Ryan Kavanagh's /dev/brain

I recently decided to try out a snapshot of OpenBSD 5.3, intrigued by the notice that

softraid(4) RAID1 and crypto volumes are now bootable on i386 and amd64 (full disk encryption).

I’ve always used an encrypted LVM (as setup by the alternate CD) with a fully encrypted root on my netbook and laptop when running Debian/Kubuntu and never noticed much a performance hit. Unfortunately, I’m not the only one who has noticed a significant drop in performance with full-disk encryption on OpenBSD.

Although the steps required to setup full-disk encryption (as opposed to requiring manual intervention at boot or the equivalent of loop-mounted encrypted images via vnconfig(8)) on OpenBSD are not explicitly documented anywhere, searching through the mailing lists, man pages, and trial and error provided the following steps:

Boot from your install media. Select the (S)hell option.
Assuming the disk you’re installing to is “wd0”, run fdisk -i wd0 if you’re on an i386. If I’m not mistaken, you can skip to the following step otherwise.
Run disklabel -E wd0. Create a label (typically b) of the appropriate size of type swap for swap, and then add a label a using the remainder of the space of type RAID. We aren’t going to put swap on our crypto device since OpenBSD has encrypted the swap partition by default since 2005.
Setup the crypto volume as described in bioctl(8). You will be prompted for a passphrase and presented with a message along the lines of softraid0: SR CRYPTO volume attached as sd0 on successful setup. I used bioctl -c C -l /dev/wd0a softraid0 where
- -c C specifies a device with raidlevel “CRYPTO”,
- -l /dev/wd0a specifies the label of type RAID created in step 3 to use for the CRYPTO device, and
- softraid0 is the softraid device to configure (this value should work unless you already have a softraid0 device).
exit from the shell and (I)nstall as normal, installing to the disk sd0 (or whichever disk the crypto volume got attached as). In the partitioning dialog, you may need to manually adjust things since the auto-partitioning creates an additional swap label on sd0, which we don’t need given we already have wd0b.
Using ed(1), add the line 1a8bab44e9cc178d.b none swap sw to /mnt/etc/fstab, assuming that 1a8bab44e9cc178d is the DUID associated with wd0.¹ Alternatively, wait until you boot into your system, and add it to your /etc/fstab using vi(1) or mg(1).
Reboot, and you’ll be prompted for your passhprase. You’re done!

Here’s a screenshot of steps 1 through 4.

Steps 1 through 4

Here’s a screenshot of the passphrase prompt, after successfully entering the passphrase:

Passphrase prompt

If I’ve made any errors in the steps above, please point them out in the comments below or by sending me an email.

You can find this out by running sysctl hw.disknames. It will output something like hw.disknames=wd0:1a8bab44e9cc178d,cd0:,[...]. Just search for the DUID associated with wd0. ↩︎

Comments: To comment on this post, send me an email following the template below. Your email address will not be posted, unless you choose to include it in the link: field. If your web browser is configured to handle mailto: links, click comment to load the template into your mail client.

To: Ryan Kavanagh <rak@rak.ac>
Subject: [blog-comment] /blog/2013-03-26-setting-up-full-disk-encryption-in-openbsd-5.3/

post_id: /blog/2013-03-26-setting-up-full-disk-encryption-in-openbsd-5.3/
author: [How should you be identified? Usually your name or "Anonymous"]
link: [optional link to your website]

Your comments here. Markdown syntax accepted.

6 Comments

Mar 26, 2013 at 19:53

Vadim Zhukov

OpenBSD will automatically pick up swap partition, there is no need for them in fstab. Also, it can be noted that initialization of softraid volume can be done separately, in more friendly than installer’s environment. :)

Mar 28, 2013 at 01:21

Ryan Kavanagh

Hi Vadim, are you sure about that? I reinstalled going from i386 to amd64, and didn’t specify the swap partition, but OpenBSD didn’t automatically pickup the swap partition outside of the softraid.

May 3, 2013 at 20:47

Neal

Nice Post! Would love to follow your blog but for some odd reason the rss feed does not seem to work. Please can you look into that?

May 3, 2013 at 21:01

Sorry, it was an “—” in the HTML source that was screwing up the generated Atom feed; replacing it by a “—” fixed it. Thanks for letting me know! Ryan

May 3, 2013 at 21:07

A “—”, replaced with “—”.

Aug 7, 2013 at 20:54

Baraka

Vadim is right, step 6 is useless if you init swap on real device, in your example, after sd0 init, choose to init wd0, keep partitions and OpenBSD will do the rest.