Extended Brain Storage

OpenBSD: Full Disk Encryption

Posted on September 13, 2016

In order to get rid of systemd on a server, one way may seem to be within the realm of OpenBSD...

Note: The system installation process would be the same for either server or a desktop. Obviously, the 3rd party software will make the difference.


OpenBSD's man pages are notoriously known to be very comprehensive and full of useful information. The full disk encryption (FDE), also known as softraid0 is not an exception.

Important note: Naturally, installation of the FDE carries its obvious burden in relation to the fact that the encryption/decryption key needs to be provided each time the server is restarted. Reader discretion advised!


The installation of OpenBSD (tested with version 6.2) can be interrupted throughout the whole process using the exit command. However, it seems systematic to escape to shell and prepare the root disk environment right at the beginning.

    Welcome to the OpenBSD/i386 X.Y installation program.
    (I)nstall, (U)pgrade, (A)utoinstall or (S)hell?

Choose (S)hell to escape to shell.

Disks Availability

Available disks can be checked using either one of the following commands (or both):

$ dmesg |grep "^[sw]d"
$ sysctl hw.disknames

Device Nodes Creation

Generally, only the first node gets created, i.e. sd0. If necessary, the rest can be created manually:

$ cd /dev
$ for i in 1 2 3; do sh MAKEDEV sd$i; done
$ cd /

Disk Format, Partitioning, Encryption

Disk format is performed using fdisk and WILL DELETE DATA. An MBR table format (-i) of the first SATA disk (sd0), without asking for confirmation (-y), can be achieved running the following command:

$ fdisk -iy sd0

Partitioning is performed using disklabel. In OpenBSD, the swap partition is encrypted by default. There is no need to create an encrypted partition for it. By default, the "normal" (unencrypted) partition is a partition of type 4.2BSD and for encryption, it needs to be changed to RAID. By convention, the a partition is the root partition, and the b partition is the swap partition (more details).

Here's a "quick and dirty" way to make a swap (b) of SWAPSIZE bytes and the rest of the space of the sd0 a RAID partition (a):

$ disklabel -E sd0
a b<ENTER>
a a<ENTER>

The full disk encryption can be activated using bioctl as follows:

$ bioctl -c C -l /dev/sd0a softraid0
softraid0: CRYPTO volume attached as sd2

The CRYPTO volume is now attached as sd2 disk. Naturally, this can vary with target environment.

Installation Continuation

In order to get back to the installation program from the shell, the following needs to be run:

$ exit

Immediately, the installation wizard continues to prompt for further setup details required to finish the installation process:

System hostname? (short form, e.g. 'foo') SERVER-NAME<ENTER>

When the root disk installation query occurs, the CRYPTO volume needs to be provided (sd2 in this case). The idea is to use the whole partition as root partition that is going to include all directories. Therefore, the disk layout will not have separate: /lib, /tmp, /var etc. If required, the (A)uto layout or a different (C)ustom layout option can be used:

Available disks are sd0 sd1 sd2.
Which disk is the root disk? ('?' for details) [sd0] sd2<ENTER>
No valid MBR or GTP.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] <ENTER>
Setting OpenBSD MBR partition to whole sd2...done.
The auto-allocated layout for sd2 is:
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] C<ENTER>
Label editor (enter '?' for help at any prompt)
> a a
offset: [64]<ENTER>
FS type: [4.2BSD]<ENTER>
mount point: [none] /<ENTER>
Rounding size to bsize (32 sectors): THE-ROUNDED-AVAILABLE-SIZE
> w
> q
No label changes.
Which disk do you wish to initialize? (or 'done') [done] <ENTER>

Installation Finalisation

The trickiest part is luckily over. Now, the sets need to be selected (all of them by default). It is good to know that the sets dealing with X are worth installing even for non-graphical application (i.e. a server):

Location of sets? (cd0 disk http or 'done') [cd0] http<ENTER>
HTTP Proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]<ENTER>
HTTP Server? (hostname, list#, 'done' or '?') https://FAVOURITE-MIRROR<ENTER>
Server directory? [pub/OpenBSD/X.Y/amd64] <ENTER>
Location of sets? (cd0 disk http or 'done') [done] <ENTER>

Time zone setup:

What timezone are you in? ('?' for list) [Continent/State] Continent/State<ENTER>
Saving configuration files...done.
Making all device nodes...done.
Multiprocessor machine; using bsd.mp instead of bsd.
Relinking to create unique kernel...done.


The system now needs to be rebooted:

$ reboot

It is recommended to visit the OpenBSD: Post Installation Steps as well as OpenBSD: Packet Filtering.

Tags: #OpenBSD #security #encryption #FDE #rcctl #systemd #MBR

⏴ Previous Post Next Post ⏵