dev/rsd4c count=1 bs=1M
- Partition sd3 to be used as the root disk. Use all available space for a single 4.2BSD partition:
# disklabel -E sd3
Label editor (enter '?' for help at any prompt)
sd3> a a
offset: [0]
size: [2102963]
FS type: [4.2BSD]
sd3*> w
sd3> q
No label changes.
- Partition sd4 as the container for the encrypted partitions. Use all available space for a single RAID partition:
# disklabel -E sd4
Label editor (enter '?' for help at any prompt)
sd4> a a
offset: [0]
size: [974668062]
FS type: [4.2BSD] RAID
sd4*> w
sd4> q
No label changes.
- Finally, create the encrypted softraid on top of sd4a. bioctl prompts for a passphrase here; the same passphrase is needed at every boot to attach the volume:
# bioctl -c C -l sd4a softraid0
[...]
softraid0: CRYPTO volume attached as sd5
- Run install to start the installer.
- When asked for the disk to install on, first select sd3 and use (W)hole disk. I split the 4 GB into a 2 GB root and a 2 GB swap partition.
- Then partition sd5 and use (W)hole disk again. Add partitions as you like; I prefer a simplified layout:
a d #8 GB for /tmp
a e #20GB for /var
a f #20GB for /usr
a g #remaining space, /home
w
q
- Complete the installation and reboot.
- The boot will fail and drop into single-user mode, because the encrypted partitions cannot be mounted before the crypto volume is attached. Open a shell by entering sh and run bioctl -c C -l /dev/sd3a softraid0 && exit. Mind the device name: with the USB installer removed, the disks are renumbered, so the RAID 1 volume that carries the crypto volume is now sd3 instead of sd4; check dmesg if in doubt. To make decrypting during boot easier, you can create a file /sbin/decrypt with the following content, make it executable with chmod +x /sbin/decrypt, and run decrypt && exit at the single-user prompt:
#!/bin/sh
# Attach the encrypted softraid volume on the second RAID 1 (sd3 once the
# installer medium is gone). bioctl asks for the passphrase on the console.
bioctl -c C -l /dev/sd3a softraid0
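The pre-install steps above (wipe, fdisk, disklabel, the two RAID 1 volumes and the crypto volume) as one script for the installer shell. This is an added example, not part of the original post or of OpenBSD; the disk names via DISK1, DISK2 and USB, the root size via ROOT_SIZE, the non-interactive use of disklabel -E through a pipe, and reading the volume names back from dmesg (the "volume attached as" line is a kernel message, not bioctl output) are assumptions of this script. It refuses to run if the installer device is among the targets, and does nothing destructive unless started with --run.

```sh
#!/bin/sh
# Added example (not from the original post): the pre-install steps as one
# script for the OpenBSD installer shell. Assumptions: target disks and the
# installer USB device come from DISK1/DISK2/USB (defaults sd0, sd1, sd2 as in
# the text), the layout follows the disklabel sessions above, volume names are
# read back from dmesg instead of being hard-coded, and disklabel -E is driven
# through a pipe. Nothing destructive runs unless invoked as:
#   sh setup-raid.sh --run
set -eu

DISK1=${DISK1:-sd0}
DISK2=${DISK2:-sd1}
USB=${USB:-sd2}              # installer medium, must never be a target
ROOT_SIZE=${ROOT_SIZE:-4G}   # size of the unencrypted root RAID (partition a)

# targets_ok USB DISK...: fail if the installer device is among the targets
# or if the same disk is listed twice.
targets_ok() {
    usb=$1; shift
    seen=" "
    for d in "$@"; do
        [ "$d" = "$usb" ] && return 1
        case "$seen" in *" $d "*) return 1 ;; esac
        seen="$seen$d "
    done
    return 0
}

# attached_dev DMESG_TEXT TYPE: print the device (sdN) from the most recent
# "softraid0: <TYPE> volume attached as sdN" line; TYPE is "RAID 1" or
# "CRYPTO". Fails when no such line exists, so a failed bioctl is not masked.
attached_dev() {
    printf '%s\n' "$1" | awk -v t="$2" '
        $0 ~ ("^softraid0: " t " volume attached as ") { dev = $NF }
        END { if (dev == "") exit 1; print dev }'
}

# label_script ROOT_SIZE: input for "disklabel -E" creating partition a of
# ROOT_SIZE and partition b with the remaining space, both of FS type RAID.
# Empty lines accept the offered default offset/size, as in the session above.
label_script() {
    printf 'a a\n\n%s\nRAID\na b\n\n\nRAID\nw\nq\n' "$1"
}

run_setup() {
    targets_ok "$USB" "$DISK1" "$DISK2" || {
        echo "refusing: $USB is the installer medium or a disk is listed twice" >&2
        exit 1
    }
    (cd /dev && sh MAKEDEV sd0 sd1 sd2 sd3 sd4 sd5)
    for d in "$DISK1" "$DISK2"; do
        dd if=/dev/zero of="/dev/r${d}c" count=1 bs=1M   # wipe old MBR/label
        fdisk -iy "$d"                                   # MBR; add -g for GPT
        label_script "$ROOT_SIZE" | disklabel -E "$d"
    done
    bioctl -c 1 -l "${DISK1}a,${DISK2}a" softraid0
    root=$(attached_dev "$(dmesg)" "RAID 1")
    bioctl -c 1 -l "${DISK1}b,${DISK2}b" softraid0
    outer=$(attached_dev "$(dmesg)" "RAID 1")
    dd if=/dev/zero of="/dev/r${root}c" count=1 bs=1M
    dd if=/dev/zero of="/dev/r${outer}c" count=1 bs=1M
    printf 'a a\n\n\n\nw\nq\n' | disklabel -E "$root"       # one 4.2BSD partition
    printf 'a a\n\n\nRAID\nw\nq\n' | disklabel -E "$outer"  # one RAID partition
    bioctl -c C -l "${outer}a" softraid0                     # asks for the passphrase
    crypto=$(attached_dev "$(dmesg)" CRYPTO)
    echo "unencrypted root volume: $root, encrypted volume: $crypto; now run: install"
}

case "${1:-}" in
    --run) run_setup ;;
esac
```

Run it from the installer shell as `USB=sd2 sh setup-raid.sh --run` after confirming the disk names with disklabel; it prints which softraid devices to pick in the installer, and you continue with install as described above.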