October 31, 2016

OpenBSD: Encrypt /home

Since I need a small partition to host Linux for Skype and other blobby software, I cannot fully encrypt the drive with softraid. Instead, I create a partition as big as possible, put /home on it, and encrypt only that. Keep in mind what this does and does not protect: only /home ends up encrypted; /, /tmp, /var and the rest stay in the clear. (Swap is handled separately: OpenBSD encrypts it by default, see vm.swapencrypt.enable in sysctl(8).)

As a reference, my partitions and their sizes are as follows (there is also sd0b, an 8G swap partition, which df does not list):

Filesystem Size Used Avail Capacity Mounted on
/dev/sd0a 2.9G 1.1G 1.7G 39% /
/dev/sd0d 2.9G 4.0M 2.8G 0% /tmp
/dev/sd0f 9.8G 1.4G 7.9G 15% /usr
/dev/sd0l 486M 201M 261M 44% /usr/X11R6
/dev/sd0g 14.8G 11.3G 2.7G 80% /usr/local
/dev/sd0e 486M 75.3M 387M 16% /var
/dev/sd1a 325G 252G 57.1G 82% /home

As you can see, /home lives on a different disk device, sd1, which is the attached CRYPTO volume rather than a physical disk. In this page I explain step by step how to get any partition encrypted and mounted at boot (I'll be using /home for the example).

After the usual installation, first change the FS type of the partition you want to encrypt (here sd0h, the old unencrypted /home) to RAID:

# disklabel -E /dev/sd0c
Label editor (enter '?' for help at any prompt)
> m h
offset: [39375296]
size: [460742208]
FS type: [4.2BSD] RAID
> w
> q

Unmount it (it is still mounted as /home at this point) and overwrite it with random data, so that the old plaintext is gone and the encrypted volume cannot be told apart from unused space:

# umount /home/
# dd if=/dev/random of=/dev/rsd0h bs=4m

Create the CRYPTO volume on top of it; bioctl will prompt for the passphrase:

# bioctl -c C -l /dev/sd0h softraid0

New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd1

Note that the new volume shows up as sd1; from now on, work on sd1 and not on sd0h, which is the encrypted container.

Zero out the first megabyte of the new volume as well, so no stale MBR or label is found on it, write a fresh MBR, and create a partition "a" spanning the whole volume:

# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
1+0 records in
1+0 records out
1048576 bytes transferred in 0.017 secs (59328731 bytes/sec)

# fdisk -iy sd1
Writing MBR at offset 0.

# disklabel -E sd1
Label editor (enter '?' for help at any prompt)
> a a
offset: [64]
size: [460728071]
FS type: [4.2BSD]
Rounding size to bsize (64 sectors): 460728064
> w
> q
No label changes.

Create the new file system on the partition you just made:

# newfs /dev/rsd1a

Comment out /home, or delete it, from /etc/fstab (otherwise the boot will stall trying to mount the old partition) and then add these bits to /etc/rc.local:

for attempt in 1 2 3 4; do
bioctl -c C -l df31d27ca420f865.h softraid0 && break
sleep 1
done
fsck /dev/rsd1a
mount -o nodev,nosuid,softdep cd321eba8d5d7422.a /home

The loop gives up after four failed passphrase attempts (bioctl prompts on the console, so a headless box will sit at boot until someone types it). I got this last piece from Eric Radman. It is a good idea to use the disklabel UID (DUID) format instead of /dev/sd0h and /dev/sd1a, because the next time you boot with, say, a USB drive plugged in, the sdN numbering can shift and the script would point at the wrong disk.

You can retrieve the DUID of the physical disk by running

disklabel sd0 | grep duid

and that of the encrypted volume (it must be attached at the time) by running

disklabel sd1 | grep duid
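The rc.local snippet above is the whole procedure condensed into a few lines; here it is as a small, self-contained sh script that you can drop into /etc/rc.local and call. This is an added example and not code from the original post: it keeps the bounded number of passphrase attempts, addresses both the container and the decrypted filesystem by DUID (fsck(8) and mount(8) on OpenBSD resolve DUID.partition names the same way fstab does), and refuses to mount if fsck cannot bring the filesystem to a clean state. The two DUIDs are the placeholders from the text; replace them with the output of `disklabel sd0 | grep duid` and `disklabel sd1 | grep duid`. The command names are indirected through variables only so the logic can be exercised without root or softraid; on a real system leave them at their defaults.

```shell
#!/bin/sh
# Added example (not from the original post): unattended attach and mount of a
# softraid CRYPTO volume at boot, meant to be called from /etc/rc.local.
# DUIDs below are placeholders taken from the text; substitute your own.

RAW_DUID=${RAW_DUID:-df31d27ca420f865}      # disk holding the RAID partition
RAW_PART=${RAW_PART:-h}                     # the RAID partition on that disk
CRYPTO_DUID=${CRYPTO_DUID:-cd321eba8d5d7422} # the attached CRYPTO volume
CRYPTO_PART=${CRYPTO_PART:-a}               # filesystem partition on the volume
MOUNTPOINT=${MOUNTPOINT:-/home}
MAX_ATTEMPTS=${MAX_ATTEMPTS:-4}             # passphrase tries before giving up
SLEEP=${SLEEP:-1}                           # pause between failed attempts

# Command indirection: only so the functions can be tested without softraid.
BIOCTL=${BIOCTL:-bioctl}
FSCK=${FSCK:-fsck}
MOUNT=${MOUNT:-mount}

# parse_duid: read disklabel(8) output on stdin, print the 16-hex-digit DUID.
# Usage: disklabel sd0 | parse_duid
parse_duid() {
    sed -n 's/^duid: *\([0-9a-f]\{16\}\).*/\1/p'
}

# attach_volume: prompt for the passphrase up to MAX_ATTEMPTS times.
# Returns 0 as soon as bioctl succeeds, 1 after the last failed attempt.
attach_volume() {
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        if "$BIOCTL" -c C -l "${RAW_DUID}.${RAW_PART}" softraid0; then
            return 0
        fi
        echo "attach failed (attempt $attempt of $MAX_ATTEMPTS)" >&2
        attempt=$((attempt + 1))
        sleep "$SLEEP"
    done
    return 1
}

# mount_volume: preen-check the decrypted filesystem, then mount it nodev,
# nosuid. A filesystem fsck -p cannot clean is left unmounted for manual repair.
mount_volume() {
    "$FSCK" -p "${CRYPTO_DUID}.${CRYPTO_PART}" || return 1
    "$MOUNT" -o nodev,nosuid,softdep "${CRYPTO_DUID}.${CRYPTO_PART}" "$MOUNTPOINT"
}

# encrypted_home_up: the entry point to call from /etc/rc.local.
encrypted_home_up() {
    if ! attach_volume; then
        echo "giving up on $MOUNTPOINT: CRYPTO volume not attached" >&2
        return 1
    fi
    mount_volume
}

# Run the procedure only when invoked as "script run", so that sourcing the
# file to reuse its functions has no side effects.
if [ "${1-}" = "run" ]; then
    encrypted_home_up
fi
```

In /etc/rc.local, source the file and call `encrypted_home_up`, or invoke it with the `run` argument. Because rc.local runs late in the boot, anything that needs /home (a login manager, a home-directory-based service) must start after it; daemons started from rc.conf.local come up before rc.local and will see an empty mount point.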