Tags: #OpenBSD #security #encryption #FDE #RAID
OpenBSD: RAID1 (Mirror) with Full Disk Encryption
This is a theoretical approach to install OpenBSD server on two physical disks in software RAID1 (mirror) having the logical (root) partition encrypted aka full disk encryption (FDE). Unfortunately, this approach is not supported as yet…
The Idea
With limited resources (money), having a hardware RAID may not seem to be an option. Beside money, there are also other issues with HW RAID solutions such as incompatibility among different vendors, even among the same vendor and same cards, but with different firmwares, etc. Therefore, a software RAID seems to be an option here. OpenBSD supports both HW and SW RAID (HW compatibility needs to be verified though!)
Risk of theft of physical disks may not be low, when considering the destination HW to be a laptop (just an example). Therefore, full disk encryption (FDE) seems to be the right choice. OpenBSD supports the FDE.
Combination of both; however, has been a no go ever since. Stefan Sperling confirms that, quote:
Disciplines cannot be nested yet! So no CRYPTO on top of RAID 1, for instance.
A Brief Draft to Accomplish “The Idea”
A briefly commented step-by-step approach to install OpenBSD (tested with version 6.0) in VirtualBox.
Welcome to the OpenBSD/i386 X.Y installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?
Choose (S)hell
to escape to shell.
Creating Device Nodes
Generally, only the first node is created, i.e. sd0
. The rest needs to be created manually:
$ cd /dev
$ for i in 1 2 3; do sh MAKEDEV sd$i; done
$ cd /
Creating a RAID 1 Volume
First, delete the disks (will damage data), create an MBR on both disks, and create a RAID partition on both disks using the disklabel
tool. Eventually, use bioctl
to set up the RAID 1 policy. Again, delete the first MB of data to make sure the OS will read it properly:
$ dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
$ dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
$ fdisk -iy sd0
$ fdisk -iy sd1
$ echo -n "z\na\n\n\n\nRAID\nw\nq\n" | disklabel -E sd0
$ disklabel sd0 > layout && disklabel -R sd1 layout && rm layout
$ bioctl -c 1 -l sd0a,sd1a softraid0
$ dd if=/dev/zero of=/dev/rsd2c bs=1m count=1
Create a SWAP and a Crypto Partitions
First, create an MBR (-i
) on the logical (RAID) disk. Set up the first (b
) partition as SWAP (e.g. 2GB large), and the second (a
) as RAID (the disk remainder). Initialize the latter one with bioctl
again (notice the -c
value to be C
, which represents an encrypting discipline.) Configure an appropriate password. Eventually, reset the new logical (and encrypted) partition, set it up as MBR (-i
), create a single large partition (a
) and format it accordingly using the newfs
command.
$ fdisk -iy sd2
$ echo -n "z\na b\n\n2G\n\na a\n\n\nRAID\nw\nq\n" | disklabel -E sd2
$ bioctl -c C -r 987654 -l sd2a softraid0
$ dd if=/dev/zero of=/dev/rsd3c bs=1m count=1
$ fdisk -iy sd3
$ echo -n "z\na\n\n\n\n\nw\nq\n" | disklabel -E sd3
$ newfs sd3a
Install the System
The installation process is pretty much straightforward, execute the following command and follow the questions/instructions accordingly:
$ install
Select sd3
, when asked for a root disk
:
Available disks are sd0 sd1 sd2 sd3.
Which disk is the root disk? ('?' for details) [sd0]
The Error
The above process ends up with the following error, only to confirm Stefan Sperling’s words.
installboot: invalid boot record signature (0x0000) @ sector 0
Failed to install bootblocks.
You will not be able to boot OpenBSD from sd3
Note
Hopefully, the OpenBSD developers can make this possible soon. I wish I could have helped them. I am no developer though…
Feedback
I received the following feedback from Yary Hluchan. It is not working for me though. Anyway, cheers mate! :-)
It can be fixed by issuing “
cd /dev; sh MAKEDEV sd2
” after making the RAID – that is, after runningbioctl
. In your case, you would also run it again after makingsd3
. It adds the/dev/rsd*
devices – even though thesd*
devices may already be in/dev
.
From what I read, you can layer, I recall seeing a recipe for a soft
RAID10
in OpenBSD. Not sure if layering would work for a boot volume.