Guide to OpenBSD RAID

========================================================================
Table of Contents
========================================================================

- Preparing a Crypto Key Disk
  - Formatting a Fresh Key Disk
  - Adding Another Key Partition to an Existing disklabel(8) Drive
- Creating a Single-Drive Crypto Volume
- Duplicating Key Disks

========================================================================
Preparing a Crypto Key Disk
========================================================================

The crypto bioctl(8) discipline can encrypt a RAID volume using a key disk (a RAID disklabel(8) partition storing a cryptographic key) instead of a password. This section explains how to prepare a key disk for bioctl(8).

Insert the storage device that will function as the key disk. It should be something that sd(4) can manage. In my case, I inserted a USB thumb drive, which appeared to OpenBSD as sd1 in dmesg(8). Make sure you use the right device! You can also check sysctl(8):

    sysctl -A 2>&1 | grep disknames

The rest of this section explains how to prepare a brand-new key disk and how to add a RAID partition to an existing drive to create another key disk. One disk drive can support multiple key disks.

------------------------------------------------------------------------
Formatting a Fresh Key Disk
------------------------------------------------------------------------

If the drive does not have existing keys and you are fine wiping out its existing data and dedicating it entirely to OpenBSD, follow this section's instructions.

Give the drive an MBR or GPT partition table. Prefer GPT if the drive is 2TB or larger. To give it a GPT partition table, run this (assuming the device that will be the key disk is sd1):

    fdisk -gy sd1

Then create a 1MB RAID disklabel(8) partition.
Run these commands in sequence (the lines after the first are typed at the disklabel(8) editor's prompts):

    disklabel -E sd1
    a a
    (press Enter to accept the default offset)
    1m
    RAID
    q
    y

That will create an "a" disklabel(8) (BSD) partition starting from the default offset (accepted when you press Enter), occupying 1MB of free space (1m), and having type RAID. You can use another disklabel(8) partition letter, of course. Note the one you choose: you will provide it to bioctl(8). In the example above, /dev/sd1a will be the key disk's partition.

------------------------------------------------------------------------
Adding Another Key Partition to an Existing disklabel(8) Drive
------------------------------------------------------------------------

If the disk that will store your cryptographic key already has disklabel(8) partitions, you can create another disklabel(8) partition on the drive to store another key.

Suppose your drive is sd1 (use the correct device on your system!) and it already has partitions a, b, and d. If you want to create an "e" partition to store your cryptographic key, run this sequence of commands:

    disklabel -E sd1
    a e
    (press Enter to accept the default offset)
    1m
    RAID
    q
    y

That will create an "e" disklabel(8) partition starting from the default offset (accepted when you press Enter), occupying 1MB of free space (1m), and having type RAID. Note the disklabel(8) partition letter you create: you will provide it to bioctl(8). In the example above, /dev/sd1e will be the key disk's partition.

========================================================================
Creating a Single-Drive Crypto Volume
========================================================================

Plug the storage device into your computer. The OpenBSD console SHOULD print some messages showing the drive and whatever bus it is attached to.
For example, if you plug a SATA hard drive in an external USB enclosure into your computer, you might see this in dmesg(8):

------------------------------------------------------------------------
umass4 at uhub1 port 3 configuration 1 interface 0 "SABRENT SABRENT" rev 2.10/1.00 addr 14
umass4: using SCSI over Bulk-Only
scsibus7 at umass4: 2 targets, initiator 0
sd6 at scsibus7 targ 1 lun 0: serial.153ef578D5641988407C
sd6: 3815447MB, 512 bytes/sector, 7814037168 sectors
------------------------------------------------------------------------

You can confirm this by looking at sysctl(8)'s output:

    sysctl -A 2>&1 | grep disknames

The disk device should appear in there.

Fill the disk with random data. This frustrates attackers trying to determine how much encrypted data you might have on the disk (expect this to take hours on a multi-terabyte drive):

    dd if=/dev/urandom of=/dev/rsd6c bs=1m

Give the drive an MBR or GPT partition table. Prefer GPT if the drive is 2TB or larger. To give it a GPT partition table, run this (assuming the device is sd6):

    fdisk -gy sd6

Then create a RAID disklabel(8) partition by running these commands in sequence (the lines after the first are typed at the disklabel(8) editor's prompts):

    disklabel -E sd6
    a a
    (press Enter to accept the default offset)
    *
    RAID
    q
    y

That will create an "a" disklabel(8) (BSD) partition starting from the default offset (accepted when you press Enter), occupying the remainder of the free space (the "*"), and having type RAID.

Insert the disk device that will be the key disk. I used a USB thumb drive, represented by sd7 on my system. (Make sure you note the correct device!) You should already have followed my instructions for preparing a key disk; see "Preparing a Crypto Key Disk" above. In my case, I will use the RAID disklabel(8) partition on sd7b.
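Because bioctl(8) will happily attach whatever partitions it is given, it is worth checking, before the next step, that the data disk and the key disk are the devices you think they are. The script below is an added example, not part of the original guide: it parses the output of `sysctl hw.disknames` and of `disklabel` (both passed in as text, here as constructed samples for the guide's sd7 key disk) and confirms that the device is present and that the chosen partition has fstype RAID and is at least 1MB (2048 sectors of 512 bytes). The function names are my own.

```shell
#!/bin/sh
# Pre-flight checks before running bioctl(8) on a key disk. Added example,
# not from the original guide. All input is passed in as text so the checks
# can be exercised offline against the constructed samples below.

# Constructed sample of `sysctl hw.disknames` (format is name:duid,...).
SAMPLE_DISKNAMES='hw.disknames=sd0:1a2b3c4d5e6f7a8b,sd6:,sd7:9f8e7d6c5b4a3f2e'

# Constructed sample of `disklabel sd7`, partition table only: a and b are
# 1MB RAID partitions (2048 sectors), c is the whole-disk partition.
SAMPLE_LABEL_SD7='#                size           offset  fstype [fsize bsize   cpg]
  a:             2048               64    RAID
  b:             2048             2112    RAID
  c:         15633408                0  unused'

# disk_listed DISKNAMES_LINE DEV -> 0 if DEV (e.g. sd7) appears in hw.disknames
disk_listed() {
    printf '%s\n' "$1" | sed 's/^hw.disknames=//' | tr ',' '\n' \
        | cut -d: -f1 | grep -qx "$2"
}

# raid_part_ok LABEL_TEXT LETTER MIN_SECTORS -> 0 if partition LETTER has
# fstype RAID and a size of at least MIN_SECTORS sectors
raid_part_ok() {
    printf '%s\n' "$1" | awk -v p="$2:" -v min="$3" '
        $1 == p { if ($4 == "RAID" && $2 + 0 >= min + 0) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# keydisk_preflight DISKNAMES LABEL DEV LETTER -> 0 only when both checks pass
keydisk_preflight() {
    disk_listed "$1" "$3" \
        || { echo "$3 is not in hw.disknames" >&2; return 1; }
    raid_part_ok "$2" "$4" 2048 \
        || { echo "/dev/$3$4 is not a RAID partition of at least 1MB" >&2; return 1; }
    echo "/dev/$3$4 looks usable as a key disk"
}

# Usage with the constructed samples (mirrors the guide's sd7b key disk):
keydisk_preflight "$SAMPLE_DISKNAMES" "$SAMPLE_LABEL_SD7" sd7 b
```

On a live system, feed it real output instead: `keydisk_preflight "$(sysctl hw.disknames)" "$(disklabel sd7)" sd7 b`.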
Create the crypto RAID volume with this disk using bioctl(8):

    bioctl -c C -k /dev/sd7b -l /dev/sd6a softraid0

bioctl(8) should say something like this:

------------------------------------------------------------------------
softraid0: CRYPTO volume attached as sd8
------------------------------------------------------------------------

Zero the first block of the new volume to clear garbage:

    dd if=/dev/zero of=/dev/rsd8c bs=1m count=1

Now the device is ready for partitioning and formatting. For example (press Enter at the disklabel(8) offset and FS type prompts to accept the defaults):

    fdisk -gy sd8
    disklabel -E sd8
    a a
    *
    q
    y
    newfs sd8a

========================================================================
Duplicating Key Disks
========================================================================

All key disks for crypto volumes are 1MB RAID disklabel(8) partitions. These instructions assume you have a key disk that you want to copy and a RAID disklabel(8) partition on a disk drive (it could be the same one containing the source key disk) that you want to copy it to.

Suppose /dev/sd1b is the source key disk and /dev/sd2b is the 1MB RAID disklabel(8) partition you want to copy the key disk to. (Make sure to adjust these instructions for your situation!) Do this to copy the key disk:

    dd if=/dev/sd1b of=/dev/sd2b bs=8192 seek=1 skip=1

The skip=1 and seek=1 leave the first 8192-byte block of both partitions alone and copy everything after it.