Softraid Crypto
Predrag Punosevac
Last Updated: %%mtime(%A %B %d, %Y)

%!target: xhtml
%!options: --toc --toc-level 2 --css-sugar
%!style: t2t.css

----------------------------------------------------------------------

=== Introduction ===

In this brief article we describe the use of the softraid kernel driver to encrypt an entire laptop. The only unencrypted parts of the laptop are pieces of the boot block and the RAID 1 metadata.

----------------------------------------------------------------------

=== Creating a RAID 1 volume ===

For the purpose of this presentation it will be assumed that the laptop has only one HDD, which is detected as the SCSI HDD ``sd0``. Note that the procedure is slightly easier if the disk is detected as an IDE HDD, ``wd0``.

```
CD-ROM: E0
Loading /5.1/AMD64/CDBOOT
probing: pc0 com0 mem[639K 126M a20=on]
disk: hd0+* cd0
>> OpenBSD/amd64 CDBOOT 3.16
boot>
```

Continue the boot process and choose to launch a shell:

```
Welcome to the OpenBSD/amd64 5.4 installation program.
(I)nstall, (U)pgrade or (S)hell? s
```

One can list the names of the disks with:

```
# sysctl hw.disknames
```

By default OpenBSD creates only one ``/dev`` entry, for the first hard drive, so we need to create a second:

```
# cd /dev/
# sh MAKEDEV sd1
```

You will need to properly ``fdisk(8)`` the physical drives (if appropriate for your platform -- make sure you set up the second disk so it is bootable!) and then use disklabel to set up the partitions. The ``fdisk(8)`` steps below will put an MBR and an OpenBSD partition on the disk. If you wish to use the entire disk for OpenBSD (i.e., have NOTHING else on the disk), you can do this with a simple one-liner for each drive:

```
# fdisk -iy sd1
Writing MBR at offset 0.
```

Now we need to create a BSD label partition of FS type "raid" on our disk.

```
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
> a a
offset: [64]
size: [20964761]
FS type: [4.2BSD] raid
> q
Write new label?: [y]
# disklabel sd0 > protofile
```

Note that ``softraid(4)`` has to look around a bit to find evidence of arrays it needs to assemble. If your disk has been used for softraid previously, you may find it very helpful to use ``dd(1)`` to clear the first megabyte or so from each partition before going any further:

```
# dd if=/dev/zero of=/dev/rsd0a bs=1m count=1
```

----------------------------------------------------------------------

=== Softraid Crypto ===

Cryptographic ``softraid(4)`` volumes are set up rather simply:

```
# bioctl -c C -l /dev/sd0a softraid0
New passphrase: My Crypto Pass Phrase
Re-type passphrase: My Crypto Pass Phrase
softraid0: CRYPTO volume attached as sd1
```

----------------------------------------------------------------------

=== Installing OpenBSD on created Crypto Volume ===

Return to the OpenBSD installer (Ctrl+D), and select the new softraid disk as the destination root disk:

```
# ^D
erase ^?, werase ^W, kill ^U, intr ^C, status ^T

Welcome to the OpenBSD/amd64 5.1 installation program.
(I)nstall, (U)pgrade or (S)hell? i
(etc...)
Available disks are: sd0 sd1.
Which one is the root disk? (or 'done') [sd0] sd1
```

Once installed, simply reboot and enjoy:

```
>> OpenBSD/amd64 BOOT 3.18
boot>
booting sr0a:/bsd: 5648376+1600524+932384+0+616448 [89+497880+322605]=0xd2d0a8
entry point at 0x1001e0 [7205c766, 34000004, 24448b12, ccb8a304]
(etc...)
sd0 at scsibus2 targ 1 lun 0: SCSI2 0/direct fixed
sd0: 10236MB, 512 bytes/sector, 20964233 sectors
root on sd0a (f7748118e1f577a4.a) swap on sd0b dump on sd0b
Automatic boot in progress: starting file system checks.
(etc...)
```

----------------------------------------------------------------------
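
The ``dd`` and ``bioctl -c C`` steps above both act on ``sd0a``, so it is worth confirming from the saved ``protofile`` that partition ``a`` really has FS type RAID before running them. The following pre-flight check is an added example, not part of the original article; the function names and the embedded disklabel text are constructed for illustration, and it assumes the usual ``disklabel`` partition table layout (letter, size, offset, fstype).

```sh
#!/bin/sh
# Added example: inspect `disklabel sd0` output (e.g. the saved protofile)
# and report whether a given partition has FS type RAID.

# Constructed sample of disklabel output; the 'a' partition matches the
# offset and size entered in the session above, the rest is illustrative.
sample_protofile() {
cat <<'EOF'
# /dev/rsd0c:
type: SCSI
label: constructed sample
bytes/sector: 512
total sectors: 20971520

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:         20964761               64    RAID
  c:         20971520                0  unused
EOF
}

# partition_fstype LETTER
# Reads disklabel text on stdin and prints the fstype of that partition.
# Exits non-zero if the partition is not present in the label.
partition_fstype() {
    awk -v p="$1:" '
        # Partition rows look like "a: <size> <offset> <fstype> ..."
        $1 == p && $2 ~ /^[0-9]+$/ { print $4; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# is_raid_partition LETTER
# Succeeds only if the partition exists and its fstype is RAID.
is_raid_partition() {
    fstype=$(partition_fstype "$1") || return 1
    [ "$fstype" = "RAID" ]
}

# Typical use in the installer shell (hypothetical invocation):
#   is_raid_partition a < protofile || echo "sd0a is not a RAID partition"
```
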