
tested on openbsd 6.3

encrypt disk with bioctl(8) and crypto

bioctl(8) is the raid management interface. with the softraid(4) crypto discipline it provides disk encryption.

create an encrypted volume

plug the drive in. assuming it's sd3.

danger! all data on sd3 will be erased.

# dd if=/dev/urandom of=/dev/rsd3c bs=1m
# fdisk -iy -g -b 960 sd3
# printf 'a a\n\n\nRAID\nw\nq\n'|disklabel -E sd3
# bioctl -c C -l sd3a softraid0
New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd4
# dd if=/dev/zero of=/dev/rsd4c bs=1m count=1
# fdisk -iy sd4
# printf 'a a\n\n\n\nw\nq\n'|disklabel -E sd4
# newfs sd4a
# mkdir /mnt/sd4a
# mount /dev/sd4a /mnt/sd4a
# ...
# umount /dev/sd4a
# bioctl -d sd4
#

it's safe to unplug the sd3 drive now.

mount and umount

plug the drive in.

# bioctl -c C -l sd3a softraid0
Passphrase:
softraid0: CRYPTO volume attached as sd4
# mkdir /mnt/sd4a
# mount /dev/sd4a /mnt/sd4a
...
# umount /dev/sd4a
# bioctl -d sd4
#

check out my helpers mnt_crypto and umnt_crypto and how to use them:

# bin/mnt_crypto  'xxxxxxxxxxxxxxxx.x' 'yyyyyyyyyyyyyyyy.y'
# bin/umnt_crypto 'xxxxxxxxxxxxxxxx.x'

where xxxxxxxxxxxxxxxx.x is the duid and partition of a crypto volume, and yyyyyyyyyyyyyyyy.y is that of a physical device.

you can find duids by running this:

# disklabel /dev/sd3a | grep -E 'duid|RAID'
duid: xxxxxxxxxxxxxxxx
  a:          7716864                 0    RAID
# disklabel /dev/sd4a | grep -E 'duid|BSD'
duid: yyyyyyyyyyyyyyyy
  i:          7716864                64    4.2BSD   4096 32768 26062
#
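
an added example, not the mnt_crypto/umnt_crypto helpers mentioned above and not the author's code: a sh function that reads disklabel(8) output and prints the duid.partition string for a given fstype, refusing a label whose duid is unset. the function names, the sample label and its duid are constructed for illustration.

```shell
#!/bin/sh
# duid_part FSTYPE
# reads disklabel(8) output on stdin and prints "<duid>.<letter>" for each
# partition whose fstype column is FSTYPE (for example RAID or 4.2BSD).
# returns 1 if no partition matches, 2 if the label has no usable duid.
duid_part() {
    awk -v want="$1" '
        $1 == "duid:" { duid = $2 }
        # partition rows look like "  a:   7716864   0   RAID"
        $1 ~ /^[a-p]:$/ && $4 == want { part[++n] = substr($1, 1, 1) }
        END {
            # a duid is 16 hex digits; all zeros means none was assigned
            if (length(duid) != 16 || duid ~ /[^0-9a-f]/ ||
                duid == "0000000000000000")
                exit 2
            if (n == 0)
                exit 1
            for (i = 1; i <= n; i++)
                print duid "." part[i]
        }'
}

# constructed sample of disklabel output; the duid is made up
sample_label() {
    cat <<'EOF'
# /dev/rsd3c:
type: SCSI
label: constructed sample
duid: 3f1c9a7be02d4456
total sectors: 7716864

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          7716864                0    RAID
  c:          7716864                0  unused
EOF
}

# on a real system: disklabel sd3 | duid_part RAID
sample_label | duid_part RAID
```

a duid stays the same when the kernel hands out a different sdN number on the next plug-in, which is why it is the safer thing to pass to a script.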

check file system consistency

a drive was accidentally disconnected (before you could unmount it properly). that happens. run fsck(8):

# bioctl -c C -l sd3a softraid0
softraid0: sd4 was not shutdown properly
Passphrase:
softraid0: sd4 was not shutdown properly
softraid0: CRYPTO volume attached as sd4
# fsck /dev/sd4a
** /dev/rsd4a
** Last Mounted on /mnt/sd4a
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
38996 files, 58177423 used, 62950830 free
(10766 frags, 7867508 blocks, 0.0% fragmentation)

MARK FILE SYSTEM CLEAN? [Fyn?] y

***** FILE SYSTEM WAS MODIFIED *****
#

change the passphrase

# bioctl -P sd4
Old passphrase:
New passphrase:
Re-type passphrase:
#