OpenBSD

I use an OpenBSD virtual host (VMware guest) for certain cryptography requirements (managing the Quay x509 Root CA, some gpg uses). For convenience and because I don't really have a full-time need for this level of crypto, I save this work environment as a VMware Fusion VM (yeah, yeah, I know that VMware introduces its own risks, but this is strictly for using the tools rather than a runtime environment).

This page documents some tricks that are useful in setting up and managing OpenBSD.

Encrypting the Filesystem

I store secret keys on this VM image, so I would like the filesystem to be encrypted so that it is not easily accessible if somebody gets a copy of the VMDK files.

More detail is available here: http://www.openbsd.org/faq/faq14.html#softraidCrypto

I skimmed through these tutorials as well before deciding how I wanted to do this:

Here are some terse instructions for making this work:

## these instructions assume you're using SCSI disks
## modify the device names as needed (e.g.: wd instead of sd for ATA)
fdisk -iy sd0
disklabel -E sd0  # enter the label editor
 
## these commands are run at the label editor prompt, not the shell
# set up a 1GB swap partition (OpenBSD encrypts swap by default
# so we can exclude it from our crypto RAID)
> a b
offset: [64]
size: [10474316] 1g
Rounding size to cylinder (16065 sectors): 2104451
FS type: [swap]:
> a a
offset: [2104515]
size: [31439205] *
FS type: [4.2BSD] RAID
> w
> q
No label changes.
 
## now create the softraid crypto volume
bioctl -c C -l /dev/sd0a softraid0
# enter your passphrase for the volume
# you should see "softraid0: CRYPTO volume attached as sd1" if successful
exit
 
## you can complete the install as usual now on sd1
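
A check on the resulting layout, as an added example that is not part of the original page: the function reads `disklabel sd0` output and reports any partition that is not RAID, swap or unused, i.e. anything that would sit in the VMDK unencrypted. The function names and both sample labels are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a disklabel for partitions that would hold plaintext.
# Real use on the OpenBSD host:  disklabel sd0 | plaintext_partitions

# Reads `disklabel <disk>` output on stdin and prints the letter and fstype of
# every partition that is neither RAID (the softraid chunk), swap (encrypted
# by default on OpenBSD) nor unused (the whole-disk 'c' entry).
plaintext_partitions() {
    awk '
        # Partition rows look like "  a:  31439205  2104515  RAID"
        $1 ~ /^[a-p]:$/ && $2 ~ /^[0-9]+$/ {
            fstype = $4
            if (fstype != "RAID" && fstype != "swap" && fstype != "unused")
                printf "%s %s\n", substr($1, 1, 1), fstype
        }
    '
}

# Constructed sample: the layout produced by the instructions above.
sample_good='# /dev/rsd0c:
type: SCSI
bytes/sector: 512
total sectors: 33554432

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:         31439205          2104515    RAID
  b:          2104451               64    swap
  c:         33554432                0  unused'

# Constructed sample: a leftover 4.2BSD partition outside the crypto volume.
sample_bad='16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:         20971520          2104515    RAID
  b:          2104451               64    swap
  c:         33554432                0  unused
  d:         10467685         23076035  4.2BSD   2048 16384     1'

# Prints OK or the offending partitions; returns non-zero if any were found.
audit() {
    found=$(printf '%s\n' "$1" | plaintext_partitions)
    if [ -z "$found" ]; then echo "OK"; else echo "PLAINTEXT: $found"; return 1; fi
}

audit "$sample_good"
audit "$sample_bad" || true
```

Run it against the physical disk (sd0 here), not the attached crypto volume: filesystems inside sd1 are 4.2BSD by design and are already covered by the encryption.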

Notes

If you want to find the hardware names of your disks you can use: sysctl hw.disknames

crypto/openbsd.txt · Last modified: 2019-08-10 14:42 by gabriel