When deploying a new server instance, one of the security best practices is to enable full disk encryption on the machine, adding a second layer of security to your data. This article explains how to set up an OpenBSD 7.0 server instance with full disk encryption at Vultr.
An active Vultr user account.
A modern web browser, such as Chrome or Firefox, that supports noVNC connections
Because the OpenBSD amd64 7.0 image is not in the public Vultr ISO Library yet, you need to upload it to Vultr by yourself.
Point your web browser to the official OpenBSD download page, and then find the download link to the OpenBSD amd64 7.0 image named install70.iso.
Log in to the Vultr Control Panel in a new browser window, navigate to the ISOs tab, and click the Add ISO button.
Copy the download link mentioned above, paste it into the text box on the page, and click the Upload button to start uploading.
If nothing goes wrong, the MD5 value of the uploaded OpenBSD amd64 7.0 image should be a6a8091dceaa6a88972902b6616b38e8. Delete the image and upload it again if you find a different MD5 value.
Having the OpenBSD amd64 7.0 image in place, hover your mouse over the blue + icon on the upper right corner of the Vultr Control Panel page, and then click Deploy New Server to deploy a new server instance.
Among other settings, in the Server Type section, be sure to choose install70.iso from the My ISOs line within the Upload ISO tab.
After your machine gets up and running, collect its networking information from the Settings tab in the Server Details page for later use. The IP addresses listed below are for demonstration purposes only.
IPv4 address: 203.0.113.100
Netmask: 255.255.254.0
Gateway: 203.0.113.1
Nameserver: 108.61.10.10 (Find it in the networking configuration page.)
Note: Some browser extensions, including but not limited to Vimium, could interfere with your input in the noVNC console window. Disable those extensions when using a noVNC console.
Click the View Console button on the upper right corner of the Server Details page to open a noVNC console window. Use this console window to access your server instance and begin the installation of OpenBSD amd64 7.0 with full disk encryption:
Welcome to the OpenBSD/amd64 7.0 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? sENTER
In the OpenBSD shell, use the following command to find any hard disks on your server instance:
# dmesg | grep "^[sw]d"ENTER
sd0 at scsibus0 targ 0 lun 0: <VirtIO, Block Device, >
...
As you see, sd0 stands for a single Small Computer System Interface (SCSI) hard disk on this machine, which is the most common configuration on Vultr.
To make the OpenBSD 7.0 system recognize that SCSI hard disk, create a device file with the same name sd0 in the system using the MAKEDEV script:
# cd /dev && sh MAKEDEV sd0ENTER
Optionally, overwrite the whole disk with random data to prevent unauthorized space usage deductions:
# dd if=/dev/urandom of=/dev/rsd0c bs=1mENTER
Use the fdisk command to write a default Master Boot Record (MBR) boot code to the sd0 disk:
# fdisk -iy sd0ENTER
Writing MBR at offset 0.
Create a partition layout on sd0 with the disklabel command, allocating all available disk space:
# disklabel -E sd0ENTER
Label editor (enter '?' for help at any prompt)
sd0> a aENTER
offset: [64] ENTER
size: [52420031] *ENTER
FS type: [4.2BSD] RAIDENTER
sd0*> wENTER
sd0> qENTER
Build an encrypted device named softraid0 with the sd0a partition:
# bioctl -c C -l sd0a softraid0ENTER
New passphrase: YourOwnPassphraseENTER
Re-type passphrase: YourOwnPassphraseENTER
sd1 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
...
softraid0: CRYPTO volume attached as sd1
Important: Don't lose the passphrase you input here, or you won't be able to access the data within the machine.
Create the required sd1 pseudo-device file:
# cd /dev && sh MAKEDEV sd1ENTER
Clear the first megabyte of sd1 for storing MBR data later:
# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1ENTER
Exit the OpenBSD shell and return to the welcome prompt:
# exitENTER
Start the installation:
Welcome to the OpenBSD/amd64 7.0 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? iENTER
Go through the installation program as follows to install OpenBSD amd64 7.0 with full disk encryption for production. Main points you should know during the installation:
Replace all example networking configurations with your own.
For security purposes, set strong passwords for the root user and the newly created user, and do not allow root to log in from SSH.
The X Window System and games are unnecessary for building a production website. De-select those sets to save disk space.
Be sure to input sd1 as the root disk.
Because the matching SHA256 signature is not uploaded, input yes to continue the installation.
Choose your keyboard layout ('?' or 'L' for list) [default] ENTER
System hostname? (short form, e.g. 'foo') openbsdENTER
Available network interfaces are vio0 vlan0.
Which network interface do you wish to configure? (or 'done') [vio0] ENTER
IPv4 address for vio0? (or 'autoconf' or 'none') [autoconf] 203.0.113.100ENTER
Netmask for vio0? [255.255.255.0] 255.255.254.0ENTER
IPv6 address for vio0? (or 'autoconf' or 'none') [none]ENTER
Available network interfaces are: vio0 vlan0.
Which network interface do you wish to configure? (or 'done') [done]ENTER
Default Ipv4 route? (IPv4 address or none) 203.0.113.1ENTER
add net default: gateway 203.0.113.1
DNS domain name? (e.g. 'example.com') [my.domain] example.comENTER
DNS nameservers? (IP address list or 'none') [none] 108.61.10.10ENTER
Password for root account? (will not echo) YourOwnRootPasswordENTER
Password for root account? (again) YourOwnRootPasswordENTER
Start sshd(8) by default? [yes] ENTER
Do you expect to run the X Window System? [yes] noENTER
Setup a user? (enter a lower-case loginname, or 'no') [no] johndoeENTER
Full name for user johndoe [johndoe] John DoeENTER
Password for user johndoe? (will not echo) YourOwnUserPasswordENTER
Password for user johndoe? (again) YourOwnUserPasswordENTER
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? (yes, no, prohibit-password) [no] ENTER
What timezone are you in? ('?' for list) [US/Pacific] ENTER
Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0] sd1ENTER
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] ENTER
...
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] ENTER
...
Available disks are sd0.
Which disk do you wish to initialize? (or 'done') [done] ENTER
...
Let's install the sets!
Location of sets? (cd0 disk http nfs or 'done') [cd0] ENTER
Pathname to the sets? (or 'done') [7.0/amd64] ENTER
Select sets by entering a set name, a file name pattern or 'all'. De-select sets by
prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
...
Set name(s)? (or 'abort' or 'done') [done] -game* -x*ENTER
Set name(s)? (or 'abort' or 'done') [done] ENTER
Directory does not contain SHA256.sig. Continue without verification? [no] yesENTER
...
Location of sets? (cd0 disk http nfs or 'done') [done] ENTER
...
CONGRATULATIONS! Your OpenBSD install has been successfully completed!
...
Exit to (S)hell, (H)alt or (R)eboot? [reboot] ENTER
Having OpenBSD 7.0 installed, you need to make the system boot from the hard disk other than the OpenBSD amd64 7.0 ISO image. To do so, Return to the Server Details page of your machine in the Vultr Control Panel, click the Remove ISO button in the Custom ISO column in the Settings tab.
Open a new noVNC console window.
Input the passphrase you set up earlier to start the fully encrypted system.
Log in as root from the same noVNC console window.
Grant doas permissions to the newly created johndoe user:
# user mod -G wheel johndoeENTER
# echo "permit persist :wheel" >> /etc/doas.confENTER
Patch and then reboot the system:
# syspatchENTER
# shutdown -r nowENTER
After the system gets up and running again, input your passphrase to start the system.
On your desktop machine, create a public/private RSA key pair and then upload the public key to your OpenBSD server instance:
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/johndoe.openbsd.key -C "John Doe on OpenBSD"ENTER
$ ssh-copy-id -i ~/.ssh/johndoe.openbsd.key.pub johndoe@203.0.113.100ENTER
Login in to your OpenBSD as johndoe from an SSH console, and then disable password authentication as follows:
$ ssh johndoe@203.0.113.100ENTER
$ doas sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_configENTER
$ doas /etc/rc.d/sshd restartENTER
From now on, log in from SSH with your private key:
$ ssh -i ~/.ssh/johndoe.openbsd.key johndoe@203.0.113.100ENTER
Learn more about OpenBSD by visiting the following pages:
Detailed explanations to doas.