Sometimes I can see the future. When someone says, “I’ve encrypted my hard drive!” I have a psychic vision of them saying “I’ve lost all my data!” While encrypting a hard drive partition is warranted in some cases, most of the time, it’s just pretentious. In this section, I will do you the courtesy of assuming that you understand when you truly need disk encryption if you will do me the courtesy of not complaining to me when you lose your data.[25]
OpenBSD includes disk encryption as a bioctl(8) option—specifically, as a RAID discipline. Where disk activity would normally pass through a RAID discipline, here it passes through an encryption discipline. The encrypted disk even shows up as a softraid device. Much like the support for RAID-5, support for encrypted volumes is experimental. Although it should work, don’t be shocked if some features are not yet included or if it eats your entire disk. Keep good backups. Reread the previous paragraph. And again—please don’t complain to me when it doesn’t work.
Under OpenBSD, an encrypted volume can include only a single partition. Use the RAID type C to specify an encrypted volume. Here’s how to create an encrypted volume on the sd4p partition:
# bioctl -c C -l sd4p softraid0
New passphrase:
Re-type passphrase:
softraid0: SR CRYPTO volume attached as sd5
When prompted, enter a passphrase twice. A good passphrase is several words long and includes a mix of letters, numbers, punctuation, and whitespace. The passphrase protects the key that encrypts and decrypts your data, so the longer and more varied it is, the better. Remember this passphrase; you must enter it again to recover your data, and nobody can recover it for you if you forget it. Once you’ve entered your passphrase twice, bioctl creates the encrypted disk device. In this case, it has attached the encrypted volume softraid0 as disk sd5. That last line is the kernel reporting the attach, so you will also find it in dmesg output.
Do not mount this new disk yet! Instead, use fdisk to check our new, encrypted partition.
# fdisk sd5
Disk: sd5 geometry: 6526/255/63 [104855663 Sectors]
Offset: 0 Signature: 0x8BF9
Starting Ending LBA Info:
#: id C H S - C H S [ start: size ]
------------------------------------------------------------------------------
0: D9 230285 63 36 - 134263 55 58 [ 3699532529: 2752373385 ] <Unknown ID>
1: 8C 73068 221 44 - 176434 56 49 [ 1173851386: 1660564401 ] <Unknown ID>
2: C9 218148 78 47 - 141866 243 13 [ 3504552580: 3069507328 ] <Unknown ID>
3: AC 125252 6 1 - 245307 77 22 [ 2012173758: 1928688070 ] <Unknown ID>
The underlying partition has never been written with anything meaningful, so what fdisk shows is the decryption of whatever bytes happened to be there: garbage. Our fdisk output looks like nonsense, but this disk is now an encrypted volume, and anything you write to sd5 lands on sd4p in encrypted form.
Now that the encrypted disk exists, create an MBR partition and add disklabel partitions, just as when you add any other disk. Then you can mount your encrypted device partition using the device node—again, just as with any other disk.
To put the volume away, first unmount any filesystems on the decrypted disk, then destroy the softraid device by passing bioctl the -d argument. The order matters: bioctl refuses to detach a volume that is still in use.
# bioctl -d sd5
To anyone who doesn’t have the passphrase, this partition now looks like random garbage.
If you have an encrypted partition, presumably you don’t want OpenBSD to automatically decrypt and mount it when the system boots. (The whole point of an encrypted partition is that only a person who has the passphrase can access the encrypted data.) Still, I’m not one to tell you not to shoot yourself in the foot, so if you must automatically decrypt the partition, you can do so.
First, create a file containing your passphrase. Give ownership of this file to root and set the permissions to 600 (read-write by owner; no access by other users), and then give this file to bioctl(8) with the -p flag. Understand what this buys you: the passphrase file sits on an unencrypted disk, so anyone who walks off with the machine has the file and, with it, your data. In this example, the encrypted disk is created as /dev/sd5 and there is a partition on /dev/sd5a. I’ve stored my passphrase in the file /etc/passphrase, so I could run something like this:
# bioctl -c C -l sd4p -p /etc/passphrase softraid0
# mount /dev/sd5a /home/mwlucas
Adding these two commands to /etc/rc.securelevel will attach and mount this encrypted partition at boot.
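Here is an added example that wraps the whole procedure described above, both the manual attach/detach steps and the boot-time attach with a passphrase file. It is my own script, not code from the book or from OpenBSD, and it assumes only the bioctl(8) invocations shown on this page plus the comma-separated "name:duid" format of sysctl hw.disknames. The function names (new_disk, keyfile_ok, attach_crypto, detach_crypto) are my own. Because the "attached as sd5" message comes from the kernel rather than from bioctl's standard output, the script learns the new device name by comparing hw.disknames before and after the attach instead of parsing bioctl.

```sh
#!/bin/sh
# Added example wrapper around the bioctl(8) encrypted-volume procedure.
# Not from the book or from OpenBSD. Assumes: bioctl -c C -l CHUNK -p FILE
# softraid0 to attach, bioctl -d DEV to detach, and sysctl hw.disknames in
# the form "sd0:duid,cd0:,sd5:". bioctl is only invoked when the script is
# run with "attach" or "detach" on an OpenBSD host.

# Print the disk that appears in hw.disknames value $2 but not in $1.
# Example: new_disk 'sd0:abc,cd0:' 'sd0:abc,cd0:,sd5:'  ->  sd5
new_disk() {
    printf '%s\n%s\n' "$1" "$2" | awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) { split($i, a, ":"); seen[a[1]] = 1 } }
        NR == 2 { for (i = 1; i <= NF; i++) { split($i, a, ":"); if (!(a[1] in seen)) print a[1] } }'
}

# Accept a passphrase file only if it is a regular file, mode exactly 0600
# and owned by $2 (default root). Anything looser hands the passphrase to
# every local user. find -perm 600 is an exact-mode match, -user checks owner.
keyfile_ok() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -type f -perm 600 -user "$owner" 2>/dev/null)" ]
}

# Attach the encrypted volume on chunk $1 (e.g. sd4p) with passphrase file
# $2 and print the decrypted disk device (e.g. sd5).
attach_crypto() {
    chunk=$1
    keyfile=$2
    keyfile_ok "$keyfile" root || {
        echo "refusing $keyfile: must be a regular file, owned by root, mode 0600" >&2
        return 1
    }
    before=$(sysctl -n hw.disknames)
    bioctl -c C -l "$chunk" -p "$keyfile" softraid0 || return 1
    after=$(sysctl -n hw.disknames)
    dev=$(new_disk "$before" "$after")
    [ -n "$dev" ] || { echo "no new disk appeared after attach" >&2; return 1; }
    printf '%s\n' "$dev"
}

# Unmount every filesystem on decrypted disk $1 (deepest mount point first),
# then detach the softraid volume. bioctl -d refuses a volume still in use,
# so the unmounts must come first. Mount points containing spaces are not
# handled by this simple word-split loop.
detach_crypto() {
    dev=$1
    mps=$(mount | awk -v d="/dev/$dev" '$1 ~ "^" d "[a-p]$" { print $3 }' | sort -r)
    for mp in $mps; do
        umount "$mp" || return 1
    done
    bioctl -d "$dev"
}

# Usage: attach CHUNK KEYFILE | detach DEV
# With no arguments nothing is executed, so the helpers can be tested anywhere.
case "${1:-}" in
    attach) attach_crypto "$2" "$3" ;;
    detach) detach_crypto "$2" ;;
esac
```

For the boot-time case, a line such as `/path/to/this/script attach sd4p /etc/passphrase` followed by the mount belongs in /etc/rc.securelevel; the keyfile_ok check means a passphrase file that has drifted to world-readable permissions stops the attach instead of silently continuing.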
You should now have a good idea of how to manage OpenBSD disks and filesystems. Next, we’ll look at some of OpenBSD’s special security features.
[21] I don’t know what a dump level of 128m means, other than “not what I want.”
[22] How many users do I mean by “a few?” When synchronizing UIDs across all of your systems begins to really, really annoy you, you no longer have a few users.
[23] You could add a non-RAID partition in the unused space on the larger drive, but that would do terrible things to your system’s performance. Just buy more hard drives, you cheapskate.
[24] If you need to force an error on a hard disk, removing the disk from the machine will certainly do it.
[25] Not that I can help you—all I can do is say “I told you so.” On a related note: You can get tired of anything, no matter how pleasant, if you have to do it often enough.