crypto:openbsd

Differences

This shows you the differences between two versions of the page.

crypto:openbsd [2015-03-07 14:21] – created gabriel
crypto:openbsd [2019-08-10 14:42] (current) – title gabriel
Line 1: Line 1:
 +====== OpenBSD ======
 +
 I use an OpenBSD virtual host (VMware guest) for certain cryptography requirements (managing the Quay x509 Root CA, some gpg uses).  For convenience and because I don't really have a full time need for this level of crypto, I save this work environment as a VMware Fusion VM (yeah, yeah I know that VMware introduces its own risks, but this is strictly for using the tools rather than a runtime environment). I use an OpenBSD virtual host (VMware guest) for certain cryptography requirements (managing the Quay x509 Root CA, some gpg uses).  For convenience and because I don't really have a full time need for this level of crypto, I save this work environment as a VMware Fusion VM (yeah, yeah I know that VMware introduces its own risks, but this is strictly for using the tools rather than a runtime environment).
  
Line 6: Line 8:
  
 I store secret keys on this VM image so I would like the filesystem to be encrypted to that it is not easily accessible if somebody gets a copy of the VMDK files. I store secret keys on this VM image so I would like the filesystem to be encrypted to that it is not easily accessible if somebody gets a copy of the VMDK files.
 +
 +More detail is available here: http://www.openbsd.org/faq/faq14.html#softraidCrypto
 +
 +I skimmed through these tutorials as well before deciding how I wanted to do this:
 +
 +  *  http://ryanak.ca/planet-ubuntu/2013/03/26/Setting-up-full-disk-encryption-in-OpenBSD-5.3.html
 +  *  http://www.bsdnow.tv/tutorials/fde (also includes instructions for FreeBSD)
  
 Here are some terse instructions for making this work: Here are some terse instructions for making this work:
  
 <code bash> <code bash>
-Test+## these instructions assume you're using SCSI disks 
 +## modify the device names as needed (e.g.: wd instead of sd for ATA) 
 +fdisk -iy sd0 
 +disklabel -E sd0  # enter the label editor 
 + 
 +## these commands are run at the label editor prompt, not the shell 
 +# set up a 1GB swap partition (OpenBSD encrypts swap by default 
 +# so we can exclude it from our crypto RAID) 
 +> a b 
 +offset: [64] 
 +size [10474316] 1g 
 +Rounding size to cylinder (16065 sectors): 2104451 
 +FS type: [swap]: 
 +> a a 
 +offset: [2104515] 
 +size: [31439205] * 
 +FS type: [4.2BSD] RAID 
 +> w 
 +> q 
 +No label changes. 
 + 
 +## now create the softraid crpyto volume 
 +bioctl -c C -l /dev/sd0a softraid0 
 +# enter your passphrase for the volume 
 +# you should see "softraid0: CRYPTO volume attached as sd1" if succsessful 
 +exit 
 + 
 +## you can complete the install as usual now on sd1
 </code> </code>
 +
 +===== Notes =====
 +
 +If you want to find the hardware names of your disks you can use: ''sysctl hw.disknames''
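Review bot: `fdisk -iy sd0` at the top of the added code block reinitializes the MBR on sd0 with the confirmation prompt suppressed, but the only guidance for identifying the correct disk (`sysctl hw.disknames`) is in the Notes section after the block. Move that check above the fdisk line, or repeat it there as a comment, so a reader confirms the device name before running anything destructive. The block also never says where these commands are typed; the trailing `exit` and "you can complete the install as usual now on sd1" imply a shell inside the installer, so state that in the first comment. Two typos in the added comments: "crpyto" and "succsessful". The three added reference links are plain http://; use https:// where the site offers it.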
crypto/openbsd.1425756099.txt.gz · Last modified: 2015-03-07 14:21 by gabriel