October 31, 2016

OpenBSD: Encrypt /home

Since I need to have a small partition to host linux because of skype and other blobby software, I cannot fully encrypt my drive using softraid. For this, I create a partition as big as possible to host /home in it and I get it encrypted.

As a reference, my partitions and their sizes are as follow (including a sd0b, swap of 8G):

Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      2.9G    1.2G    1.6G    42%    /
/dev/sd0d      2.9G   79.3M    2.7G     3%    /tmp
/dev/sd0f      9.8G    1.9G    7.5G    20%    /usr
/dev/sd0l      486M    262M    200M    57%    /usr/X11R6
/dev/sd0g     14.8G   13.2G    869M    94%    /usr/local
/dev/sd0e      486M   92.0M    370M    20%    /var
/dev/sd1a      325G    272G   36.3G    88%    /home

As you can see, /home has a different filesystem. In this page I explain step by step how to get any partition encrypted and mounted upon boot (I’ll be using /home for the example).

After the usual installation, first you have to cange the FS type of the partition you want to encript to RAID

# disklabel -E /dev/sd0c
Label editor (enter '?' for help at any prompt)
> m h
offset: [39375296]
size: [460742208]
FS type: [4.2BSD] RAID
> w
> q

Write it over with random data

# umount /home/
# dd if=/dev/random of=/dev/rsd0h bs=4m

Get your passphrase to attach the CRYPTO volume

# bioctl -c C -l /dev/sd0h softraid0

New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd1

Note that it’s sd1, don’t get confused from now. This is your new volume.

Zero out the first megabyte as well and create a partition “i”:

# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
1+0 records in
1+0 records out
1048576 bytes transferred in 0.017 secs (59328731 bytes/sec)
# fdisk -iy sd1
Writing MBR at offset 0.
# disklabel -E sd1
Label editor (enter '?' for help at any prompt)
> a a
offset: [64]
size: [460728071]
FS type: [4.2BSD]
Rounding size to bsize (64 sectors): 460728064
> w
> q
No label changes.

Create the new file system

# newfs /dev/rsd1a

Comment out /home, or delete it, from /etc/fstab and then add these bits to /etc/rc.local

for attept in 1 2 3 4; do
bioctl -c C -l df31d27ca420f865.h softraid0 && break
sleep 1
done
/usr/games/fortune -o
sleep 3
fsck /dev/rsd1a
mount -o nodev,nosuid,softdep cd321eba8d5d7422.a /home

The system will give up after four failed attempts. I got this last piece from Eric Radman. It is a good idea to use the uid format instead of /dev/sd1, because next time you plug in a, say, usb drive, the system might get confused. The line with fortune -o is to make your day more interesting.

You can retrieve the uid of the disk  by running

disklabel sd0a | grep uid

and of the encrypted partition by running

disklabel sd1a | grep uid