21 November 2013

OpenBSD 5.4 Full Disk Encryption Installation

The OpenBSD team made full disk encryption during installation easy as apple pie.  Follow the video below.


Description of Video Steps


1. Boot the install CD.  This might be the easiest step.
2. Initialize the disk with fdisk -i wd0, which assumes you are using wd0 as your main disk.
3. Add the OpenBSD disklabel with disklabel -E wd0.
4. Ensure the FS Type of the partition is set to RAID.
5. We'll create the encrypted volume with bioctl -c C -l /dev/wd0a softraid0, using partition a (the one set to RAID), and of course we'll enter a strong passphrase when prompted.
6. The softraid volume is assigned its own name, sd0, which will be used later.
7. Exit the shell to return to the installer.
8. When the installer asks which disk is the root disk, enter the softraid volume name sd0.

Install Using Desired Settings


9. Eject the CD once the installation has finished and reboot.
10. Enter the secure passphrase from step 5 when prompted at boot.

Post Install Validation Steps


Let's look at our handiwork and ensure things look right.

11. A close examination reveals that swap is located on the softraid volume, as sd0b.  This means the swap is encrypted twice, which can be remedied but hasn't been for this demo: OpenBSD manages the key for its own swap encryption, and the softraid volume adds a second layer.  You can avoid this either by moving swap out of the softraid volume or by turning the kernel's swap encryption off via sysctl, which leaves swap encrypted once, with the same passphrase as the rest of the softraid volume.

12. Good news! We are using the softraid volume sd0 for everything.

13. A little peek shows different major and minor numbers between the softraid volume sd0 and the physical drive wd0.

14. Now we'll use the install CD to see if we are really encrypted.

15. Note that wd0c holds the boot code.  Most of it is binary, but you can see string data such as "...floppy or old BIOS..." and other text.

16. If you press spacebar and scroll for some time, you will find the encrypted block and no hint at all of your OpenBSD data in plaintext.
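Added example, not code from the original post: a small POSIX shell helper that mechanises the checks from steps 11 and 12. It runs on constructed sample output resembling OpenBSD 5.4 `mount`, `disklabel sd0` and `sysctl vm.swapencrypt.enable` output; on a live system, pipe in the real output instead.

```shell
#!/bin/sh
# Post-install validation helper (added example, not from the original post).
# Step 12 check: every mounted filesystem should sit on the softraid volume.
# Step 11 check: swap on that volume plus vm.swapencrypt.enable=1 means swap
# is encrypted twice. The sample strings below are CONSTRUCTED.

SAMPLE_MOUNT='/dev/sd0a on / type ffs (local)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
/dev/sd0f on /usr type ffs (local, nodev)'

SAMPLE_DISKLABEL='# /dev/rsd0c:
label: SR CRYPTO
16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:          2097152               64  4.2BSD   2048 16384    1 # /
  b:          4194304          2097216    swap                   # none
  c:         41943040                0  unused
  d:          8388608          6291520  4.2BSD   2048 16384    1 # /tmp'
SAMPLE_SYSCTL='vm.swapencrypt.enable=1'

# Print each mounted device that is NOT a partition of the given disk.
# Empty output means step 12 holds: everything lives on the softraid volume.
mounts_off_volume() {    # $1 = disk (e.g. sd0); stdin = mount(8) output
    awk -v disk="$1" '$1 ~ /^\/dev\// {
        dev = substr($1, 6); sub(/[a-p]$/, "", dev)   # /dev/sd0a -> sd0
        if (dev != disk) print $1
    }'
}

# Print the letters of partitions whose fstype is swap.
swap_partitions() {      # stdin = disklabel(8) output of the crypto volume
    awk '$1 ~ /^[a-p]:$/ && $4 == "swap" { print substr($1, 1, 1) }'
}

# Count encryption layers over swap: one for a swap partition inside the
# softraid volume, one for the kernel's own swap encryption. 2 is step 11.
swap_encryption_layers() {   # $1 = disklabel output; $2 = sysctl output
    on_volume=$(printf '%s\n' "$1" | swap_partitions)
    layers=0
    [ -n "$on_volume" ] && layers=$((layers + 1))       # softraid layer
    case "$2" in *=1) layers=$((layers + 1)) ;; esac    # kernel layer
    echo "$layers"
}

printf '%s\n' "$SAMPLE_MOUNT" | mounts_off_volume sd0   # prints nothing
swap_encryption_layers "$SAMPLE_DISKLABEL" "$SAMPLE_SYSCTL"   # prints 2
```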

For the sake of a speedy demo, all default options were taken unless noted above.  Enjoy.
