OpenBSD laptops... encrypting every partition except / with softraid during install

Date Written: Nov 29, 2009

In this example, wd0 is the laptop's physical hard disk and sd1 is the logical softraid volume.

-----------------------------------------------------------------------

1. Boot bsd.rd from a recent i386 or amd64 snapshot... 4.6-release works too.

2. When prompted by the installer, select (S)hell. When you have a shell, follow these steps:

   # fdisk -iy wd0
   # disklabel -E wd0
   a a     (Create a small "a partition" to be used for /, e.g. 128MB)
   a b     (Create a swap "b partition")
   a d     (Create a large "d partition" of type RAID using the remaining space)
   # bioctl -c C -r 65536 -l /dev/wd0d softraid0
   # exit

3. Now, select (I)nstall and follow the typical OpenBSD install steps. Select wd0 when prompted for the 'root disk', using the whole disk with a custom partition layout. Modify wd0a (m a), changing the mount point to /.

4. Select sd1 when prompted about using other 'available disks'. Use the whole disk with an automatic partition layout. Modify 'a', changing the size to match that of / and changing the mount point to /altroot. Delete 'b', as swap has already been defined.

5. Install the sets and then reboot.

6. Upon each subsequent boot, when you are dumped to a shell, enter this:

   # bioctl -c C -l /dev/wd0d softraid0 && exit

   Or, if you had an unclean shutdown, enter this:

   # bioctl -c C -l /dev/wd0d softraid0 && fsck -fp && exit

-----------------------------------------------------------------------

To automate this at boot time, create a file in /bin named 'decrypt' and chmod it 700. The file contents should look like this:

   #!/bin/sh
   bioctl -c C -l /dev/wd0d softraid0

Now at each boot, when you get a shell, type this and the passphrase when prompted:

   decrypt && exit

-----------------------------------------------------------------------

Notes

The algorithm used by softraid crypto is AES. The mode is XTS.

OpenBSD encrypts swap by default (the kernel's own swap encryption, independent of softraid). So in this example wd0b is encrypted.
If you installed OpenBSD from a bootable USB stick that is identified as sd0 (as I did in this example), then you'll need to change sd1 to sd0 in /etc/fstab, or things won't work when you remove the USB stick. The opposite may be true if you add an external USB disk later. This is a known issue that OpenBSD developers are working on. For now, if there is a device change at boot, just edit /etc/fstab to fix it:

   ed /etc/fstab
   ,s/sd1/sd0/g
   w
   q

In this example, there is a small 128MB clear-text partition on the disk. This is where / is mounted and where the kernel and other basic software reside. This is not a huge concern. However, if the thought of that space bothers you, you might do something like this to prevent data from being accidentally written to it:

   cd / && dd if=/dev/arandom of=filler bs=1m count=80

Understand that these directories are all clear-text:

   /
   /bin
   /dev
   /etc
   /mnt
   /root
   /sbin
   /stand

Good practice, and this should have occurred right after the bioctl command above, but the installer has issues with this:

   # dd if=/dev/zero of=/dev/rsd1c bs=1m count=1

Use of the bioctl crypto discipline is currently considered experimental, but in my testing it works well for day-to-day use.

Copyright 2009 16Systems
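As an added example (not part of the original write-up), a small sh script for checking the /etc/fstab produced by this install: it lists which filesystems still sit on the clear-text physical disk, and it renames the softraid volume only in the device column, so that a rename such as sd1 to sd0 cannot accidentally touch a mount point or an option. The fstab contents below are constructed to match the layout described above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original write-up.
#
# cleartext_mounts FSTAB DISK      - print mount points whose device lives on
#                                    the unencrypted physical disk (e.g. wd0);
#                                    swap is skipped because the kernel encrypts it
# retarget_softraid FSTAB OLD NEW  - rewrite /dev/OLD[a-p] to /dev/NEW[a-p] in the
#                                    device column only, leaving other fields alone

cleartext_mounts() {
    awk -v disk="$2" '
        /^#/ || NF == 0 { next }                              # comments, blank lines
        $1 ~ ("^/dev/" disk "[a-p]$") && $3 != "swap" { print $2 }
    ' "$1"
}

retarget_softraid() {
    awk -v old="$2" -v new="$3" '
        # Only lines whose first field is a partition of OLD are touched; the
        # anchored sub() on $0 keeps the original spacing of the line intact.
        $1 ~ ("^/dev/" old "[a-p]$") { sub(("^/dev/" old), ("/dev/" new)) }
        { print }
    ' "$1"
}

# Constructed fstab following the layout in the write-up (wd0a clear-text root,
# wd0b swap, everything else on the softraid volume sd1). Not from a real system.
SAMPLE_FSTAB=$(mktemp) || exit 1
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/wd0a / ffs rw 1 1
/dev/wd0b none swap sw 0 0
/dev/sd1a /altroot ffs rw,noauto 1 2
/dev/sd1d /tmp ffs rw,nodev,nosuid 1 2
/dev/sd1e /var ffs rw,nodev,nosuid 1 2
/dev/sd1f /usr ffs rw,nodev 1 2
/dev/sd1g /home ffs rw,nodev,nosuid 1 2
EOF

echo "Clear-text filesystems on wd0:"
cleartext_mounts "$SAMPLE_FSTAB" wd0
echo "fstab after the USB stick takes sd0 and the softraid volume becomes sd0:"
retarget_softraid "$SAMPLE_FSTAB" sd1 sd0
```

To apply the rename for real, redirect the output of retarget_softraid to a new file and move it over /etc/fstab only after reviewing it.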