When deploying a new server instance, one of the security best practices is to enable full disk encryption on the machine, adding a second layer of security to your data. This article explains how to set up an OpenBSD 7.0 server instance with full disk encryption at Vultr.
An active Vultr user account.
A modern web browser, such as Chrome or Firefox, that supports noVNC connections
Because the OpenBSD amd64 7.0 image is not in the public Vultr ISO Library yet, you need to upload it to Vultr by yourself.
Point your web browser to the official OpenBSD download page, and then find the download link to the OpenBSD amd64 7.0 image named install70.iso.
Log in to the Vultr Control Panel in a new browser window, navigate to the ISOs tab, and click the Add ISO button.
Copy the download link mentioned above, paste it into the text box on the page, and click the Upload button to start uploading.
If nothing goes wrong, the MD5 value of the uploaded OpenBSD amd64 7.0 image should be a6a8091dceaa6a88972902b6616b38e8. Delete the image and upload it again if you find a different MD5 value.
Having the OpenBSD amd64 7.0 image in place, hover your mouse over the blue + icon on the upper right corner of the Vultr Control Panel page, and then click Deploy New Server to deploy a new server instance.
Among other settings, in the Server Type section, be sure to choose install70.iso from the My ISOs line within the Upload ISO tab.
After your machine gets up and running, collect its networking information from the Settings tab in the Server Details page for later use. The IP addresses listed below are for demonstration purposes only.
IPv4 address: 203.0.113.100
Nameserver: 18.104.22.168 (Find it in the networking configuration page.)
Note: Some browser extensions, including but not limited to Vimium, could interfere with your input in the noVNC console window. Disable those extensions when using a noVNC console.
Click the View Console button on the upper right corner of the Server Details page to open a noVNC console window. Use this console window to access your server instance and begin the installation of OpenBSD amd64 7.0 with full disk encryption:
Welcome to the OpenBSD/amd64 7.0 installation program. (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? sENTER
In the OpenBSD shell, use the following command to find any hard disks on your server instance:
# dmesg | grep "^[sw]d"ENTER sd0 at scsibus0 targ 0 lun 0: <VirtIO, Block Device, > ...
As you see, sd0 stands for a single Small Computer System Interface (SCSI) hard disk on this machine, which is the most common configuration on Vultr.
To make the OpenBSD 7.0 system recognize that SCSI hard disk, create a device file with the same name sd0 in the system using the MAKEDEV script:
# cd /dev && sh MAKEDEV sd0ENTER
Optionally, overwrite the whole disk with random data to prevent unauthorized space usage deductions:
# dd if=/dev/urandom of=/dev/rsd0c bs=1mENTER
Use the fdisk command to write a default Master Boot Record (MBR) boot code to the sd0 disk:
# fdisk -iy sd0ENTER Writing MBR at offset 0.
Create a partition layout on sd0 with the disklabel command, allocating all available disk space:
# disklabel -E sd0ENTER Label editor (enter '?' for help at any prompt) sd0> a aENTER offset:  ENTER size:  *ENTER FS type: [4.2BSD] RAIDENTER sd0*> wENTER sd0> qENTER
Build an encrypted device named softraid0 with the sd0a partition:
# bioctl -c C -l sd0a softraid0ENTER New passphrase: YourOwnPassphraseENTER Re-type passphrase: YourOwnPassphraseENTER sd1 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> ... softraid0: CRYPTO volume attached as sd1
Important: Don't lose the passphrase you input here, or you won't be able to access the data within the machine.
Create the required sd1 pseudo-device file:
# cd /dev && sh MAKEDEV sd1ENTER
Clear the first megabyte of sd1 for storing MBR data later:
# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1ENTER
Exit the OpenBSD shell and return to the welcome prompt:
Start the installation:
Welcome to the OpenBSD/amd64 7.0 installation program. (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? iENTER
Go through the installation program as follows to install OpenBSD amd64 7.0 with full disk encryption for production. Main points you should know during the installation:
Replace all example networking configurations with your own.
For security purposes, set strong passwords for the root user and the newly created user, and do not allow root to log in from SSH.
The X Window System and games are unnecessary for building a production website. De-select those sets to save disk space.
Be sure to input sd1 as the root disk.
Because the matching SHA256 signature is not uploaded, input yes to continue the installation.
Choose your keyboard layout ('?' or 'L' for list) [default] ENTER System hostname? (short form, e.g. 'foo') openbsdENTER Available network interfaces are vio0 vlan0. Which network interface do you wish to configure? (or 'done') [vio0] ENTER IPv4 address for vio0? (or 'autoconf' or 'none') [autoconf] 203.0.113.100ENTER Netmask for vio0? [255.255.255.0] 255.255.254.0ENTER IPv6 address for vio0? (or 'autoconf' or 'none') [none]ENTER Available network interfaces are: vio0 vlan0. Which network interface do you wish to configure? (or 'done') [done]ENTER Default Ipv4 route? (IPv4 address or none) 203.0.113.1ENTER add net default: gateway 203.0.113.1 DNS domain name? (e.g. 'example.com') [my.domain] example.comENTER DNS nameservers? (IP address list or 'none') [none] 22.214.171.124ENTER Password for root account? (will not echo) YourOwnRootPasswordENTER Password for root account? (again) YourOwnRootPasswordENTER Start sshd(8) by default? [yes] ENTER Do you expect to run the X Window System? [yes] noENTER Setup a user? (enter a lower-case loginname, or 'no') [no] johndoeENTER Full name for user johndoe [johndoe] John DoeENTER Password for user johndoe? (will not echo) YourOwnUserPasswordENTER Password for user johndoe? (again) YourOwnUserPasswordENTER WARNING: root is targeted by password guessing attacks, pubkeys are safer. Allow root ssh login? (yes, no, prohibit-password) [no] ENTER What timezone are you in? ('?' for list) [US/Pacific] ENTER Available disks are: sd0 sd1. Which disk is the root disk? ('?' for details) [sd0] sd1ENTER No valid MBR or GPT. Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] ENTER ... Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] ENTER ... Available disks are sd0. Which disk do you wish to initialize? (or 'done') [done] ENTER ... Let's install the sets! Location of sets? (cd0 disk http nfs or 'done') [cd0] ENTER Pathname to the sets? (or 'done') [7.0/amd64] ENTER Select sets by entering a set name, a file name pattern or 'all'. De-select sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'. ... Set name(s)? (or 'abort' or 'done') [done] -game* -x*ENTER Set name(s)? (or 'abort' or 'done') [done] ENTER Directory does not contain SHA256.sig. Continue without verification? [no] yesENTER ... Location of sets? (cd0 disk http nfs or 'done') [done] ENTER ... CONGRATULATIONS! Your OpenBSD install has been successfully completed! ... Exit to (S)hell, (H)alt or (R)eboot? [reboot] ENTER
Having OpenBSD 7.0 installed, you need to make the system boot from the hard disk other than the OpenBSD amd64 7.0 ISO image. To do so, Return to the Server Details page of your machine in the Vultr Control Panel, click the Remove ISO button in the Custom ISO column in the Settings tab.
Open a new noVNC console window.
Input the passphrase you set up earlier to start the fully encrypted system.
Log in as root from the same noVNC console window.
Grant doas permissions to the newly created johndoe user:
# user mod -G wheel johndoeENTER # echo "permit persist :wheel" >> /etc/doas.confENTER
Patch and then reboot the system:
# syspatchENTER # shutdown -r nowENTER
After the system gets up and running again, input your passphrase to start the system.
On your desktop machine, create a public/private RSA key pair and then upload the public key to your OpenBSD server instance:
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/johndoe.openbsd.key -C "John Doe on OpenBSD"ENTER $ ssh-copy-id -i ~/.ssh/johndoe.openbsd.key.pub firstname.lastname@example.orgENTER
Login in to your OpenBSD as johndoe from an SSH console, and then disable password authentication as follows:
$ ssh email@example.comENTER $ doas sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_configENTER $ doas /etc/rc.d/sshd restartENTER
From now on, log in from SSH with your private key:
$ ssh -i ~/.ssh/johndoe.openbsd.key firstname.lastname@example.orgENTER
Learn more about OpenBSD by visiting the following pages:
Detailed explanations to doas.