DaemonForums  

OpenBSD Security Functionally paranoid!

#1
Old 25th December 2014
22decembre
Port Guard
 
Join Date: Dec 2014
Posts: 40
whole disk encryption

I recently bought a small netbook. It works quite fine under OpenBSD.

Code:
$ uname -a
OpenBSD musen.22decembre.eu 5.6 GENERIC.MP#299 i386
$ sysctl kern
kern.ostype=OpenBSD
kern.osrelease=5.6
kern.osrevision=201411
kern.version=OpenBSD 5.6 (GENERIC.MP) #299: Fri Aug  8 00:10:33 MDT 2014
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP

At first I wanted to install on an encrypted disk. I could not manage it. So I finished the install in normal mode.

I just succeeded in setting up an encrypted partition.

Here is the disklabel of the physical disk:

Code:
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: WDC WD800BEVS-00
duid: 39ac47a59a78a464
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 9729
total sectors: 156301488
boundstart: 64
boundend: 156296385
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:          2097152               64  4.2BSD   2048 16384    1 # /
  b:          2599424          2097216    swap                   # none
  c:        156301488                0  unused
  e:         12538880         13085248  4.2BSD   2048 16384    1 # /var
  f:          4194304         25624128  4.2BSD   2048 16384    1 # /usr
  h:         10488640         29818432  4.2BSD   2048 16384    1 # /home
  i:         20964838         40307072    RAID

I can decrypt the encrypted part:

Code:
# bioctl -c C -l /dev/sd0i softraid0
Passphrase: 
softraid0: CRYPTO volume attached as sd2

Here is the disklabel of the encrypted part:

Code:
# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: SR CRYPTO
duid: a751c8ec1c6976ed
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 1304
total sectors: 20964310
boundstart: 64
boundend: 20948760
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  c:         20964310                0  unused
  d:         20948672               64  4.2BSD   2048 16384    1

... and when I try to mount partition d as FFS, using either sd2d or the DUID:

Code:
# mount a751c8ec1c6976ed.d /mnt/target/
mount_ffs: a751c8ec1c6976ed.d on /mnt/target: Invalid argument

I aim to mount the whole system, copy it into the new encrypted partition and set up the boot afterwards. But I can't copy it currently.

What am I doing wrong?

Thank you for your answer, and Merry Christmas, Happy New Year...

Last edited by ocicat; 5th January 2015 at 03:29 PM. Reason: Edited out profanity -- forbidden in the forum rules.
#2
Old 25th December 2014
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,292

Quote:
I aim to mount the whole system, copy it into the new encrypted partition and set up the boot afterwards. But I can't copy it currently.

What am I doing wrong?
Let's start with your failure to mount /dev/sd2d. I am guessing you either did not format the filesystem, or you do not have a pre-existing /mnt/target directory. See newfs(8) if you neglected to format, or mkdir(1) if you do not have the mount point created in advance.

Operating your laptop with full disk encryption is much, much, much easier if you set up your softraid device at install time, not after you have completed your installation. Afterwards, you must create five separate filesystems in sd2, copy the filesystems one at a time, and install bootblocks manually. But it is much easier to start over, and re-install using full-disk encryption.

This "howto" assumes sd0 is your hard drive.
  1. Boot the ramdisk kernel, from your installation media or by selecting bsd.rd at the boot> prompt.
  2. Select the shell instead of install or upgrade.
  3. Only sd0 is preconfigured in /dev. Add sd1 and (if needed) sd2.
    Code:
    # cd /dev
    # sh MAKEDEV sd1 sd2
  4. Create an MBR on sd0, with a default single MBR partition for OpenBSD.
    Code:
    # fdisk -iy sd0
  5. Create a single disklabel partition, type RAID, on sd0. In this example, partition sd0a is created:
    Code:
    # disklabel -E sd0
    Label editor (enter '?' for help at any prompt)
    > a
    partition: [a]
    offset: [nn]
    size: [nnnnnnnnnn]
    FS type: [4.2BSD] raid
    > q
    Write new label?: [y] y
  6. Create your softraid(4) CRYPTO device:
    Code:
    # bioctl -c C -l /dev/sd0a softraid0
  7. Begin your installation, and install onto the newly created device.
    Code:
    # install
Disclaimer: I've installed onto bootable softraid devices, but they've been RAID 1 arrays, never CRYPTO discipline. I use softraid crypto on a laptop, but only /home is encrypted, rather than full disk encryption.

Last edited by jggimi; 25th December 2014 at 11:52 AM. Reason: typos
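The "Invalid argument" from mount_ffs in post #1 is exactly what a partition that was disklabel'ed but never newfs'ed looks like. The check below is an added example (not code from this thread or from OpenBSD) that probes a raw device or image for an FFS superblock magic before you try to mount it; constructed zero-filled sample images stand in for /dev/rsd2d, and the superblock offsets and magic values are those of the FFS on-disk format (sys/ufs/ffs/fs.h).

```python
import struct
from typing import Optional

# FFS on-disk layout: the UFS1 superblock lives at byte 8192, the UFS2
# superblock at byte 65536, and fs_magic is 1372 bytes into struct fs.
SBLOCK_UFS1 = 8192
SBLOCK_UFS2 = 65536
FS_MAGIC_OFFSET = 1372
FS_UFS1_MAGIC = 0x011954
FS_UFS2_MAGIC = 0x19540119


def probe_ffs(image: bytes) -> Optional[str]:
    """Return 'ffs1' or 'ffs2' if a superblock magic is present, else None.

    Both byte orders are tried, so a filesystem written on i386
    (little-endian) or on a big-endian machine is recognised.
    """
    for sb_off, magic, label in ((SBLOCK_UFS1, FS_UFS1_MAGIC, "ffs1"),
                                 (SBLOCK_UFS2, FS_UFS2_MAGIC, "ffs2")):
        pos = sb_off + FS_MAGIC_OFFSET
        if len(image) < pos + 4:
            continue  # image too short to hold this superblock at all
        for fmt in ("<I", ">I"):
            if struct.unpack(fmt, image[pos:pos + 4])[0] == magic:
                return label
    return None


def probe_device(path: str) -> Optional[str]:
    """Read just enough of a raw device (e.g. /dev/rsd2d) to run probe_ffs."""
    with open(path, "rb") as dev:
        return probe_ffs(dev.read(SBLOCK_UFS2 + FS_MAGIC_OFFSET + 4))


def make_fake_image(kind: Optional[str]) -> bytearray:
    """Constructed sample: an 80 KiB zero-filled image, optionally stamped
    with the little-endian FFS1 or FFS2 magic the way newfs(8) would leave it."""
    img = bytearray(80 * 1024)
    if kind == "ffs1":
        struct.pack_into("<I", img, SBLOCK_UFS1 + FS_MAGIC_OFFSET, FS_UFS1_MAGIC)
    elif kind == "ffs2":
        struct.pack_into("<I", img, SBLOCK_UFS2 + FS_MAGIC_OFFSET, FS_UFS2_MAGIC)
    return img


if __name__ == "__main__":
    # The thread's situation: a CRYPTO volume with a label but no newfs.
    print("blank partition:", probe_ffs(make_fake_image(None)))   # None
    print("after newfs:   ", probe_ffs(make_fake_image("ffs1")))  # ffs1
```

On a real system, probe_device("/dev/rsd2d") returning None is the signal to run newfs(8) before mount(8); after newfs it returns "ffs1" or "ffs2" depending on the newfs options used.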
#3
Old 25th December 2014
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,292

I should add that if you want to reinitialize a pre-existing disklabel, use the z command. That may make adding a single large "a" partition, as in my example, easier. See disklabel(8).
#4
Old 25th December 2014
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,292

I've just tested the "howto" with a USB stick. As with bootable RAID arrays, the bootloader sees the softraid device. With the CRYPTO discipline the bootloader will also prompt for the passphrase. I only tested with a passphrase; I did not test with a keydisk.
#5
Old 25th December 2014
22decembre
Port Guard
 
Join Date: Dec 2014
Posts: 40

It appears that I did not format. I thought disklabel had done this task.

Thanks. I will reinstall with encryption.
#6
Old 25th December 2014
22decembre
Port Guard
 
Join Date: Dec 2014
Posts: 40

Worked perfectly!
#7
Old 5th January 2015
denta
Shell Scout
 
Join Date: Nov 2009
Location: Sweden
Posts: 95

I've been using full disk encryption for a number of years on my little netbook and it works great. But one thing I keep forgetting when re-installing every 6 months or so is to adjust my intended passphrase to work on the default keyboard encoding that is available at the passphrase prompt.

Basically I keep setting passphrases under a "kbd sv" environment, and when re-booting I end up having to type the passphrase with a different keyboard encoding - making some characters appear on different keys. So my already funny passphrase becomes even more hilarious to type in.