Tip me with BTC:
Tip me with BTC

Sugioarto

« Previous article
2016-05-04

OpenBSD on GPT with full disk encryption and EFI boot

I have tested this installation method on OpenBSD 5.9.

Prerequisites

You will need an installation medium, for example the CD ISO image and burn it.

Installation

Boot the CD. Then choose [S]hell. This article assumes that your hard drive is available under sd0. This will be mostly correct for SATA drives in systems without any exotic controllers.

Fill the Hard Drive with Random Bytes

This is optional, but important for better security.

dd if=/dev/random of=/dev/rsd0c bs=1m

Prepare the Hard Drive

Write a default GPT layout and reserve 960 sectors for the EFI boot partition. I will handle the EFI boot after the installation process.

fdisk -gi -b 960 /dev/rsd0c

Then the disk label (here only the important part):


disklabel -E sd0
> a a
FS Type: RAID
> w
> q

Now it's time to encrypt the big partition.

bioctl -c C -l sd0a softraid0

Choose a good passphrase here. bioctl will tell you after this step which new virtual device was created. For me it is sd1. This device is not available in /dev yet, so it needs to be initialized.

cd /dev sh MAKEDEV sd1

To avoid problems, it is reasonable to clear the beginning of the installation drive.

dd if=/dev/zero of=/dev/rsd1c bs=1m count=1

Continue the Installation Process

Exit the shell now.

exit

Select sd1 for installation when prompted for root disk:. Then choose GPT as parition schema. You will get a warning that it may not boot (on non-UEFI systems). Proceed yes.

Partition the Hard Drive

Choose C for custom layout when asked for the partitioning method. Everything else will not work correctly.

Now it's a good idea to think about the partions you want and how large you want to make them. You will need at least a rootfs partition on sd1a and a swap partition on sd1b. Then you can proceed to create further partitions I took the partitions that are mentioned in auto layout. They looked reasonable for me. I added them with the a command. The predefined values are ok, but you need to tell the correct size. Use suffix g for Gigabytes (e.g. 120g for a 120 Gigabytes partition).

So, first make the root parition and swap, then continue with your custom layout. The last commands will write the disk label and quit.


> a a
> a b
> a
> a
 .
 .
 .
> w
> q

Here is what I partitioned on my 3 Terabyte hard drive:

/ 10g swap 16g /tmp 20g /usr 50g /usr/X11R6 20g /usr/local 300g /usr/obj 15g /usr/src 15g /var 70g /home (rest of the available space)

You just need to hit return when prompted for the last partition that gets the rest of the hard drive.

Install Sets

The installation process is intuitive and does not need to be documented here.

After it is finished it will drop you to the shell automatically.

Prepare EFI Boot Partition

The EFI boot partition is available using the device sd0i. This partition needs to be formated with an MS-DOS filesystem.

newfs_msdos /dev/rsd0i

Now the boot filesystem needs to be mounted and filled with contents.

mount /dev/sd0i /mnt2 mkdir -p /mnt2/efi/boot cp /mnt/usr/mdec/BOOTX64.EFI /mnt2/efi/boot

That's it! Unmount the boot filesystem and reboot.

umount /mnt2 reboot

Note, that the bootloader will prompt your for the full encryption passphrase pretty early after the BIOS POST.

» Scroll back to top