OpenBSD Post-Install Home Encryption

In this post I show the steps to encrypt the home directory after installing OpenBSD 6.3.

I used the default installation for this tutorial; please keep in mind that the default installation is not the best option.

* Unmount /home directory *

dalmine# umount /home
dalmine# df -h /home
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 1005M 139M 816M 15% /
dalmine#

* Check our disk layout *

Now we need to check the disk layout in order to change the fstype of the home partition to RAID, the partition type softraid expects for its chunks.


dalmine# disklabel /dev/wd0c
# /dev/wd0c:
type: ESDI
disk: ESDI/IDE disk
label: KINGSTON SV300S3
duid: 9ba067d2173d5a31
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 116301
total sectors: 117231408
boundstart: 1024
boundend: 117231345
drivedata: 0

16 partitions:
# size offset fstype [fsize bsize cpg]
a: 2097152 1024 4.2BSD 2048 16384 12958 # /
b: 8641640 2098176 swap # none
c: 117231408 0 unused
d: 8291456 10739840 4.2BSD 2048 16384 12958 # /tmp
e: 13238144 19031296 4.2BSD 2048 16384 12958 # /var
f: 4194304 32269440 4.2BSD 2048 16384 12958 # /usr
g: 2097152 36463744 4.2BSD 2048 16384 12958 # /usr/X11R6
h: 17182912 38560896 4.2BSD 2048 16384 12958 # /usr/local
i: 960 64 MSDOS
j: 4194304 55743808 4.2BSD 2048 16384 12958 # /usr/src
k: 10314304 59938112 4.2BSD 2048 16384 12958 # /usr/obj
l: 46978912 70252416 4.2BSD 2048 16384 12958 # /home
dalmine#

The c partition (wd0c) covers the entire disk, so that is the label we read; in it we look for the home directory partition, which in this case is l.

dalmine# disklabel -E /dev/wd0c
Label editor (enter '?' for help at any prompt)
> p
OpenBSD area: 1024-117231345; size: 117230321; free: 41
# size offset fstype [fsize bsize cpg]
a: 2097152 1024 4.2BSD 2048 16384 12958 # /
b: 8641640 2098176 swap # none
c: 117231408 0 unused
d: 8291456 10739840 4.2BSD 2048 16384 12958 # /tmp
e: 13238144 19031296 4.2BSD 2048 16384 12958 # /var
f: 4194304 32269440 4.2BSD 2048 16384 12958 # /usr
g: 2097152 36463744 4.2BSD 2048 16384 12958 # /usr/X11R6
h: 17182912 38560896 4.2BSD 2048 16384 12958 # /usr/local
i: 960 64 MSDOS
j: 4194304 55743808 4.2BSD 2048 16384 12958 # /usr/src
k: 10314304 59938112 4.2BSD 2048 16384 12958 # /usr/obj
l: 46978912 70252416 4.2BSD 2048 16384 12958 # /home
> m
partition to modify: [] l
offset: [70252416]
size: [46978912]
FS type: [4.2BSD] RAID
> w
> q
No label changes.
dalmine#
dalmine# disklabel /dev/wd0c
# /dev/wd0c:
type: ESDI
disk: ESDI/IDE disk
label: KINGSTON SV300S3
duid: 9ba067d2173d5a31
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 116301
total sectors: 117231408
boundstart: 1024
boundend: 117231345
drivedata: 0

16 partitions:
# size offset fstype [fsize bsize cpg]
a: 2097152 1024 4.2BSD 2048 16384 12958 # /
b: 8641640 2098176 swap # none
c: 117231408 0 unused
d: 8291456 10739840 4.2BSD 2048 16384 12958 # /tmp
e: 13238144 19031296 4.2BSD 2048 16384 12958 # /var
f: 4194304 32269440 4.2BSD 2048 16384 12958 # /usr
g: 2097152 36463744 4.2BSD 2048 16384 12958 # /usr/X11R6
h: 17182912 38560896 4.2BSD 2048 16384 12958 # /usr/local
i: 960 64 MSDOS
j: 4194304 55743808 4.2BSD 2048 16384 12958 # /usr/src
k: 10314304 59938112 4.2BSD 2048 16384 12958 # /usr/obj
l: 46978912 70252416 RAID # /home
dalmine#

Now the home partition has fstype RAID, so we can start the encryption process.

* Let's start the encryption process *

First we fill the partition with random data, then we create the encrypted volume on top of it. Note that I use the raw device rwd0l because my disk is wd0; if you have another kind of disk (one attached through the sd driver) it will show up as sdXX instead.

dalmine# dd if=/dev/random of=/dev/rwd0l bs=4m

^C681+0 records in
680+0 records out
2852126720 bytes transferred in 55.752 secs (51157096 bytes/sec)
dalmine#

Wait a few minutes, then press Control-C. Interrupting dd means only the first few gigabytes of the partition have been overwritten; let it run to completion if you want the whole partition filled with random data before the encrypted volume is created.


dalmine# bioctl -c C -l /dev/wd0l softraid0
New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd0
dalmine#

The volume now sits behind the passphrase and appears as a new device, sd0 in my case. Next we need to create a partition on this new device, but first we write some zeros over its start to remove any old data there.

dalmine# dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
1+0 records in
1+0 records out
1048576 bytes transferred in 0.039 secs (26516426 bytes/sec)
dalmine#

Write the MBR (partition table):


dalmine# fdisk -iy sd0
Writing MBR at offset 0.
dalmine#

Now create the disklabel partition:

dalmine# disklabel sd0
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: SR CRYPTO
duid: 0000000000000000
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 2924
total sectors: 46978384
boundstart: 64
boundend: 46974060
drivedata: 0

16 partitions:
# size offset fstype [fsize bsize cpg]
c: 46978384 0 unused
dalmine#
dalmine# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
> a
partition: [a]
offset: [64]
size: [46973996]
FS type: [4.2BSD]
Rounding size to bsize (32 sectors): 46973984
> w
> q
No label changes.
dalmine#

And now create the filesystem:

dalmine# newfs /dev/rsd0a
/dev/rsd0a: 22936.5MB in 46973984 sectors of 512 bytes
114 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
super-block backups (for fsck -b #) at:
32, 414688, 829344, 1244000, 1658656, 2073312, 2487968, 2902624, 3317280, 3731936, 4146592, 4561248, 4975904, 5390560, 5805216, 6219872, 6634528, 7049184, 7463840, 7878496, 8293152, 8707808,
9122464, 9537120, 9951776, 10366432, 10781088, 11195744, 11610400, 12025056, 12439712, 12854368, 13269024, 13683680, 14098336, 14512992, 14927648, 15342304, 15756960, 16171616, 16586272, 17000928,
17415584, 17830240, 18244896, 18659552, 19074208, 19488864, 19903520, 20318176, 20732832, 21147488, 21562144, 21976800, 22391456, 22806112, 23220768, 23635424, 24050080, 24464736, 24879392,
25294048, 25708704, 26123360, 26538016, 26952672, 27367328, 27781984, 28196640, 28611296, 29025952, 29440608, 29855264, 30269920, 30684576, 31099232, 31513888, 31928544, 32343200, 32757856,
33172512, 33587168, 34001824, 34416480, 34831136, 35245792, 35660448, 36075104, 36489760, 36904416, 37319072, 37733728, 38148384, 38563040, 38977696, 39392352, 39807008, 40221664, 40636320,
41050976, 41465632, 41880288, 42294944, 42709600, 43124256, 43538912, 43953568, 44368224, 44782880, 45197536, 45612192, 46026848, 46441504, 46856160,
dalmine#

Now we need to change the /home entry in fstab so that it points at the crypto volume instead of the old wd0 partition. First, check the DUID of the physical disk and of the new crypto volume; we will use both in fstab and in the script that asks for the passphrase at boot.

dalmine# disklabel wd0a | grep uid
duid: 9ba067d2173d5a31
dalmine# disklabel sd0a | grep uid
duid: f4290a11cad7a825
dalmine#

The first DUID belongs to the physical disk (wd0), the second to the decrypted softraid volume (sd0) that will actually be mounted.

dalmine# cat /etc/fstab |grep -i home
f4290a11cad7a825.a /home ffs rw,nodev,nosuid 1 2
#9ba067d2173d5a31.l /home ffs rw,nodev,nosuid 1 2
dalmine#
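The DUIDs above were read off by eye. As an added example that is not part of the original post, here is a small set of POSIX sh helpers that pull the DUID, the partition letter and the fstype out of disklabel(8) output, refuse to go on unless the /home partition has already been retyped RAID, and build the fstab line. The two label texts are constructed from the listings earlier in this post (trimmed to a few partitions); the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: read DUIDs, partition
# letters and fstypes out of disklabel(8) output and build the fstab line.
# The two label texts below are constructed from the post's own listings
# (columns as disklabel prints them, most 4.2BSD partitions left out).
# Note: the "# /mountpoint" comments are taken by disklabel from /etc/fstab,
# so they disappear once that fstab line is commented out.

WD0_LABEL='# /dev/wd0c:
duid: 9ba067d2173d5a31
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          2097152             1024  4.2BSD   2048 16384 12958 # /
  b:          8641640          2098176    swap                    # none
  c:        117231408                0  unused
  i:              960               64   MSDOS
  l:         46978912         70252416    RAID                    # /home'

SD0_LABEL='# /dev/rsd0c:
duid: f4290a11cad7a825
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:         46973984               64  4.2BSD   2048 16384 12958
  c:         46978384                0  unused'

# "duid: 9ba067d2173d5a31" -> 9ba067d2173d5a31
label_duid() {
    printf '%s\n' "$1" | awk '$1 == "duid:" { print $2; exit }'
}

# Letter of the partition whose mount-point comment equals $2 (e.g. /home).
label_part_by_mount() {
    printf '%s\n' "$1" |
        awk -v mnt="$2" '/^ *[a-p]:/ && $NF == mnt { sub(":", "", $1); print $1; exit }'
}

# fstype column of partition $2 ("a", "l", ...).
label_fstype() {
    printf '%s\n' "$1" | awk -v p="$2:" '$1 == p { print $4; exit }'
}

# The fstab line the post adds: "DUID.part mountpoint ffs options 1 2".
fstab_entry() {
    printf '%s.%s %s ffs %s 1 2\n' "$1" "$2" "$3" "$4"
}

# Print the /home partition letter, but only if it has already been
# retyped RAID: softraid wants its chunk partitions typed RAID, and running
# bioctl -c C against a partition still typed 4.2BSD is the usual mistake.
check_home_is_raid() {
    part=$(label_part_by_mount "$1" /home)
    [ -n "$part" ] || { echo "no partition labelled /home" >&2; return 1; }
    fstype=$(label_fstype "$1" "$part")
    [ "$fstype" = "RAID" ] || { echo "partition $part is $fstype, not RAID" >&2; return 1; }
    printf '%s\n' "$part"
}

# On a live system: check_home_is_raid "$(disklabel wd0)"; here the
# constructed labels stand in for the real output.
if part=$(check_home_is_raid "$WD0_LABEL"); then
    echo "chunk for bioctl -l: $(label_duid "$WD0_LABEL").$part"
fi
echo "fstab line: $(fstab_entry "$(label_duid "$SD0_LABEL")" a /home rw,nodev,nosuid)"
```

The check is deliberately strict: an empty result (no /home comment in the label, which happens once the fstab line is commented out) is treated as a failure rather than a guess, so pass the partition letter to label_fstype yourself in that case.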

We can test it:

dalmine# mount /home
dalmine# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 1005M 139M 816M 15% /
/dev/wd0d 3.9G 10.0K 3.7G 0% /tmp
/dev/wd0f 2.0G 694M 1.2G 36% /usr
/dev/wd0g 1005M 178M 777M 19% /usr/X11R6
/dev/wd0h 8.1G 1.9G 5.8G 25% /usr/local
/dev/wd0k 4.8G 2.0K 4.6G 0% /usr/obj
/dev/wd0j 2.0G 2.0K 1.9G 0% /usr/src
/dev/wd0e 6.2G 13.4M 5.9G 0% /var
/dev/sd0a 22.0G 2.0K 20.9G 0% /home
dalmine#

Then comment out the home line again, since the mount will be done from rc.local instead, and detach the volume.

dalmine# umount /home
dalmine# vi /etc/fstab
dalmine# cat /etc/fstab
9ba067d2173d5a31.b none swap sw
9ba067d2173d5a31.a / ffs rw 1 1
#f4290a11cad7a825.a /home ffs rw,nodev,nosuid 1 2
#9ba067d2173d5a31.l /home ffs rw,nodev,nosuid 1 2
9ba067d2173d5a31.d /tmp ffs rw,nodev,nosuid 1 2
9ba067d2173d5a31.f /usr ffs rw,nodev 1 2
9ba067d2173d5a31.g /usr/X11R6 ffs rw,nodev 1 2
9ba067d2173d5a31.h /usr/local ffs rw,wxallowed,nodev 1 2
9ba067d2173d5a31.k /usr/obj ffs rw,nodev,nosuid 1 2
9ba067d2173d5a31.j /usr/src ffs rw,nodev,nosuid 1 2
9ba067d2173d5a31.e /var ffs rw,nodev,nosuid 1 2
dalmine#
dalmine# bioctl -d /dev/sd0c
sd0 detached
dalmine#

Now we can create an rc.local script with the logic to attach the volume and mount /home automatically.

dalmine# cat /etc/rc.local
for attempt in 1 2 3 4; do
bioctl -c C -l 9ba067d2173d5a31.l softraid0 && break
sleep 1
done
fsck /dev/rsd0a
mount -o nodev,nosuid,softdep f4290a11cad7a825.a /home
dalmine#

Now run the script.


dalmine# /etc/rc.local
Passphrase:
softraid0: CRYPTO volume attached as sd0
** /dev/rsd0a
** File system is clean; not checking
dalmine# df -h /home
Filesystem Size Used Avail Capacity Mounted on
/dev/sd0a 22.0G 2.0K 20.9G 0% /home
dalmine#
sd0 at scsibus2 targ 1 lun 0: SCSI2 0/direct fixed
sd0: 22938MB, 512 bytes/sector, 46978384 sectors

From the next boot on, the system will ask for the passphrase before continuing the boot process.
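The rc.local above runs fsck and mount even when all four bioctl attempts have failed. As an added example (my own, not the post's rc.local), here is a version that stops at the first failed step, takes the device name from the line bioctl prints on success, and verifies the mount afterwards. The DUIDs and partition letters are the ones from this post and must be replaced with yours; fsck -p and the /dev/bio guard are my choices, not the post's.

```shell
#!/bin/sh
# Added example, not the post's rc.local: attach the crypto volume holding
# /home, stop at the first step that fails, and verify the mount.
# The DUIDs and partition letters are the ones from this post; replace them
# with yours (disklabel wd0 | grep duid, disklabel sd0 | grep duid).
DISK_DUID="9ba067d2173d5a31"    # physical disk carrying the RAID partition
RAID_PART="l"                   # its softraid chunk partition
HOME_PART="a"                   # partition with the ffs filesystem on the volume
MOUNT_OPTS="nodev,nosuid,softdep"
TRIES=4

# "softraid0: CRYPTO volume attached as sd0" -> sd0 (the line bioctl prints
# on success, as shown in the post); prints nothing for any other text.
attached_device() {
    printf '%s\n' "$1" | sed -n 's/.*CRYPTO volume attached as \([a-z][a-z]*[0-9][0-9]*\).*/\1/p'
}

# True when mount(8) output $1 lists a filesystem on mount point $2.
is_mounted() {
    printf '%s\n' "$1" | grep -q " on $2 type "
}

# Ask for the passphrase up to $TRIES times; sets CRYPTO_DEV (e.g. sd0).
attach_home() {
    attempt=1
    while [ "$attempt" -le "$TRIES" ]; do
        # bioctl reads the passphrase from /dev/tty, so capturing its output
        # does not get in the way of the prompt.
        if out=$(bioctl -c C -l "$DISK_DUID.$RAID_PART" softraid0 2>&1); then
            CRYPTO_DEV=$(attached_device "$out")
            [ -n "$CRYPTO_DEV" ] && return 0
            echo "home: attached but no device name in: $out" >&2
            return 1
        fi
        echo "home: attach failed (try $attempt/$TRIES)" >&2
        attempt=$((attempt + 1))
        sleep 1
    done
    return 1
}

# fsck -p repairs routine problems without prompting and fails on anything
# worse, which is the right behaviour for an unattended boot script.
mount_home() {
    raw="/dev/r$CRYPTO_DEV$HOME_PART"
    blk="/dev/$CRYPTO_DEV$HOME_PART"
    fsck -p "$raw" || { echo "home: fsck $raw failed, not mounting" >&2; return 1; }
    mount -o "$MOUNT_OPTS" "$blk" /home || { echo "home: mount $blk failed" >&2; return 1; }
    is_mounted "$(mount)" /home
}

attach_and_mount_home() {
    if is_mounted "$(mount)" /home; then
        echo "home: already mounted"
        return 0
    fi
    attach_home || { echo "home: giving up, /home stays unmounted" >&2; return 1; }
    mount_home && echo "home: mounted from /dev/$CRYPTO_DEV$HOME_PART"
}

# /dev/bio is the control device bioctl talks to and only exists on OpenBSD,
# so the helpers above can be sourced and tested on another host without
# touching any disk.
if [ -c /dev/bio ]; then
    attach_and_mount_home
fi
```

Dropped into /etc/rc.local this behaves like the post's script on the happy path; the difference is that a failed attach or a failed fsck leaves /home unmounted with a message on the console instead of running mount against a device that is not there.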