OpenBSD disk encryption

Floor Terra - 2011-12-05 13:55:00
Laptops are easy to lose or steal, and you don't want any potentially sensitive data to be stolen too. For that purpose many companies now require disk encryption. The OpenBSD softraid CRYPTO discipline has grown to be a mature piece of software, and since I was long due for a fresh OpenBSD installation anyway, I decided to give it a try.

Let's start with the goals:

  • No user files should be recoverable when the laptop gets lost or stolen without knowledge of my passphrase.
  • The boot and upgrade process should be as simple as possible.

What I'm not trying to do:

  • Provide plausible deniability: The largest disk slice is a softraid CRYPTO volume and the system asks for a passphrase on bootup. The use of encryption is obvious.
  • Provide a secure system after other people have had physical access: The disk contains a small unencrypted part used for booting. With physical access you can easily modify the boot process, for example to record the passphrase.

My primary source for this procedure was this blog post: http://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption

Start by booting into bsd.rd and opening a shell. As in the blog post, create a disk layout like this:
$ sudo disklabel -h wd0
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: ST980811AS
duid: 1898f5c8938a0ebf
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 9729
total sectors: 156301488 # total bytes: 74.5G
boundstart: 64
boundend: 156296385
drivedata: 0

16 partitions:
# size offset fstype [fsize bsize cpg]
a: 1.0G 64 4.2BSD 2048 16384 1 # /
b: 2.2G 2104512 swap # none
c: 74.5G 0 unused
d: 71.3G 6715170 RAID 



The RAID partition will hold all the encrypted data.
Now you have to tell the system to use the RAID partition:
bioctl -c C -r 8192 -l /dev/wd0d softraid0
This will prompt for a passphrase. Choose wisely: too long and you might forget it, too short and it might be guessed by an attacker. Now start the install and continue normally until you need to set up the disks.
The first disk you need is the disk you boot from. Use the whole disk and layout you created earlier. Next continue with your newly attached softraid volume. My softraid disk looks like this:
$ sudo disklabel -h sd2
# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: SR CRYPTO
duid: 96ce005d1a254d38
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 9310
total sectors: 149580687 # total bytes: 73037.4M
boundstart: 64
boundend: 149565150
drivedata: 0

16 partitions:
# size offset fstype [fsize bsize cpg]
a: 4102.5M 64 4.2BSD 2048 16384 1 # /tmp
b: 2047.3M 8401984 4.2BSD 2048 16384 1 # /usr
c: 73037.4M 0 unused
d: 1019.8M 12594944 4.2BSD 2048 16384 1 # /usr/X11R6
e: 10236.7M 14683392 4.2BSD 2048 16384 1 # /usr/local
f: 2047.3M 35648224 4.2BSD 2048 16384 1 # /usr/obj
g: 2047.3M 39841184 4.2BSD 2048 16384 1 # /usr/src
h: 45386.8M 56613056 4.2BSD 2048 16384 1 # /home
i: 6142.0M 44034144 4.2BSD 2048 16384 1 # /var





Finish your installation as you normally would and reboot.
Upon rebooting you will be greeted by messages urging you to run fsck. Don't do this; just press Enter for a shell. Now you have to bring your softraid partition online: bioctl -c C -l /dev/wd0d softraid0 && exit. Enter your passphrase and the system will boot normally.

Doing this on every boot is annoying. So after you have booted, open /etc/rc and put the line bioctl -c C -l /dev/wd0d softraid0 just before the part where it checks the disks (line 278 in my version). When you reboot it should ask you for a passphrase automatically.
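
The first goal above only holds if every filesystem with user files sits on the softraid volume rather than on wd0. The script below is an added example, not part of the original post: it parses disklabel partition lines and fails if the boot disk carries any 4.2BSD filesystem other than /. The function names and the second, constructed layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit `disklabel` output for
# filesystems that live outside the softraid CRYPTO volume.

# Print "<letter> <fstype> <mountpoint>" for each in-use partition on stdin.
list_partitions() {
    awk '$1 ~ /^[a-p]:$/ {
        mnt = "-"
        for (i = 5; i < NF; i++) if ($i == "#") mnt = $(i + 1)
        if ($4 != "unused") print substr($1, 1, 1), $4, mnt
    }'
}

# Exit 0 only if the disk has a RAID partition and "/" is its sole plaintext
# filesystem. Exit 1 names the leaking mount points; exit 2 means no RAID.
# Swap is listed by list_partitions but not judged here.
audit_boot_disk() {
    parts=$(list_partitions)
    if ! printf '%s\n' "$parts" | grep -q ' RAID '; then
        echo "no RAID partition found"
        return 2
    fi
    leaks=$(printf '%s\n' "$parts" |
        awk '$2 == "4.2BSD" && $3 != "/" { printf "%s ", $3 }')
    if [ -n "$leaks" ]; then
        echo "plaintext filesystems outside softraid: $leaks"
        return 1
    fi
    return 0
}

# Partition lines of wd0 as shown in the post.
POST_LAYOUT='a: 1.0G 64 4.2BSD 2048 16384 1 # /
b: 2.2G 2104512 swap # none
c: 74.5G 0 unused
d: 71.3G 6715170 RAID'

# Constructed counter-example: /home was left on the boot disk by mistake.
BAD_LAYOUT='a: 1.0G 64 4.2BSD 2048 16384 1 # /
c: 74.5G 0 unused
d: 60.0G 6715170 RAID
e: 11.3G 132544770 4.2BSD 2048 16384 1 # /home'

printf '%s\n' "$POST_LAYOUT" | audit_boot_disk && echo "post layout: ok"
printf '%s\n' "$BAD_LAYOUT" | audit_boot_disk || echo "bad layout: rejected"
```

On a running system the same check can be fed real output with disklabel wd0 | audit_boot_disk.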