{"id":1018,"date":"2020-08-15T16:41:40","date_gmt":"2020-08-15T14:41:40","guid":{"rendered":"https:\/\/sven-seeberg.de\/wp\/?p=1018"},"modified":"2022-10-22T10:20:46","modified_gmt":"2022-10-22T08:20:46","slug":"install-openbsd-on-mostly-encrypted-raid1-from-usb","status":"publish","type":"post","link":"https:\/\/sven-seeberg.de\/wp\/?p=1018","title":{"rendered":"Install OpenBSD on (mostly) encrypted RAID1 from USB"},"content":{"rendered":"Update 2022-10-22<\/strong>: As of the 7.2 release, OpenBSD supports booting from an encrypted RAID 1. The procedure below therefore becomes obsolete.\r\n\r\nThe following procedure partitions two hard disks (sd0<\/code>, sd1<\/code>) in an unencrypted (sd3<\/code>) and encrypted RAID 1 (sd4<\/code> + sd5<\/code>) for OpenBSD, assuming that you’re installing from a USB drive (sd0<\/code>). It seems that booting from an encrypted RAID 1 is not supported as of OpenBSD 6.7, therefore the root partition needs to be unencrypted. This setup is basically a modified version of https:\/\/research.kudelskisecurity.com\/2013\/09\/19\/softraid-and-crypto-for-openbsd-5-3\/<\/a>\r\n
    \r\n \t
  1. \r\n
      \r\n \t
    1. After booting the installer, press S to enter the shell.<\/li>\r\n \t
    2. \r\n
      # cd \/dev<\/pre>\r\n<\/li>\r\n \t
    3. Create the sd devices:\r\n
      # sh MAKEDEV sd0 sd1 sd2 sd3 sd4 sd5<\/pre>\r\n<\/li>\r\n \t
    4. Check which device is your USB drive with the installer on it:\r\n
      # disklabel sd0\r\n[...]\r\n# disklabel sd1\r\n[...]\r\n# disklabel sd2\r\n[...]<\/pre>\r\nLook for the line label:<\/code>. In my case, sd2<\/code> is the USB device.<\/li>\r\n \t
    5. Delete previous data on disks, if exists:\r\n
      # dd if=\/dev\/zero of=\/dev\/rsd0c count=1 bs=1M\r\n# dd if=\/dev\/zero of=\/dev\/rsd1c count=1 bs=1M<\/pre>\r\n<\/li>\r\n \t
    6. If you made mistakes during partitioning earlier, reboot at this stage.<\/li>\r\n \t
    7. Create GPT partition tables:\r\n
      # fdisk -iy sd0\r\n# fdisk -iy sd1<\/pre>\r\n<\/li>\r\n \t
    8. Partition sd0<\/code>, and repeat for sd1<\/code>. Partition a<\/code> is going to contain the unencrypted root, partition b<\/code> the encrypted other partitions.\r\n
      # disklabel -E sd0\r\nLabel editor (enter '?' for help at any prompt)\r\nsd0> a a\r\noffset: [1024]\r\nsize: [976772081] 4G\r\nFS type: [4.2BSD] RAID\r\nsd0*>a b\r\noffset: [8401995]\r\nsize: [968366070]\r\nFS type: [4.2BSD] RAID\r\nsd0*> w\r\nsd0> q\r\nNo label Changes.<\/pre>\r\n<\/li>\r\n \t
    9. Create both RAID 1 devices:\r\n
      # bioctl -c 1 -l sd0a,sd1a softraid0\r\n[...]\r\nsofraid0: RAID 1 volume attached as sd3\r\n# bioctl -c 1 -l sd0b,sd1b softraid0\r\n[...]\r\nsofraid0: RAID 1 volume attached as sd4<\/pre>\r\nsd3<\/code> will be the unencrypted root, sd4<\/code> will contain another encrypted softraid0.<\/li>\r\n \t
    10. Remove garbage from the RAID 1 partitions:\r\n
      # dd if=\/dev\/zero of=\/dev\/rsd3c count=1 bs=1M\r\n# dd if=\/dev\/zero of=\/dev\/rsd4c count=1 bs=1M<\/pre>\r\n<\/li>\r\n \t
    11. Partition sd3<\/code> to be used as the root partition. Use all available space.\r\n
      # disklabel -E sd3\r\nLabel editor (enter '?' for help at any prompt)\r\nsd3> a a\r\noffset: [0]\r\nsize: [2102963] \r\nFS type: [4.2BSD]\r\nsd3*> w\r\nsd3> q\r\nNo label changes.<\/pre>\r\n<\/li>\r\n \t
    12. Partition sd4<\/code> to be used for all other encrypted partitions. Use all available space.\r\n
      # disklabel -E sd4\r\nLabel editor (enter '?' for help at any prompt)\r\nsd4> a a\r\noffset: [0]\r\nsize: [974668062] \r\nFS type: [4.2BSD] RAID\r\nsd4*> w\r\nsd4> q\r\nNo label changes.<\/pre>\r\n<\/li>\r\n \t
    13. Finally, let’s create the encrypted softraid:\r\n
      # bioctl -c C -l sd4a softraid0\r\n[...]\r\nsofraid0: CRYPTO volume attached as sd5<\/pre>\r\n<\/li>\r\n \t
    14. Run install<\/code> to start the installer.<\/li>\r\n \t
    15. When asked for the disk to install on, first select sd3<\/code> and use (W)hole disk. I split the space into a 2 GB root and 2 GB swap partition.<\/li>\r\n \t
    16. Then partition sd5<\/code> and use (W)hole disk again. Add partitions as you like. I prefer a simplified layout:\r\n
      a d   #8 GB for \/tmp\r\na e   #20GB for \/var\r\na f   #20GB for \/usr\r\na g   #remaining space, \/home\r\nw\r\nq<\/pre>\r\n<\/li>\r\n \t
    17. Complete setup<\/li>\r\n \t
    18. The boot will fail, because the partitions cannot be decrypted. Open a shell by entering sh<\/code> and run bioctl -c C -l \/dev\/sd3a softraid0 && exit<\/code>. To help decrypting during boot, you can create a file \/sbin\/decrypt<\/code> with the following content:\r\n
      #!\/bin\/sh\r\nbioctl -c C -l \/dev\/sd3a softraid0<\/pre>\r\n<\/li>\r\n<\/ol>\r\n<\/li>\r\n<\/ol>","protected":false},"excerpt":{"rendered":"
      Update 2022-10-22: As of the 7.2 release, OpenBSD supports booting from an encrypted RAID 1. The procedure below therefore becomes obsolete. The following procedure partitions two hard disks (sd0, sd1) in an unencrypted (sd3) and encrypted RAID 1 (sd4 + … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1018","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1018","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1018"}],"version-history":[{"count":33,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1018\/revisions"}],"predecessor-version":[{"id":1139,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1018\/revisions\/1139"}],"wp:attachment":[{"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1018"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1018"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sven-seeberg.de\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1018"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}