OpenBSD laptop with Full Disk Encryption


Running OpenBSD on a laptop makes it secure by default, but an unencrypted disk is still readable by anyone who gets hold of the hardware. Encrypting the storage closes that gap. This is how my ThinkPad X230i gets encrypted so that it won’t boot without the proper USB thumb drive plugged in.

First of all, read the FDE documentation. Then decide whether you’ll go for an MBR (for BIOS booting) or GPT (for UEFI booting) installation, and whether the volume will be unlocked with a passphrase or a keydisk. Note the trade-off: a keydisk asks for nothing at boot, so whoever holds the stick (or a dd image of it) can unlock the SSD, while a passphrase only lives in your head. In my case, I went for GPT using a keydisk.

Then prepare the installation media. I wrote a bootable USB stick on macOS (check the disk number with diskutil list first: dd overwrites whatever /dev/disk2 happens to be):

# wget

# diskutil unmountDisk /dev/disk2
# dd if=install65.fs of=/dev/rdisk2 bs=1m
# diskutil unmountDisk /dev/disk2
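A check worth doing before the dd above, added here as an example and not part of the original post: compare install65.fs against the SHA256 file published next to it on the mirror. The file names and the OpenBSD checksum line format ("SHA256 (file) = hex") are assumed; the script uses whichever SHA-256 tool the host provides (sha256sum on Linux, sha256 on OpenBSD, shasum on macOS).

```shell
#!/bin/sh
# Added example, not from the original post: check install65.fs against the
# SHA256 file shipped next to it before writing it to the USB stick.
# Assumes the OpenBSD checksum format "SHA256 (file) = hex" and that one of
# sha256sum (Linux), sha256 (OpenBSD) or shasum (macOS) is on the PATH.
set -eu

# Print the hex SHA-256 of a file with whatever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file's digest matches the line for it in the SHA256 file,
# 1 if it differs or no line for that file exists. Matching on the file
# name means a SHA256 file from another release cannot accidentally "pass".
verify_image() {
    img=$1
    sumfile=$2
    name=$(basename "$img")
    expected=$(awk -v f="($name)" '$1 == "SHA256" && $2 == f {print $4}' "$sumfile")
    if [ -z "$expected" ]; then
        printf 'no SHA256 entry for %s\n' "$name" >&2
        return 1
    fi
    actual=$(sha256_of "$img")
    if [ "$expected" != "$actual" ]; then
        printf 'MISMATCH for %s\n  expected %s\n  got      %s\n' "$name" "$expected" "$actual" >&2
        return 1
    fi
    printf 'OK %s\n' "$name"
    return 0
}

# Usage, once install65.fs and SHA256 sit in the same directory:
#   verify_image install65.fs SHA256 && dd if=install65.fs of=/dev/rdisk2 bs=1m
```

A matching digest only proves the image is the one the SHA256 file describes; an attacker who can replace install65.fs on a mirror can replace SHA256 as well. The authenticating check is signify against SHA256.sig with the release key, `signify -C -p /etc/signify/openbsd-65-base.pub -x SHA256.sig install65.fs`, run on an OpenBSD machine that already has that key in /etc/signify.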

Time to boot from the USB stick. On my ThinkPad X230i, I had to disable Secure Boot. This was a refurbished Windows laptop: go into the BIOS and, in the [Security] section, set “Secure Boot” to “Disabled”. On boot, hit F12 and select « USB Flash Disk » from the [Boot Menu].

Not sure why, but the USB drive plugged into the right USB port (USB 2.0 with charging function) didn’t fully boot. It did on the left USB port (USB 3.0).

Now let OpenBSD 6.5-BETA boot. I’m using a French keyboard, so I start the (I)nstall process, select the “fr” keyboard and hit “^C” to drop to a shell. US keyboard users may go straight to a (S)hell.

As explained in the documentation, overwrite the destination disk with random data (so that old data and unused space are indistinguishable from the encrypted volume), create a GPT with a small EFI partition (the -b 960 below) and a single RAID partition covering the rest of the disk:

# dd if=/dev/urandom of=/dev/rsd0c bs=1m
# fdisk -iy -g -b 960 sd0
# disklabel -E sd0
> a a 
offset: [1024]
size: [500117105] *
FS type: [4.2BSD] RAID
> p
#        size  offset  fstype [fsize bsize   cpg]
a:  500117105    1024    RAID
c:  500118192       0  unused
i:        960      64   MSDOS
> w
> q

When done, plug the USB keydisk in. The kernel will detect it and print a blue attach message on the console; note the device name. The installation kernel only creates the /dev/sd0 nodes, so the device nodes for the USB keydisk have to be created with MAKEDEV first. Then, as specified in the documentation, erase it and prepare a RAID partition for the key:

# cd /dev
# sh MAKEDEV sd2
# dd if=/dev/urandom of=/dev/rsd2c bs=1m
# fdisk -iy sd2
# disklabel -E sd2
> a a
offset: [64]
size: [7855721]: 1M
FS type: [4.2BSD] RAID
> p
#      size  offset  fstype [fsize bsize   cpg]
a:    16001      64    RAID
c:  7858176       0  unused
> w
> q

Now let’s create the encrypted volume that OpenBSD will later be installed on. bioctl -c C asks for the CRYPTO discipline, -k names the keydisk partition and -l the partition to encrypt:

# bioctl -c C -k sd2a -l sd0a softraid0
sd3 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
sd3: 244197MB, 512 bytes/sector, 500116577 sectors
softraid0: CRYPTO volume attached as sd3

To sum it up before running the installation: sd0 is the SSD, sd1 is the USB installation drive, sd2 is the USB keydisk and sd3 is the encrypted volume.
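The SSD, keydisk and softraid steps above, as one script with a dry-run mode and a device-name check. This is an added example, not code from the original post. It assumes the same device roles as the post (sd0 SSD, sd1 installer, sd2 keydisk); the assumption that disklabel -E will take its answers on stdin works in practice but is not the documented template interface, so verify the label with disklabel sdN before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post: the SSD, keydisk and softraid
# steps as one script with a dry-run mode and a device-name check.
# Assumed: the same device roles as in the post (sd0 SSD, sd1 installer,
# sd2 keydisk), and that disklabel -E accepts its answers on stdin, which
# works in practice but is not the documented template interface.
set -eu

ROOT_DISK=${ROOT_DISK:-sd0}            # the SSD that will hold the encrypted volume
KEYDISK=${KEYDISK:-sd2}                # the USB stick that becomes the keydisk
INSTALL_MEDIA=${INSTALL_MEDIA:-sd1}    # the stick we booted from: never touched
DRY_RUN=${DRY_RUN:-1}                  # print commands by default; DRY_RUN=0 wipes disks

# Echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to run when two roles name the same disk or a name is not a bare
# sdN device: wiping the installer or the SSD after a typo is the usual accident.
check_devices() {
    for d in "$ROOT_DISK" "$KEYDISK" "$INSTALL_MEDIA"; do
        case "$d" in
            sd[0-9]|sd[0-9][0-9]) ;;
            *) return 1 ;;
        esac
    done
    if [ "$ROOT_DISK" = "$KEYDISK" ] || [ "$ROOT_DISK" = "$INSTALL_MEDIA" ] ||
       [ "$KEYDISK" = "$INSTALL_MEDIA" ]; then
        return 1
    fi
    return 0
}

# Answer disklabel -E's prompts: "a a" adds partition a, an empty line keeps
# the default offset, $2 is the size ("*" = rest of the disk, "1M" on the
# keydisk), then the RAID fstype, write, quit.
label_raid() {
    disk=$1
    size=$2
    if [ "$DRY_RUN" = 1 ]; then
        printf 'disklabel -E %s  # answers: a a / <default offset> / %s / RAID / w / q\n' "$disk" "$size"
    else
        printf 'a a\n\n%s\nRAID\nw\nq\n' "$size" | disklabel -E "$disk"
    fi
}

# SSD: random fill so old data and free space look like ciphertext, GPT with a
# 960-sector EFI partition, and one RAID partition spanning the rest.
prepare_root_disk() {
    run dd if=/dev/urandom "of=/dev/r${ROOT_DISK}c" bs=1m || true   # dd may exit non-zero at end of device
    run fdisk -iy -g -b 960 "$ROOT_DISK"
    label_raid "$ROOT_DISK" '*'
}

# Keydisk: the install kernel ships only the sd0 nodes, so create the others
# first, then random-fill, MBR, and a small RAID partition for the key.
prepare_keydisk() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'cd /dev && sh MAKEDEV %s\n' "$KEYDISK"
    else
        (cd /dev && sh MAKEDEV "$KEYDISK")
    fi
    run dd if=/dev/urandom "of=/dev/r${KEYDISK}c" bs=1m || true
    run fdisk -iy "$KEYDISK"
    label_raid "$KEYDISK" 1M
}

# Build the CRYPTO volume: -k takes the key from the keydisk partition,
# -l is the partition to encrypt. It attaches as the next free sdN (sd3 here).
attach_crypto() {
    run bioctl -c C -k "${KEYDISK}a" -l "${ROOT_DISK}a" softraid0
}

main() {
    if ! check_devices; then
        printf 'refusing to run: device roles overlap or are not sdN names\n' >&2
        return 1
    fi
    prepare_root_disk
    prepare_keydisk
    attach_crypto
}

main
```

Run it once as is to read the plan, compare the device names against the blue attach messages on the console, and only then rerun with DRY_RUN=0 from the installer shell.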

Exit the shell and run the (I)nstall. During disk selection, remember to pick the encrypted device, not the SSD itself:

Available disks are: sd0 sd1 sd2 sd3.
Which disk is the root disk? ('?' for details) [sd0] sd3
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [gpt] g

I’m not sure whether GPT is required here or if MBR can be used as soon as GPT is configured on sd0.

I like to enable “softdep” on the destination partition before rebooting; this can also be done after the first boot. The fstab line shown below also carries “wxallowed”, which lets binaries on that filesystem map pages both writable and executable, i.e. it switches off W^X enforcement for them. OpenBSD only sets it on /usr/local by default, so keep it off the root filesystem unless you know a program there needs it.

# chroot /mnt /bin/sh
# export TERM=vt100
# vi /etc/fstab
(...) ffs rw,softdep,wxallowed (...)
# exit
# reboot

Remove the USB installation thumb drive and keep the USB keydisk plugged in. On the first boot, OpenBSD will report that:

softraid0: volume sd2 is roaming, it used to be sd3, updating metadata
root on sd2a (...)

From now on, sd0 is the SSD, sd1 is the USB keydisk and sd2 is the encrypted volume. Once the OS has booted, the keydisk can be removed and stored securely: the key material was read when the volume was attached and is not needed again until the next boot.

When the system is suspended (zzz), the keydisk is not required on wake-up, because the unlocked volume stays attached in memory. When the system hibernates (ZZZ), memory is written to swap and the laptop goes through a full boot on resume, so the keydisk is required again.

By the way, the keydisk can be backed up and restored using dd; check out FAQ 14. Store the backup in a safe place: the image unlocks the SSD exactly as the keydisk does, so it is every bit as sensitive.