Tags: #OpenBSD #security #encryption #FDE #rcctl #systemd #MBR
OpenBSD: Full Disk Encryption
To get rid of systemd on a server, one option is to move into the realm of OpenBSD…
Note: The system installation process is the same for either a server or a desktop; the third-party software installed afterwards makes the difference.
Introduction
OpenBSD’s man pages are known to be very comprehensive and full of useful information. Full disk encryption (FDE), also known as softraid0, is no exception.
Important note: FDE carries an obvious burden: the encryption/decryption key needs to be provided each time the server is restarted. Reader discretion advised!
Installation
The installation of OpenBSD (tested with version 6.2) can be interrupted at any point in the process using the exit command. However, it is more systematic to escape to the shell and prepare the root disk environment right at the beginning.
Welcome to the OpenBSD/i386 X.Y installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?
Choose (S)hell to escape to the shell.
Disks Availability
Available disks can be checked using either one of the following commands (or both):
$ dmesg |grep "^[sw]d"
$ sysctl hw.disknames
Device Nodes Creation
Generally, only the first node gets created, i.e. sd0. If necessary, the rest can be created manually:
$ cd /dev
$ for i in 1 2 3; do sh MAKEDEV sd$i; done
$ cd /
Disk Format, Partitioning, Encryption
Disk format is performed using fdisk and WILL DELETE DATA. An MBR table format (-i) of the first SATA disk (sd0), without asking for confirmation (-y), can be achieved by running the following command:
$ fdisk -iy sd0
Partitioning is performed using disklabel. In OpenBSD, the swap partition is encrypted by default, so there is no need to create an encrypted partition for it. By default, the “normal” (unencrypted) partition is a partition of type 4.2BSD, and for encryption it needs to be changed to RAID. By convention, the a partition is the root partition, and the b partition is the swap partition.
Here’s a “quick and dirty” way to make a swap partition (b) of SWAPSIZE bytes and turn the rest of the space on sd0 into a RAID partition (a):
$ disklabel -E sd0
a b<ENTER>
<ENTER>
SWAPSIZEb<ENTER>
swap<ENTER>
a a<ENTER>
<ENTER>
<ENTER>
RAID<ENTER>
w
q
Full disk encryption can be activated using bioctl as follows:
$ bioctl -c C -l /dev/sd0a softraid0
...
softraid0: CRYPTO volume attached as sd2
The CRYPTO volume is now attached as the sd2 disk. Naturally, this can vary with the target environment.
Installation Continuation
In order to get back to the installation program from the shell, the following needs to be run:
$ exit
Immediately, the installation wizard continues to prompt for further setup details required to finish the installation process:
System hostname? (short form, e.g. 'foo') SERVER-NAME<ENTER>
...
When the root disk installation query occurs, the CRYPTO volume needs to be provided (sd2 in this case). The idea is to use the whole partition as the root partition that is going to include all directories. Therefore, the disk layout will not have separate /lib, /tmp, /var etc. If required, the (A)uto layout or a different (C)ustom layout option can be used:
Available disks are sd0 sd1 sd2.
Which disk is the root disk? ('?' for details) [sd0] sd2<ENTER>
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] <ENTER>
Setting OpenBSD MBR partition to whole sd2...done.
The auto-allocated layout for sd2 is:
...
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] C<ENTER>
Label editor (enter '?' for help at any prompt)
> a a
offset: [64]<ENTER>
size: [THE-MAX-PARTITION-SIZE]<ENTER>
FS type: [4.2BSD]<ENTER>
mount point: [none] /<ENTER>
Rounding size to bsize (32 sectors): THE-ROUNDED-AVAILABLE-SIZE
> w
> q
No label changes.
...
Which disk do you wish to initialize? (or 'done') [done] <ENTER>
...
Installation Finalisation
The trickiest part is luckily over. Now, the sets need to be selected (all of them by default). It is good to know that the sets dealing with X are worth installing even for non-graphical applications (i.e. a server):
Location of sets? (cd0 disk http or 'done') [cd0] http<ENTER>
HTTP Proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]<ENTER>
HTTP Server? (hostname, list#, 'done' or '?') https://FAVOURITE-MIRROR<ENTER>
Server directory? [pub/OpenBSD/X.Y/amd64] <ENTER>
...
Location of sets? (cd0 disk http or 'done') [done] <ENTER>
Time zone setup:
What timezone are you in? ('?' for list) [Continent/State] Continent/State<ENTER>
Saving configuration files...done.
Making all device nodes...done.
Multiprocessor machine; using bsd.mp instead of bsd.
Relinking to create unique kernel...done.
Congratulations
The system now needs to be rebooted:
$ reboot
It is recommended to visit OpenBSD: Post Installation Steps as well as OpenBSD: Packet Filtering.
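After the first boot it is worth confirming that / really sits on the CRYPTO volume (accepting the default [sd0] at the root disk prompt would have produced an unencrypted install) and that swap encryption is still on. The script below is an added example, not part of the original article; the function names are hypothetical, and the sample bioctl, mount and sysctl output is constructed and assumes the usual column layout of those commands.

```shell
#!/bin/sh
# Added example: post-install check for the layout described above.
# On a real system (as root) run:
#   check_fde "$(bioctl softraid0)" "$(mount)" "$(sysctl vm.swapencrypt.enable)"

# Constructed sample output, so the script also runs offline.
SAMPLE_BIOCTL='Volume      Status               Size Device
softraid0 0 Online       499999997952 sd2     CRYPTO
          0 Online       499999997952 0:0.0   noencl <sd0a>'
SAMPLE_MOUNT='/dev/sd2a on / type ffs (local)'
SAMPLE_SYSCTL='vm.swapencrypt.enable=1'

# Print the disk name of every CRYPTO volume listed by bioctl (e.g. sd2).
crypto_volumes() {
    printf '%s\n' "$1" |
        awk '$1 == "softraid0" && $NF == "CRYPTO" { print $(NF-1) }'
}

# Print the disk that backs / according to mount (/dev/sd2a -> sd2).
root_disk() {
    printf '%s\n' "$1" | awk '$2 == "on" && $3 == "/" {
        sub("^/dev/", "", $1); sub("[a-p]$", "", $1); print $1 }'
}

# $1 = bioctl output, $2 = mount output, $3 = sysctl output.
# Returns 0 only if / is on a CRYPTO volume and swap encryption is enabled.
check_fde() {
    root=$(root_disk "$2")
    if [ -z "$root" ]; then
        echo "FAIL: no root mount found"; return 1
    fi
    if ! crypto_volumes "$1" | grep -qxF "$root"; then
        echo "FAIL: / is on $root, which is not a CRYPTO volume"; return 1
    fi
    if [ "$3" != "vm.swapencrypt.enable=1" ]; then
        echo "FAIL: swap encryption is not enabled"; return 1
    fi
    echo "OK: / is on CRYPTO volume $root and swap is encrypted"
}

check_fde "$SAMPLE_BIOCTL" "$SAMPLE_MOUNT" "$SAMPLE_SYSCTL"
```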