Hard disk encryption using softraid crypto target in OpenBSD

First of all, this article is based on this one: and the OpenBSD's softraid manpage. This is not working! For now, it is not possible to boot on softraid. This article is just here to get information on how to proceed to boot with PXE and create softraid crypto partitions, until this is made possible.

This project took birth while looking for disk encryption theory for my previous article on linux's loop-aes. OpenBSD's softraid crypto target uses the XTS+AES method for encryption, which is very secure, even more than the CBC+ESSIV method used by loop-aes (which is still very secure). It is also slower, due to more instructions needed with this algorithm. The "very secure" here depends on if the attacker has several access to the hard disk, or just once. Read the wikipedia page for more information.

Whereas in this first project I used a USB thumb drive to boot the system and install it, I wanted to take a look at PXE. OpenBSD is a lot used in soekris systems, which have no other interaction devices than a serial port and ethernet. And for that matter, they use PXE boot and install.

1. PXE boot

PXE stands for Pre-boot eXecution Environment. This is roughly a netwoork boot, like BOOTP or others, with some improvements. This is used for computers that don't have the operating system on a local drive, or for wide installation deployment. Getting a PXE server up, if I can call it like that, is quite easy. PXE is actually a standard based on DHCP and TFTP.

So the first step is to install a DHCP and TFTP server. I used a debian GNU/Linux for this server, with packages dhcp and tftpd. Configure the DHCPD adding the line filename "pxeboot"; in the corresponding subnet, like this:

subnet netmask {
    option routers;
    filename "pxeboot";

Configure the TFTPD, generally this is done with inetd, including this line in inetd.conf:

tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd -s /srv/tftp

Now download OpenBSD files from your favorite mirror for the last release: pxeboot, which is OpenBSD's boot loader for PXE, and bsd.rd, which is the image containing the kernel and installation files. Put these files in /srv/tftp with 644 permissions. Create a simple config file, in /srv/tftp/etc/boot.conf, which is needed because we don't use the standard image target called bsd, but bsd.rd:

set image bsd.rd

Configure your BIOS to boot from network, and if everything is allright, you can start installing OpenBSD on your computer.

2. softraid crypto setup

Before actually entering the installer, you have to configure your softraid device, to install OpenBSD on it. Request acces to the Shell when this is asked. The following steps are good if you want to use the whole disk for OpenBSD, you have to adjust wd0 commands otherwise.

Create an empty partition table on wd0, and put a single disklabel slice on it, which we will call wd0a from now. In disklabel, use RAID for the partition type.

# fdisk -i wd0
# disklabel -E wd0
(create wd0a with type RAID)

Now, we can create the softraid device, using bioctl. The target is crypto (C). When this is done, the kernel notifies there is a new scsi disk available, sd0. Then, we create a partition table and disklabel on this new device, as if it was a new hard disk (you should create several slices here):

# bioctl -c C -l /dev/wd0a softraid0
enter passphrase

# fdisk -i sd0
# disklabel -E sd0

Don't do newfs now, because we will now step into the installer part which will do it.

3. Install system on the hard drive

Encrypted disk is setup, we can now install the system on it. Use the /install command to launch install. Specify sd0 as the drive on which you want to install OpenBSD. Set mount points. It will create the filesystems, setup network and other things, ask for packages to install, and install them.

Now, you have fully-installed OpenBSD on an encrypted hard disk. And you cannot boot it.

4. Create the initial ramdisk for softraid root partition (PXE) boot

This is currently not possible to boot on softraid. See this post.

At least it will have created some computer jokes

0 comment

Discuss this article, add a comment:

If you are human, type 12: