Hi. I'm jon.404, a Unix/Linux/Database/Openstack/Kubernetes Administrator, AWS/GCP/Azure Engineer, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: *nix.

Encrypted OpenBSD flash drive, the easy way...

Posted 03-25-2011 at 09:16 PM by rocket357
Updated 03-27-2011 at 07:12 PM by rocket357

Ok, so there are a couple of howtos floating around the interwebs with great instructions on how to do this, that, or whatever, but none seem to "pull it all together" for me, so I decided to post here what I do to build an OpenBSD encrypted jump drive.

First off, the links:

Encryption: http://16s.us/OpenBSD/softraid.txt
/etc/fstab: http://www.mail-archive.com/misc@ope.../msg94555.html
/etc/fstab with revision (by me): http://www.daemonforums.org/showpost...02&postcount=9
/tmp in mfs: man mount_mfs

So here's the routine:

Pop in your USB key and boot an OpenBSD install ISO. When it asks if you want to Install, Upgrade, or Shell, pick Shell. (This is pretty much lifted verbatim from the first link above =)

Make sure you have the right disk!

Code:
dmesg | less
Look for your jump drive... mine shows up in dmesg as:

Quote (dmesg output):
sd0 at scsibus1 targ 1 lun 0: <SanDisk, Cruzer, 1.00> SCSI1 0/direct removable
sd0: 7629MB, 512 bytes/sec, 15625216 sec total
Now you need to fdisk/disklabel sd0 and create two partitions, a and d. a should be small (~128 MB or so), and d should take up the rest of the drive. (b isn't really needed on a jump drive unless you really want it... swap is encrypted by default on OpenBSD, so you don't have to shove it off into d unless you want to.)

Once that's done, run this:

Code:
bioctl -c C -r 65536 -l /dev/sd0d softraid0 && exit
Give it a passphrase you can remember, but that isn't easily guessed. This passphrase is what encrypts and decrypts sd0d, so everything on the crypto volume is only as strong as the passphrase!

This will create sd1 as a crypto volume. You can fdisk/disklabel it just like any other drive, only it's encrypted =)

At this point, perform a standard install. You'll need to choose sd0a as / and use sd1 to hold everything else. Mine is partitioned like this:

Code:
$ mount
/dev/sd0a on / type ffs (local)
/dev/sd1a on /altroot type ffs (local, nodev, nosuid)
/dev/sd1f on /home type ffs (local, nodev, nosuid)
/dev/sd1d on /usr type ffs (local, nodev)
/dev/sd1e on /var type ffs (local, nodev, nosuid)
I don't really use /altroot that much, but it's a nice feature... make sure sd1a is the same size as sd0a if you plan on using it. Now finish the installation and reboot.

During the next boot, you'll get dropped to a shell. This is normal: the crypto volume hasn't been attached yet, so the kernel can't find the other filesystems it needs for a full boot. When you get a prompt, type in:

Code:
bioctl -c C -r 65536 -l /dev/sd0d softraid0 && exit
Make sure you use sd0d! Enter your passphrase when asked and let the boot continue normally.

Once it's booted fully, log in and run the following (the disklabel and /etc/fstab writes need root):

Code:
# /dev/diskmap is needed for DUID-based device lookups; create it if it's missing.
# It's a character device, so test with -c (the -f regular-file test never matches it).
[ -c /dev/diskmap ] || ( cd /dev && sudo MAKEDEV diskmap )
# CHANGE THESE VARIABLES TO MATCH THE SYSTEM YOU'RE CURRENTLY ON!!
export CLEARTEXT=sd0
export CRYPTDISK=sd1

# Write the label back unchanged so a DUID gets generated if the label doesn't have one yet,
# then read the DUID and rewrite the /dev/sd0X entries in /etc/fstab as <duid>.X
echo wq | disklabel -E $CLEARTEXT
CTDUID=`disklabel $CLEARTEXT | grep -E '^[d]?uid:' | cut -f2 -d' '`
{ echo ",s#/dev/$CLEARTEXT#${CTDUID}.#"; echo w; } | ed - /etc/fstab

# Same again for the crypto volume
echo wq | disklabel -E $CRYPTDISK
CRDUID=`disklabel $CRYPTDISK | grep -E '^[d]?uid:' | cut -f2 -d' '`
{ echo ",s#/dev/$CRYPTDISK#${CRDUID}.#"; echo w; } | ed - /etc/fstab

# Memory-backed /tmp and /var/tmp, 153600 512-byte sectors (75 MB) each
echo "swap /tmp mfs rw,nodev,nosuid,-s=153600 0 0" >> /etc/fstab
echo "swap /var/tmp mfs rw,nodev,nosuid,-s=153600 0 0" >> /etc/fstab
This replaces every /dev/sd* entry in /etc/fstab with the disk's DUID (disklabel unique identifier), which lets the system find the right disk dynamically at mount time. This matters for a jump drive because you never know whether the machines you plug it into already have sd* drives. (If a machine has an existing sd0, your stick becomes sd1 and the crypto volume becomes sd2, and nothing mounts properly via a device-name /etc/fstab... using the DUID fixes this.)

The last two lines mount /tmp and /var/tmp on memory file systems (mfs) of 153600 sectors each (512 bytes per sector, so 75 MB apiece... adjust as required). That way repeated writes to /tmp and /var/tmp don't add to the write wear on your jump drive, in case you're using a cheaper one...
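To see the fstab rewrite in isolation before touching a real system, here is an added example (not from the original post) that runs the same DUID substitution and mfs additions against a constructed copy of /etc/fstab. It uses sed instead of ed so it runs on any POSIX sh, the disklabel output and DUIDs are constructed rather than read from a disk, and it adds an idempotency check and a final verification that the post's one-shot script doesn't have.

```shell
#!/bin/sh
# Added example: exercises the DUID rewrite on a throwaway fstab copy.
# No disklabel(8)/bioctl(8) calls are made; all inputs below are constructed.

# Extract the DUID from disklabel(8) output fed on stdin. Accepts both the
# older "uid:" and the newer "duid:" spelling, like the grep in the post.
duid_from_label() {
    grep -E '^[d]?uid:' | cut -f2 -d' '
}

# Rewrite every "/dev/<dev>" prefix in FSTAB to "<duid>." so the entry follows
# the disklabel instead of the sd* enumeration order (same substitution the
# post performs with ed, done here with sed via a temp file).
# $1 = fstab path, $2 = device name (e.g. sd0), $3 = its DUID (hex string)
rewrite_fstab_duid() {
    fstab=$1; dev=$2; duid=$3
    tmp="$fstab.tmp.$$"
    sed "s#/dev/$dev#$duid.#" "$fstab" > "$tmp" && mv "$tmp" "$fstab"
}

# Append an mfs entry for DIR of SECTORS 512-byte sectors unless one is
# already present, so re-running the script doesn't duplicate the line.
add_mfs_entry() {
    fstab=$1; dir=$2; sectors=$3
    grep -q "^swap $dir mfs " "$fstab" && return 0
    echo "swap $dir mfs rw,nodev,nosuid,-s=$sectors 0 0" >> "$fstab"
}

# Returns 0 only when no /dev/sd reference is left and both mfs mounts exist.
verify_fstab() {
    fstab=$1
    if grep -q '/dev/sd' "$fstab"; then return 1; fi
    grep -q '^swap /tmp mfs ' "$fstab" && grep -q '^swap /var/tmp mfs ' "$fstab"
}

# Whole flow on a constructed fstab (layout taken from the post's mount output)
# and constructed DUIDs; prints the rewritten file on success.
demo() {
    fstab=$(mktemp) || return 1
    cat > "$fstab" <<'EOF'
/dev/sd0a / ffs rw 1 1
/dev/sd1a /altroot ffs rw,nodev,nosuid 1 2
/dev/sd1f /home ffs rw,nodev,nosuid 1 2
/dev/sd1d /usr ffs rw,nodev 1 2
/dev/sd1e /var ffs rw,nodev,nosuid 1 2
EOF
    # Constructed disklabel output; on a real system use `disklabel sd0` etc.
    ctduid=$(printf 'duid: 0123456789abcdef\n' | duid_from_label)
    crduid=$(printf 'uid: fedcba9876543210\n' | duid_from_label)
    rewrite_fstab_duid "$fstab" sd0 "$ctduid"
    rewrite_fstab_duid "$fstab" sd1 "$crduid"
    add_mfs_entry "$fstab" /tmp 153600
    add_mfs_entry "$fstab" /var/tmp 153600
    add_mfs_entry "$fstab" /tmp 153600   # second call must be a no-op
    verify_fstab "$fstab" || { rm -f "$fstab"; return 1; }
    cat "$fstab"
    rm -f "$fstab"
}

demo
```

The sed pattern deliberately matches the bare device name, so "/dev/sd0a" becomes "0123456789abcdef.a" with the partition letter preserved; verify_fstab is the check to run on the real /etc/fstab afterwards, since a leftover /dev/sd entry is exactly what fails to mount on a machine where the stick enumerates differently.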

Update - There are a few very useful wireless adapter firmware packages you should install on a USB stick that's likely to be used on laptops:

acx
athn
atu
bwi
ipw
iwi
iwn
otus
malo
pgt
ral
rsu
rum
run
uath
upgt
urtwn
wpi
zyd

Check the man page for each driver to see if there's a prepackaged version available, or check ports if the firmware is freely distributable. If it isn't freely distributable, you might be able to find it at:

http://www.nazgul.ch/<driver_name>/<driver_name>-firmware-<version>.tgz
http://damien.bergamini.free.fr/packages/openbsd/<driver_name>-firmware-<version>.tgz

Check the individual man pages for exact details.
Posted in OpenBSD