Setup OpenBSD 5.6 With Full Disk Encryption

Last Updated: Thu, Nov 6, 2014
Archived content

This article is outdated and may not work correctly for current operating systems or software.

This tutorial will show you how to setup OpenBSD 5.6 with a fully encrypted disk on your Vultr VPS. A note on the encryption part: Most datacenters around the world are quite secure facilities with excellent measures in place to prevent your data from physical access. Nevertheless, it is still possible that the server hosting your machine could be stolen. With encryption in place, this scenario would not affect you.

To start, you will need to obtain a copy of OpenBSD 5.6, which can be obtained directly from the OpenBSD project's servers. Upload the OpenBSD ISO to your Vultr control panel (which is located under /iso/). Now you can spin up a new instance. Since OpenBSD's resource requirements are very low, the smallest instance is perfectly fine.

After the Vultr installation process is finished, switch to your server's console view and press "s" to open up a shell. This should be done before starting the installer so that you can manually setup the encryption.

To find out the identifier of your primary hard disk, run the following command:

dmesg | grep "^[sw]d"

Most likely it's "sd0", so we'll assume this throughout the rest of the tutorial. To make sure there are no partitions left, you need to rewrite the MBR and the partition table:

fdisk -iy sd0

Partitioning is done with the disklabel utility:

disklabel -E sd0

You need two partitions. One swap-partition, with 1GB of space, and a special RAID-partition that will take up the rest of the space (this will be used for encryption). Since disklabel's syntax is quite uncommon, you can just copy/paste the following commands. If you want to learn more about their syntax, there is an excellent manpage:

a b

# Defaults are okay, size is "1g"

a a

# Defaults are okay, size is "*", type is "RAID"



Now, you need to encrypt the RAID-device. Use a good passphrase and make sure not to forget it. It is extremely hard (if not impossible) to recover a lost passphrase:

bioctl -c C -l /dev/sd0a softraid0

At this point, preparation work is done, and you can now switch back to the installer:


Start the installer by pressing "i", and proceed through the following steps:

  • Choose your keyboard layout.

  • Assign a hostname to the system.

  • Configure the network interface (It will most likely be vio0)).

  • Assign a default gateway.

  • Assign a DNS domain name and DNS servers.

  • Add a password for the administrative account.

  • Enable sshd and ntpd, but disable desktop-specific options such as xdm.

  • Add a non-privileged user (if desired).

  • Configure the timezone.

Now it's time to decide where OpenBSD should be installed. By entering "?", the OpenBSD installer will show you all of the available disks. The output should contain a line similar to the following:

sd1: SR CRYPTO (119.0G)

That is the right one to select. Select "Whole Disk" by entering "w", then accept "Auto layout" by entering "a".

Depending on the size of the hard disk, this process will take a few minutes. After it is finished, you can install all the necessary sets from "cd". The default options are perfectly fine, only when it comes to signature verification you need to replace the default answer with "yes" (unless you have downloaded the checksum beforehand). Again, this will take a few minutes.

Once the installation of the packages has completed, remove the image and "reboot" the server.

Congratulations, your fully encrypted server is online!

Want to contribute?

You could earn up to $600 by adding new articles.