OpenBSD - Full Disk Encryption


Intro

I never used the Full Disk Encryption Feature as there was no need for it. It doesn’t make sense for Hosted VMs, as you have to enter the Passphrase at every boot at the Console. So, it’s a pain and still possible to intercept on the Hoster’s Infrastructure. Disk Encryption does not make sense at home, as all my Devices remain at home (and hopefully never get stolen). It would make sense on a Notebook, but I’m more the Apple Fanboy when it comes to portable Machines. And there, we have FileVault, which basically does the same. However, I’d like to give it a try with a Test VM. There are plenty of instructions on how to set it up; I just tried one and made some notes as usual.

Boot Encrypted Device with FDE

Powerup new Machine

  • boot openbsd cd / iso / bsd.rd
  • s for shell

find the Disk Device

dmesg | grep "^[sw]d"
wd0 at scsibus0 targ 0 lun 0: <VirtIO, Block Device, >

-> wd0

Make Devices

cd /dev && sh MAKEDEV wd0

Optional wipe whole device

dd if=/dev/urandom of=/dev/rwd0c bs=1m

write MBR to Disk with fdisk

fdisk -iy wd0

Partition Layout, allocate all Diskspace

disklabel -E wd0
a a

*
RAID
w
q

Build encrypted device softraid0 with the wd0a partition

bioctl -c C -l wd0a softraid0
YOURPASSPHRASE
YOURPASSPHRASE

create pseudo device file sd0 and clear the first MB for the MBR later

cd /dev && sh MAKEDEV sd0
dd if=/dev/zero of=/dev/rsd0c bs=1m count=1

back to Installer

exit
install

and proceed with the Installation as usual

sd0 is your root Disk! Not the wd0 which is proposed by the Installer ;)

-> no valid MBR or GPT -> proceed
whole Disk
Auto or Custom Layout

w write
x exit

cd0
-x*
xb*

yes

Layout after Installation

root@fde-openbsd # df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G    404M    3.3G    11%    /
/dev/sd0g      7.7G   14.0K    7.3G     0%    /home
/dev/sd0d      1.9G   10.0K    1.8G     0%    /tmp
/dev/sd0f      7.8G    2.2G    5.2G    30%    /usr
/dev/sd0e      7.8G   29.7M    7.3G     0%    /var

Dmesg

root@fde-openbsd # dmesg |grep -E "^.d0"
wd0 at pciide0 channel 0 drive 0: <VMware Virtual IDE Hard Drive>
wd0: 64-sector PIO, LBA, 32768MB, 67108864 sectors
sd0 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd0: 32767MB, 512 bytes/sector, 67108272 sectors

wd0: physical Disk
sd0: encrypted, logical Disk
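The following check is an added example, not part of the original notes: it reads dmesg and df text in the format shown above and confirms that a mount point sits on the softraid CRYPTO volume rather than on the raw wd0 disk. The function names are hypothetical and the sample input is constructed from the listings on this page.

```sh
#!/bin/sh
# Added example: confirm that a mount point lives on a softraid CRYPTO volume.
# Input text follows the format of the dmesg and df listings on this page.

# Constructed sample input, taken from the listings above.
SAMPLE_DMESG='wd0 at pciide0 channel 0 drive 0: <VMware Virtual IDE Hard Drive>
wd0: 64-sector PIO, LBA, 32768MB, 67108864 sectors
sd0 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd0: 32767MB, 512 bytes/sector, 67108272 sectors'
SAMPLE_DF='Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G    404M    3.3G    11%    /
/dev/sd0g      7.7G   14.0K    7.3G     0%    /home'

# Print the name of every disk whose attach line identifies it as a
# softraid crypto volume (vendor OPENBSD, product "SR CRYPTO").
crypto_volumes() {
    printf '%s\n' "$1" | awk '/^[sw]d[0-9]+ at .*<OPENBSD, SR CRYPTO,/ { print $1 }'
}

# Print the disk (e.g. sd0) backing mount point $2 in df output $1.
disk_for_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        NR > 1 && $NF == mp {
            dev = $1
            sub(/^\/dev\//, "", dev)     # strip the /dev/ prefix
            sub(/[a-zA-Z]$/, "", dev)    # strip the partition letter
            print dev
        }'
}

# Usage: mount_is_encrypted DMESG_TEXT DF_TEXT MOUNTPOINT
# Returns 0 if the mount point sits on a crypto volume, 1 otherwise.
mount_is_encrypted() {
    disk=$(disk_for_mount "$2" "$3")
    [ -n "$disk" ] || return 1
    for vol in $(crypto_volumes "$1"); do
        if [ "$vol" = "$disk" ]; then return 0; fi
    done
    return 1
}

# On a live system: mount_is_encrypted "$(dmesg)" "$(df -h)" /
if mount_is_encrypted "$SAMPLE_DMESG" "$SAMPLE_DF" /; then
    echo "/ is on an encrypted softraid volume"
else
    echo "/ is NOT on an encrypted softraid volume"
fi
```

A root filesystem reported on wd0a instead of sd0a means the installer was pointed at the physical disk and the data is not encrypted.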

Change Passphrase
