Helith - 0815
--------------------------------------------------------------------------------

Author : Rembrandt
Date   : 2009-04-28
Title  : Creating encrypted partitions on OpenBSD
Type   : Information


1. Introduction

Using svnd, as many of you might have done before, is not a solution on
OpenBSD anymore. The reason is simply the write performance, due to some bug
in the svnd code itself which I am in no mood to nail down. Also, the
developers always react in a somewhat aggressive way if you point that fact
out. Please keep in mind that I wrote this text when 4.5 was released. The
behavior of svnd might change in future releases.

The other solution OpenBSD provides is the softraid framework. It is intended
to encrypt whole disks or do other RAID-related things, but it works perfectly
well for a single partition too. I wrote this little HowTo because the
necessary steps are easy but not clearly documented in the manpage.

-- Updated --
The manpages for OpenBSD current (4.5->4.6) were modified and should make it
clearer now.


2. Create an encrypted partition

Either you have already created the partition you would like to encrypt, or
you create one during the following step:

    disklabel -E wd0

Now either create (a %LETTER) or modify (m %LETTER) a partition. Take care
that the FS TYPE is NOT "4.2BSD" but "RAID". After you have done that, save
the changes and leave the interactive mode.

You can now use bioctl to attach the partition to softraid:

    bioctl -c C -l /dev/wd0k softraid0

After this step you can create a disklabel on sd0 or proceed however you like.

If you would like to encrypt multiple HDDs or partitions, you might need to
add additional softraid devices by modifying /usr/src/sys/conf/GENERIC and
recompiling the kernel. But that should not be necessary.
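
Added example (not part of the original text and not an OpenBSD tool): a
pre-flight check for the FS TYPE requirement in section 2, meant to be run on
disklabel output before bioctl. The function names and the sample partition
table are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify a partition is labelled RAID before attaching it
# to softraid. Function names are hypothetical, not OpenBSD tools.

# Constructed sample of the partition table printed by `disklabel wd0`
# (sizes and offsets are made up).
SAMPLE_LABEL='# /dev/rwd0c:
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          2097152               64  4.2BSD   2048 16384     1 # /
  b:          1048576          2097216    swap
  c:        156301488                0  unused
  k:         20971520          3145792    RAID'

# Print the fstype column for partition letter $1; disklabel text on stdin.
# Exit status is non-zero when the partition is not in the label.
fstype_of() {
    awk -v p="$1:" '$1 == p { print $4; found = 1 } END { exit !found }'
}

# Return 0 only if partition $1 has fstype RAID; disklabel text on stdin.
check_raid_partition() {
    fstype=$(fstype_of "$1") || {
        echo "partition $1: not found in disklabel" >&2
        return 2
    }
    if [ "$fstype" != "RAID" ]; then
        echo "partition $1: fstype is $fstype, expected RAID" >&2
        return 1
    fi
    echo "partition $1: fstype RAID, ok for bioctl -c C"
}

# Usage on a live system, with the device names used in section 2:
#   disklabel wd0 | check_raid_partition k &&
#       bioctl -c C -l /dev/wd0k softraid0
```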

I wrote to Jason McIntyre and asked him to apply my improvements to the
softraid manpage so that other users are able to encrypt their partitions more
easily. Let's see if my changes get approved. ;-)

Have fun with your AES-128 encryption in XTS mode.

Kind regards,
Rembrandt