back Encrypt partition in OpenBSD 6.3
comp
publication: Julho 07 2018 20:24
last update: Julho 07 2018 20:24
This post is meant to guide througt encrypt a specific partition in OpenBSD
6.3. We will encrypt /home
partition:
Umount /home
partition
# umount /home
Suppose your system is running on disk sdX. Discover the identifier of /home
partition
# disklabel -E sdX
Label editor (enter '?' for help at ane prompt)
> p g
...
in my disk the /home
patition is m:
.
Still in disklabel, change /home
file system type
> m m
offset: [...]
size: [...]
FS type: [4.2BSD] RAID
> w
> q
Write random data to avoid data recovery and protect the encrypted data (this can be a very time-consuming process, depending on the speed of your CPU and disk, as well as the size of the disk)
# dd if=/dev/random of=/dev/rsdXm bs=1m
Now we attach sdXm
as a crypto volume
# bioctl -c C -l /dev/sdXm softraid0
New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sdY
Note that our crypto volume is now identified as sdY
.
Let's now zero the first megabyte of sdY
to clean the master boot record and
disklabel
# dd if=/dev/zero of=/dev/rsdYc bs=1m count=1
Now we create a partition on sdY
# fdisk -iy sdY
# disklabel -E sdY
Label editor (enter '?' for help at ane prompt)
> a
...
Format the partition
# newfs /dev/rsdYa
Delete or comment /home
entry in /etc/fstab
.
Get the disks uid
# disklabel sdX | grep uid
duid: 123abc
# disklabel sdY | grep uid
duid: 789xyz
We need to mount the crypto volume during the boot. Add the following lines to
start up script /etc/rc.local
for i in 1 2 3; do # tries to mount 3 times
bioctl -c C -l 123abc.m softraid0 && break # attach sdXm as crypto volume
sleep 2 # wait 2 seconds between tries
done
fsck /dev/rsdYa # check crypto volume fs for error
mount -o rw,nodev,nosuid,softdep 789xyz.a /home # mount partition
And we are done! Your system is ready to boot with the /home
partition
enctypted and ready to mount at boot.
Last note: /home
partition is completelly empty, so if you have any user other
than root on your system, you need to create each user directory and set the
right permitions.