We recently went looking for a method of installing OpenBSD with full disk encryption that would work with a serial console, because that is what we provide to our VPS customers. We already provided instructions for installing OpenBSD on our VPSes and installing OpenBSD with full disk encryption is itself well-documented. Unfortunately, when we tried the standard procedures, we did not get a passphrase prompt from the bootloader when booting the fresh installation. There appears to be no obvious way to boot from an OpenBSD softraid – such as an encrypted disk – and have it use the serial console. Here is a description of how we kludged it. Some familiarity with OpenBSD terminology is expected.
We make two OpenBSD slices. One contains a tiny filesystem with a bootloader configuration file, and the other contains the encrypted part of the disk. At boot, the OpenBSD bootloader looks for /etc/boot.conf in the first slice, sd0a. That file contains 3 instructions: set the serial baud rate, use a serial console, and set the real boot device. The bootloader then boots from the real encrypted boot device, with output going to the serial console.
A Tutorial Explanation
First, boot the OpenBSD installer, but select the shell option at the prompt rather than the install option. We are going to need to do some pre-configuration before performing an install. Note that any line starting with # is a shell prompt, and the other lines are output.
Welcome to the OpenBSD/amd64 6.6 installation program. (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s
First, we’ll make the device nodes that we will need for the hard disk and the softraid. Then we’ll rewrite the master boot record of the hard disk with fdisk:
# cd /dev
# sh MAKEDEV sd0 sd1
# fdisk -iy sd0
Writing MBR at offset 0.
We can optionally overwrite the disk with random data to hide which part of the disk has been written to:
# dd if=/dev/urandom of=/dev/rsd0c bs=1M
Using disklabel, we will make two slices on the raw disk. The first slice, sd0a, is going to contain a really tiny filesystem with just one file in it: /etc/boot.conf. The second slice will be the softraid slice for the encrypted disk. In order to keep things simple, we don’t add a swap slice. If you want one, you should add it as another slice on sd0 rather than to the softraid. OpenBSD already encrypts swap, so there is no point in doubly-encrypting it.
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a
partition: [a] a
offset: 8192
size: 8192
FS type: [4.2BSD]
sd0*> a
partition: [b] b
offset:
size:
FS type: [swap] raid
sd0*> w
sd0> q
No label changes.
#
We use an offset of 8192 sectors for the first partition because, at 512 bytes per sector, that puts the partitions on a 4 MiB boundary, which reduces the possibility of write amplification when using solid state storage.
Next, we initialize the softraid. There are other options for the bioctl
command that might be interesting or useful here, including
specifying the number of rounds of the key derivation function. However,
we’ll keep it simple.
# bioctl -c C -l /dev/sd0b softraid0
New passphrase:
Re-type passphrase:
sd1 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd1: 30709MB, 512 bytes/sector, 62893628 sectors
softraid0: CRYPTO volume attached as sd1
We need to make the filesystem on sd0a and put /etc/boot.conf on it:
# newfs /dev/rsd0a
/dev/rsd0a: 4.0MB in 8192 sectors of 512 bytes
4 cylinder groups of 1.00MB, 64 blocks, 128 inodes each
super-block backups (for fsck -b #) at:
 32, 2080, 4128, 6176,
# mount /dev/sd0a /mnt
# mkdir /mnt/etc
# echo '
stty com0 115200
set tty com0
set device sr0a' > /mnt/etc/boot.conf
# umount /dev/sd0a
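The pre-configuration steps above, collected into one script. This is an added example and is not part of the prgmr.com post: the function names, the argument handling, the piped answers to disklabel (which mirror the interactive session above) and the defaults com0, 115200, sr0a and 512-byte sectors are our assumptions. The useful part for checking your own work is check_boot_conf, which confirms that the file has all three directives and that the speed is set before the console is switched to the serial port.

```shell
#!/bin/sh
# Added example (not from the prgmr.com post). Generates and validates the
# /etc/boot.conf that the bootloader reads from the unencrypted slice, and
# wraps the post's manual pre-configuration steps for the installer shell.
set -eu

# make_boot_conf DIR [PORT] [SPEED] [DEVICE]
# Writes DIR/etc/boot.conf with the three directives in the order the
# bootloader needs them: set the speed, switch the console, then point
# at the real (softraid) boot device. Defaults match the post.
make_boot_conf() {
    dir=$1; port=${2:-com0}; speed=${3:-115200}; dev=${4:-sr0a}
    mkdir -p "$dir/etc"
    printf 'stty %s %s\nset tty %s\nset device %s\n' \
        "$port" "$speed" "$port" "$dev" > "$dir/etc/boot.conf"
}

# check_boot_conf FILE
# Returns 0 if FILE carries a well-formed stty, set tty and set device
# line and the stty line comes before set tty; returns 1 otherwise.
check_boot_conf() {
    awk '
        $1 == "stty" && $2 ~ /^com[0-9]$/ && $3 ~ /^[0-9]+$/  { stty = NR }
        $1 == "set" && $2 == "tty" && $3 ~ /^com[0-9]$/       { tty = NR }
        $1 == "set" && $2 == "device" && $3 ~ /^sr[0-9][a-p]$/ { dev = NR }
        END { exit !(stty && tty && dev && stty < tty) }
    ' "$1"
}

# aligned_4mib OFFSET_IN_SECTORS
# True if OFFSET lies on a 4 MiB boundary, assuming 512-byte sectors
# (8192 sectors * 512 bytes = 4 MiB), as in the post's disklabel choice.
aligned_4mib() {
    [ $(( $1 % 8192 )) -eq 0 ]
}

# preconfigure_sd0 DISK
# The post's manual steps, in order. Destructive: it rewrites DISK's MBR
# and label, so it only runs when this script is invoked explicitly as
# "sh preconfig.sh preconfigure sd0" from the installer shell.
preconfigure_sd0() {
    disk=$1
    (cd /dev && sh MAKEDEV "$disk" sd1)
    fdisk -iy "$disk"
    # Same answers as the interactive disklabel session in the post:
    # a = 8192 sectors at offset 8192 (4.2BSD), b = the rest as RAID.
    aligned_4mib 8192
    printf 'a\na\n8192\n8192\n\na\nb\n\n\nraid\nw\nq\n' | disklabel -E "$disk"
    # bioctl asks for the passphrase on the terminal, not on stdin
    bioctl -c C -l "/dev/${disk}b" softraid0
    newfs "/dev/r${disk}a"
    mount "/dev/${disk}a" /mnt
    make_boot_conf /mnt
    check_boot_conf /mnt/etc/boot.conf
    umount "/dev/${disk}a"
}

case ${1:-} in
    preconfigure) preconfigure_sd0 "${2:-sd0}" ;;
esac
```

If your VPS exposes the console on a different port or speed, pass them to make_boot_conf (for example com1 and 9600); check_boot_conf accepts any com port and numeric speed but rejects a file where set tty precedes stty, since the bootloader would then switch the console before the speed is set.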
That is all of the pre-configuration work, and you can now start the OpenBSD installer by invoking /install at the shell prompt. From this point forward, you can just do a fairly standard installation. Use sd1 for the install. The installer should leave sd0 alone, since we set it up manually. You also probably do not want to use the auto-allocated disk layout with a swap slice, since your system would then be swapping to sd1. Here are the relevant bits from our interactive session with the installer; yours will likely be a bit different.
Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0] sd1
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] w
Setting OpenBSD MBR partition to whole sd1...done.
The auto-allocated layout for sd1 is:
#                size           offset  fstype [fsize bsize   cpg]
  a:          1024.0M               64  4.2BSD   2048 16384     1 # /
  b:          1264.0M          2097216    swap
  c:         30709.8M                0  unused
  d:          1713.6M          4685888  4.2BSD   2048 16384     1 # /tmp
  e:          2669.6M          8195392  4.2BSD   2048 16384     1 # /var
  f:          2496.0M         13662816  4.2BSD   2048 16384     1 # /usr
  g:           981.6M         18774656  4.2BSD   2048 16384     1 # /usr/X11R6
  h:          4012.0M         20784992  4.2BSD   2048 16384     1 # /usr/local
  i:          1698.4M         29001664  4.2BSD   2048 16384     1 # /usr/src
  j:          5916.8M         32480000  4.2BSD   2048 16384     1 # /usr/obj
  k:          8926.2M         44597632  4.2BSD   2048 16384     1 # /home
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] c
Label editor (enter '?' for help at any prompt)
sd1> a
partition: [a] a
offset: 8192
size:
FS type: [4.2BSD]
mount point: [none] /
sd1*> w
sd1> q
No label changes.
/dev/rsd1a: 30698.3MB in 62870208 sectors of 512 bytes
152 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
Available disks are: sd0.
Which disk do you wish to initialize? (or 'done') [done] done
/dev/sd1a (cd70684e3d78d3b3.a) on /mnt type ffs (rw, asynchronous, local)
Once you’re done with the installer, that’s it. You should have an encrypted installation of OpenBSD that prompts for the password on the serial console.
There are two areas of your disk that are not encrypted. One is the tiny filesystem on sd0a that holds /etc/boot.conf, and the other is the unencrypted area of the softraid, where the bootloader is stored.
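Because those two areas stay unencrypted, the check a practitioner usually wants is a way to notice if they change between boots. The following script is an added example, not part of the prgmr.com post: it records sha256 fingerprints of the whole sd0a slice (the 4 MiB filesystem holding /etc/boot.conf) and of the MBR sector that fdisk -iy wrote, and compares them later. The function names, the fingerprint file format and the device paths are assumptions; the bootloader region inside the softraid on sd0b is not covered, because the post does not describe its layout.

```shell
#!/bin/sh
# Added example (not from the prgmr.com post). Records and re-checks
# sha256 fingerprints of the unencrypted parts of the boot disk.
set -eu

# hash_file PATH: sha256 of a file or device. OpenBSD ships sha256(1);
# most other systems ship sha256sum from coreutils.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# hash_first_sector DEV: sha256 of the first 512 bytes of DEV, which on the
# raw whole-disk device (/dev/rsd0c) is the MBR written by fdisk -iy.
hash_first_sector() {
    tmp=$(mktemp)
    dd if="$1" of="$tmp" bs=512 count=1 2>/dev/null
    hash_file "$tmp"
    rm -f "$tmp"
}

# record_fingerprint OUTFILE SLICE_DEV DISK_DEV
# Writes one line per item: "<kind> <sha256> <device>", where kind is
# "slice" (hash the whole device) or "mbr" (hash its first sector only).
record_fingerprint() {
    out=$1; slice=$2; disk=$3
    {
        printf 'slice %s %s\n' "$(hash_file "$slice")" "$slice"
        printf 'mbr %s %s\n' "$(hash_first_sector "$disk")" "$disk"
    } > "$out"
}

# check_fingerprint FINGERPRINT_FILE
# Recomputes every entry. Returns 0 when all match, 1 when any differ
# (naming the changed device on stderr), 2 on a malformed entry.
check_fingerprint() {
    status=0
    while read -r kind want dev; do
        case $kind in
            slice) got=$(hash_file "$dev") ;;
            mbr)   got=$(hash_first_sector "$dev") ;;
            *)     echo "unknown entry kind: $kind" >&2; return 2 ;;
        esac
        if [ "$got" != "$want" ]; then
            echo "CHANGED: $dev ($kind)" >&2
            status=1
        fi
    done < "$1"
    return $status
}
```

On the installed system, run record_fingerprint /root/boot-fp /dev/rsd0a /dev/rsd0c once after installation and check_fingerprint /root/boot-fp at each boot; the fingerprint file lives on the encrypted root, so it is only readable after the passphrase has been entered. The sd0a hash changes whenever you legitimately edit /etc/boot.conf, so re-record it after such a change.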
This blog post came into existence due to a customer request for help installing OpenBSD. If you encounter any problems performing an install on a VPS with prgmr.com, please feel free to reach out to support.