OpenBSD Full Disk Encryption (on VirtualBox)

nabbisen - Dec 14 '22 - - Dev Community

Summary

OpenBSD supports full disk encryption (FDE) with softraid and bioctl. The tutorial for it is officially provided. With FDE, even if you lose your computer, your data is strongly protected (as long as the key is in safety).

It is available on VirtualBox as well as physical servers and VPS servers (such as CloudSigma and ConoHa supporting OpenBSD machine image).

openbsd-boot-under-full-disk-encryption

This post shows how to apply full disk encryption to OpenBSD vm on VirtualBox with each output of the steps and sideline notes about envs of the latter.

Environment

  • OS: OpenBSD 7.2

Caution - All existing data will be deleted

You may have to make backup beforehand.

(Note) Device names

The device names are due to your env. In my case with VirtualBox, wd0 is for the origin and sd0 is for the softraid, the encrypted one. In another case, for example, with VPS, they are sometimes different so that the origin is sd0 and the softraid is sd1. It depends on your hardware, especially the drives such as SATA.

In the following tutorial, how to list devices and choose will be shown.

Table on device names pairs in my past cases

env origin softraid
VirtualBox wd0 sd0
Phisycal or VPS sd0 sd1

Tutorial

It is based on the official tutorial. (See the beginning in this post.)

Run VM with installer media

Have you installed Oracle VM Virtualbox ? Prepared VM to which OpenBSD installer .iso (install72.iso in my case) is attached? Let's run it!

Start shell

When you get the first question:

Welcome to the OpenBSD/amd64 7.2 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?

enter "s" aka Shell.

Then, if you have to adjust keyboard mapping, run. (kbd jp in my case):

# kbd %your-locale%
Enter fullscreen mode Exit fullscreen mode

The output in my case was:

kbd: keyboard mapping set to jp
Enter fullscreen mode Exit fullscreen mode

Choose the device to be encrypted

First of all, choose which one is to be encrypted. You can list the devices with the command line below:

# sysctl hw.disknames
Enter fullscreen mode Exit fullscreen mode

The output was:

hw.disknames=wd0:(...),cd0:,cd1:,rd0:(...)
Enter fullscreen mode Exit fullscreen mode

Make sure the origin disk exists

Again, this tutorial uses wd0 for the origin.

# cd /dev

# sh MAKEDEV wd0
Enter fullscreen mode Exit fullscreen mode

(Optional but recommended) Write random data to disk

We are now at the first step to manipulate the disk.

This process is not absolutely necessary, which, however, helps the machine hide the actual volume used.
It is possibly very time-consuming, which depends on the disk size.

Remember it sometimes has a negative side on VPS and so. It consumes the whole volume and therefore the size of snapshot image can be very big.

# dd if=/dev/urandom of=/dev/rwd0c bs=1m
Enter fullscreen mode Exit fullscreen mode

The output was:

dd: rwd0c: end of device
7169+0 records in
7168+0 records out
7516192768 bytes transferred in 57.711 secs (130236923 bytes/sec)
Enter fullscreen mode Exit fullscreen mode

Besides, although expected may be only a limited effect, it is possible to write random data partially with adding count option. The below is an example to limit it to 2 GB:

- dd if=/dev/urandom of=/dev/rwd0c bs=1m
+ dd if=/dev/urandom of=/dev/rwd0c bs=1m count=2048
Enter fullscreen mode Exit fullscreen mode

Initialize the disk

In case that MBR is used at boot:

# fdisk -iy wd0
Enter fullscreen mode Exit fullscreen mode

The output was:

Writing MBR at offset 0.
Enter fullscreen mode Exit fullscreen mode

Well, in case that GPT for UEFI booting is used, you should run fdisk -gy -b 960 wd0 instead.

Create the softraid partition

Run:

# disklabel -E wd0
Enter fullscreen mode Exit fullscreen mode

Then, inside it, operate as follows:

Label editor (enter '?' for help at any prompt)
wd0> a a
offset: [64]
size: [14680000] *
FS type: [4.2BSD] RAID
wd0*> w
wd0> q
No label changes.
Enter fullscreen mode Exit fullscreen mode

Besides, although the entire disk is used, the installer can split it into multiple partitions with the encrypted one later.

Build the encrypted device

Here comes bioctl.

# bioctl -c C -l wd0a softraid0
Enter fullscreen mode Exit fullscreen mode

The prompt will ask as below. It will be required at boot:

New passphrase:
Re-type passphrase:
Enter fullscreen mode Exit fullscreen mode

The output was:

sd0 at scsibus1 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd0: 7167MB, 512 bytes/sector, 14679472 sectors
softraid0: CRYPTO volume attached as sd0
Enter fullscreen mode Exit fullscreen mode

You can see sd0 was got as CRYPTO volume !!

Besides, a keydisk is available instead of passphrase.

Make sure the CRYPTO device exists

# cd /dev

# sh MAKEDEV sd0
Enter fullscreen mode Exit fullscreen mode

Thanks to them, all data written to it will be "encrypted with AES in XTS mode".

Overwrite the first megabyte of the new pseudo-device

This is the final step of the first and the main chapter. Run:

# dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
Enter fullscreen mode Exit fullscreen mode

The output was:

1+0 records in
1+0 records out
1048576 bytes transferred in 0.016 secs (64883162 bytes/sec)
Enter fullscreen mode Exit fullscreen mode

Return to the installer

Now the disk is ready.

Type to say goodbye to the shell:

# exit
Enter fullscreen mode Exit fullscreen mode

You will see the welcome messages from the installer, again.

installer-after-encryption

Choose the encrypted volume in installation

The rest is to choose the encrypted volume when you are asked where to install the OS.

choose-encrypted-volume

Remember sd0 is my encrypted one. (Of course, in case that your encrypted one is sd1, choose sd1.)

Except it, you can operate as usual in installation.

Conclusion

Installation is completed

Congratulations 🎉🎉🎉

You got your encrypted disk where OpenBSD is installed.

installation-is-completed

Prompt for passphrase at boot

At next boot, your security will work like a charm.

prompt-for-passphrase-under-full-disk-encryption

With the correct passphrase (or the keydisk), you will be accepted, and the machine will nicely stand by you.

booted

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .