Update 2022-10-22: As of the 7.2 release, OpenBSD supports booting from an encrypted RAID 1. The procedure below therefore becomes obsolete.
The following procedure partitions two hard disks (sd1) into an unencrypted (sd3) and an encrypted RAID 1 (sd5) for OpenBSD, assuming that you're installing from a USB drive (sd0). It seems that booting from an encrypted RAID 1 is not supported as of OpenBSD 6.7, so the root partition needs to be unencrypted. This setup is basically a modified version of https://research.kudelskisecurity.com/2013/09/19/softraid-and-crypto-for-openbsd-5-3/
- After booting the installer, press S to enter the shell.
# cd /dev
- Create the sd devices:
# sh MAKEDEV sd0 sd1 sd2 sd3 sd4 sd5
- Check which device is your USB drive with the installer on it:
# disklabel sd0
[...]
# disklabel sd1
[...]
# disklabel sd2
[...]
Look for the line label:. In my case, sd2 is the USB device.
- Delete any previous data on the disks:
# dd if=/dev/zero of=/dev/rsd0c count=1 bs=1M
# dd if=/dev/zero of=/dev/rsd1c count=1 bs=1M
- If you made mistakes during partitioning earlier, reboot at this stage.
- Create GPT partition tables:
# fdisk -iy sd0
# fdisk -iy sd1
- Partition sd0, and repeat for sd1. Partition a is going to contain the unencrypted root, partition b the encrypted other partitions.
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
offset:
size: 4G
FS type: [4.2BSD] RAID
sd0*> a b
offset:
size:
FS type: [4.2BSD] RAID
sd0*> w
sd0> q
No label changes.
- Create both RAID 1 devices:
# bioctl -c 1 -l sd0a,sd1a softraid0
[...]
softraid0: RAID 1 volume attached as sd3
# bioctl -c 1 -l sd0b,sd1b softraid0
[...]
softraid0: RAID 1 volume attached as sd4
sd3 will be the unencrypted root, sd4 will contain another encrypted softraid0.
- Remove garbage from the RAID 1 partitions:
# dd if=/dev/zero of=/dev/rsd3c count=1 bs=1M
# dd if=/dev/zero of=/dev/rsd4c count=1 bs=1M
- Partition sd3 to be used as the root partition. Use all available space.
# disklabel -E sd3
Label editor (enter '?' for help at any prompt)
sd3> a a
offset:
size:
FS type: [4.2BSD]
sd3*> w
sd3> q
No label changes.
- Partition sd4 to be used for all other encrypted partitions. Use all available space.
# disklabel -E sd4
Label editor (enter '?' for help at any prompt)
sd4> a a
offset:
size:
FS type: [4.2BSD] RAID
sd4*> w
sd4> q
No label changes.
- Finally, let’s create the encrypted softraid:
# bioctl -c C -l sd4a softraid0
[...]
softraid0: CRYPTO volume attached as sd5
- Enter install to start the installer.
- When asked for the disk to install on, first select sd3 and use (W)hole disk. I split the space into a 2 GB root and 2 GB swap partition.
- Then partition sd5 and use (W)hole disk again. Add partitions as you like. I prefer a simplified layout:
a d    # 8 GB for /tmp
a e    # 20 GB for /var
a f    # 20 GB for /usr
a g    # remaining space, /home
w
q
- Complete the setup.
- The boot will fail, because the partitions cannot be decrypted. Open a shell by entering bioctl -c C -l /dev/sd3a softraid0 && exit. To help with decrypting during boot, you can create a file /sbin/decrypt with the following content:
#!/bin/sh
bioctl -c C -l /dev/sd3a softraid0
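
The dd and disklabel steps above hard-code sd numbers, while the label check shows that numbering differs between machines. The following added example (not part of the original post) reads the label: line before zeroing a disk and extracts the volume name from a bioctl message; the function names, the "USB Stick" match string and the sample disklabel text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample text below is constructed.

# Print the value of the "label:" line from disklabel output on stdin.
disk_label() {
    sed -n -e '/^label:/{' -e 's/^label:[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e p -e q -e '}'
}

# Print the device from a bioctl line "softraid0: ... volume attached as sdN".
attached_as() {
    sed -n 's/^softraid0: .* volume attached as \(sd[0-9][0-9]*\)$/\1/p'
}

# Decide whether a disk may be zeroed.
#   $1 disk name, $2 its disklabel output, $3 label text of the installer medium
# Prints the decision; returns 0 only when wiping is allowed (fails closed).
wipe_decision() {
    label=$(printf '%s\n' "$2" | disk_label)
    case $label in
        '')     echo "skip $1: no label line found"; return 1 ;;
        *"$3"*) echo "skip $1: installer medium ($label)"; return 1 ;;
    esac
    echo "wipe $1"
}

# Constructed disklabel excerpts (hypothetical model names).
HDD_LABEL='# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: EXAMPLE HDD 4TB
duid: 0000000000000000'
USB_LABEL='# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: EXAMPLE USB Stick
duid: 0000000000000000'

wipe_decision sd0 "$HDD_LABEL" "USB Stick"
wipe_decision sd2 "$USB_LABEL" "USB Stick" || true
echo 'softraid0: RAID 1 volume attached as sd3' | attached_as

# In the installer shell the same guard would wrap the page's dd step:
#   wipe_decision sd0 "$(disklabel sd0)" "USB Stick" &&
#       dd if=/dev/zero of=/dev/rsd0c count=1 bs=1M
```

An empty match string or a disk without a label: line results in "skip", so a mistake in the guard never leads to a wipe.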