DaemonForums  

#1
3rd September 2017
msvnix
encryption with two disk?

Hi everybody, I have a Thinkpad T420 with 2 disks (120GB SSD and 500GB HDD). I would like to encrypt both disks and install. Is that possible? I know how to do it with one disk but not two. Thanks in advance.
#2
3rd September 2017
jggimi

Hello, and welcome!
Quote:
I know how to do it with one disk but not two.
The only difference between using one and two physical drives is that you need to run MAKEDEV to create a special file for the second drive, and then you will run bioctl(8) twice instead of once.

MAKEDEV is needed because the installer's tiny RAMDISK environment does not have room for a complete list of /dev special files. So, if your two drives are sd0 and sd1, before beginning the creation of partitions on both and running bioctl twice, you just need to start with:

# cd /dev
# sh MAKEDEV sd1

Please let us know if you have any specific questions.
#3
4th September 2017
msvnix

thanks I will try when I finish setting the other laptop
#4
10th September 2017
msvnix

Quote:
Originally Posted by jggimi
Hello, and welcome! The only difference between using one and two physical drives is that you need to run MAKEDEV to create a special file for the second drive, and then you will run bioctl(8) twice instead of once.

MAKEDEV is needed because the installer's tiny RAMDISK environment does not have room for a complete list of /dev special files. So, if your two drives are sd0 and sd1, before beginning the creation of partitions on both and running bioctl twice, you just need to start with:

# cd /dev
# sh MAKEDEV sd1

Please let us know if you have any specific questions.
I get
Code:
Can't open DUID.a: No such file or directory
CAN'T CHECK FILE SYSTEM
DUID.a: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY

THE FOLLOWING FILE SYSTEM HAD AN UNEXPECTED INCONSISTENCY:
    ffs: DUID.a (/home)
I think it's not decrypting the second hard drive but don't know why
#5
10th September 2017
jggimi

I've been able to recreate this on a test system. The cause is clear: the bootloader decrypts only the boot drive.

My test system had /home on the second drive. And I had thought a solution would be to set the fstab(5) /home entry to include the noauto option, then issue a bioctl(8) and mount(8) from an rc.local(5) script.

However, rc(8) still attempts and fails to mount the /home mount point. The reason is as yet unclear to me, as noauto works fine when issuing # mount -a or # mount -A manually.

Removing the fstab(5) entry permits rc(8) to complete processing and pass control to rc.local(8), where bioctl(8) and mount(8) commands can be executed. You will want to test the bioctl(8) results, so that in the event of an incorrect passphrase, bioctl can be retried.

EDIT:

Here is an example rc.local(5) script that permits three attempts to enter the correct passphrase before mounting the partition.
Code:
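# Allow three attempts to unlock the CRYPTO volume on the second drive.
for tries in 1 2 3; do
   # bioctl prompts for the passphrase and exits 0 once the volume is attached.
   bioctl -c C -l /dev/sd1a softraid0
   if [ $? -eq 0 ] ; then
      break
   fi
done
# Mount the decrypted volume by its DUID.
mount 5435133273012c81.a /home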

Last edited by jggimi; 10th September 2017 at 02:46 PM. Reason: added example rc.local script
#6
10th September 2017
TronDD

That works for me with also a 0 in the last numeric parameter in fstab which excludes the partition from automated fsck.

Code:
a6d775ee96227348.a /mnt/backup ffs rw,nodev,nosuid,noauto,softdep,noatime 0 0
I also disable dump(8) backups since it's actually my dump(8) destination drive.

Since fsck will not be run automatically, I also run it whenever I mount in rc.local at boot up

Code:
bioctl -c C -l /dev/sd1a softraid0 || bioctl -c C -l /dev/sd1a softraid0 || bioctl -c C -l /dev/sd1a softraid0 && fsck a6d775ee96227348.a && mount /mnt/backup
EDIT: I meant the last fstab option, the second number.

Last edited by TronDD; 10th September 2017 at 08:17 PM.
#7
11th September 2017
jggimi

Quote:
Originally Posted by TronDD
That works for me with also a 0 in the last numeric parameter in fstab which excludes the partition from automated fsck.
Ah, thank you for the explanation - it's an fsck(8) rather than a mount(8) by rc(8), that explains the failure.
Quote:
Since fsck will not be run automatically, I also run it whenever I mount in rc.local at boot up
Good point!
#8
19th September 2017
msvnix

So there is no way to do it without entering the password another time when mounting /home right?
#9
19th September 2017
jggimi

The bioctl(8) tool can also use a keydisk and/or a passphrase file.
19th September 2017
jggimi

Correction, keydisk OR passfile. Not both.
25th September 2017
msvnix

Quote:
Originally Posted by jggimi
Correction, keydisk OR passfile. Not both.
Quote:
Originally Posted by TronDD
That works for me with also a 0 in the last numeric parameter in fstab which excludes the partition from automated fsck.

Code:
a6d775ee96227348.a /mnt/backup ffs rw,nodev,nosuid,noauto,softdep,noatime 0 0
I also disable dump(8) backups since it's actually my dump(8) destination drive.

Since fsck will not be run automatically, I also run it whenever I mount in rc.local at boot up

Code:
bioctl -c C -l /dev/sd1a softraid0 || bioctl -c C -l /dev/sd1a softraid0 || bioctl -c C -l /dev/sd1a softraid0 && fsck a6d775ee96227348.a && mount /mnt/backup
EDIT: I meant the last fstab option, the second number.
Thanks, today I have reinstalled and it's working perfectly with a file pass unlock.
Reply With Quote
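The passfile unlock the thread ends on, combined with the fsck-then-mount order from post #6, as an rc.local fragment. This is an added example, not code posted by anyone in the thread: the passfile path and the `PASSFILE_UID` override are assumptions, while `/dev/sd1a`, `softraid0` and the DUID are the values from post #5. The passfile sits on the already-unlocked root volume, so it is only as protected as that volume's passphrase and its own file permissions, which the script checks before use.

```shell
#!/bin/sh
# Added example for the end of /etc/rc.local (not code from the thread).
# Unlocks the second softraid CRYPTO volume from a passphrase file, then
# runs fsck and mounts it. Assumes /home has no fstab entry, or a noauto
# entry whose last field is 0, as discussed in posts #5 and #6.
CHUNK=${CHUNK:-/dev/sd1a}                # RAID partition, from the thread
DUID=${DUID:-5435133273012c81.a}         # decrypted volume, from the thread
MOUNTPOINT=${MOUNTPOINT:-/home}
PASSFILE=${PASSFILE:-/etc/sd1.passfile}  # hypothetical path on the encrypted root
PASSFILE_UID=${PASSFILE_UID:-0}          # hypothetical override; owner must be root

# True only for a regular, non-symlink file owned by PASSFILE_UID with
# mode exactly 0600, so no other local user can read the passphrase.
passfile_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    set -- $(ls -ln "$1")                # $1 = mode string, $3 = numeric owner
    case "$1" in
        -rw-------|-rw-------.) [ "$3" = "$PASSFILE_UID" ] ;;
        *) return 1 ;;
    esac
}

# Returns 0 when mounted; 1 bad passfile, 2 unlock failed,
# 3 fsck failed, 4 mount failed. Each step runs only if the last succeeded.
unlock_second_disk() {
    if ! passfile_ok "$PASSFILE"; then
        echo "rc.local: $PASSFILE must be owned by uid $PASSFILE_UID, mode 0600" >&2
        return 1
    fi
    bioctl -c C -l "$CHUNK" -p "$PASSFILE" softraid0 || return 2
    fsck -p "$DUID" || return 3
    mount "$DUID" "$MOUNTPOINT" || return 4
}
```

Call `unlock_second_disk` as the last line of rc.local; a non-zero return leaves the mount point empty rather than mounting an unchecked file system.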
All times are GMT.