Monthly Archives: August 2020

Install OpenBSD on (mostly) encrypted RAID1 from USB

Posted on by
Update 2022-10-22: As of the 7.2 release, OpenBSD supports booting from an encrypted RAID 1. The procedure below therefore becomes obsolete. The following procedure partitions two hard disks (sd0, sd1) in an unencrypted (sd3) and encrypted RAID 1 (sd4 + sd5) for OpenBSD, assuming that you’re installing from a USB drive (sd0). It seems that booting from an encrypted RAID 1 is not supported as of OpenBSD 6.7, therefore the root partition needs to be unencrypted. This setup is basically a modified version of https://research.kudelskisecurity.com/2013/09/19/softraid-and-crypto-for-openbsd-5-3/
    1. After booting the installer, press S to enter the shell.
    2. # cd /dev
    3. Create the sd devices: 
      # sh MAKEDEV sd0 sd1 sd2 sd3 sd4 sd5
    4. Check which device is your USB drive with the installer on it: 
      # disklabel sd0
[...]
# disklabel sd1
[...]
# disklabel sd2
[...]
      Look for the line label:. In my case, sd2 is the USB device.
    5. Delete previous data on disks, if exists: 
      # dd if=/dev/zero of=/dev/rsd0c count=1 bs=1M
# dd if=/dev/zero of=/dev/rsd1c count=1 bs=1M
    6. If you made mistakes during partitioning earlier, reboot at this stage.
    7. Create GPT partition tables: 
      # fdisk -iy sd0
# fdisk -iy sd1
    8. Partition sd0, and repeat for sd1. Partition a is going to contain the unencrypted root, partition b the encrypted other partitions. 
      # disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
offset: [1024]
size: [976772081] 4G
FS type: [4.2BSD] RAID
sd0*>a b
offset: [8401995]
size: [968366070]
FS type: [4.2BSD] RAID
sd0*> w
sd0> q
No label Changes.
    9. Create both RAID 1 devices: 
      # bioctl -c 1 -l sd0a,sd1a softraid0
[...]
sofraid0: RAID 1 volume attached as sd3
# bioctl -c 1 -l sd0b,sd1b softraid0
[...]
sofraid0: RAID 1 volume attached as sd4
      sd3 will be the unencrypted root, sd4 will contain another encrypted softraid0.
    10. Remove garbage from the RAID 1 partitions: 
      # dd if=/dev/zero of=/dev/rsd3c count=1 bs=1M
# dd if=/dev/zero of=/dev/rsd4c count=1 bs=1M
    11. Partition sd3 to be used as the root partition. Use all available space. 
      # disklabel -E sd3
Label editor (enter '?' for help at any prompt)
sd3> a a
offset: [0]
size: [2102963] 
FS type: [4.2BSD]
sd3*> w
sd3> q
No label changes.
    12. Partition sd4 to be used for all other encrypted partitions. Use all available space. 
      # disklabel -E sd4
Label editor (enter '?' for help at any prompt)
sd4> a a
offset: [0]
size: [974668062] 
FS type: [4.2BSD] RAID
sd4*> w
sd4> q
No label changes.
    13. Finally, let’s create the encrypted softraid: 
      # bioctl -c C -l sd4a softraid0
[...]
sofraid0: CRYPTO volume attached as sd5
    14. Run install to start the installer.
    15. When asked for the disk to install on, first select sd3 and use (W)hole disk. I split the space into a 2 GB root and 2 GB swap partition.
    16. Then partition sd5 and use (W)hole disk again. Add partitions as you like. I prefer a simplified layout: 
      a d   #8 GB for /tmp
a e   #20GB for /var
a f   #20GB for /usr
a g   #remaining space, /home
w
q
    17. Complete setup
    18. The boot will fail, because the partitions cannot be decrypted. Open a shell by entering sh and run bioctl -c C -l /dev/sd3a softraid0 && exit. To help decrypting during boot, you can create a file /sbin/decrypt with the following content: 
      #!/bin/sh
bioctl -c C -l /dev/sd3a softraid0