e1e0.net

sources for e1e0 website
git clone https://git.e1e0.net/e1e0.net.git

openbsd-encrypt-usb-flash-drive.md (2225B)


Title: Encrypt a USB flash drive on OpenBSD.
Author: paco
Date: 2019-08-24
Type: article

These are some notes on encrypting a USB flash drive on OpenBSD.  They are taken
from the [OpenBSD FAQ][1], with a bit more explanation so I can remember what
it's all about.

Of course, you should not trust anything I say here and check the [bioctl(8)][2]
man page and the already mentioned FAQ.

In this example we assume the USB drive is `sd3`.  All commands have to be
executed by `root` (hence the `#`) or using `doas(1)`.

The first time, to create the encrypted drive, it is recommended to write
random data to the disk.

    # dd if=/dev/urandom of=/dev/rsd3c bs=1m

Then partition the disk (`-i` reinitializes the partition table and `-y`
answers yes to all prompts).

    # fdisk -iy sd3

After that, create a partition of type `RAID` with `disklabel(8)`.  This command
is interactive; check the man page for details.  It is quite easy.

    # disklabel -E sd3

Now you can create the encrypted volume.  The parameter `-c` specifies the
`RAID` level for our volume; `C` is a `CRYPTO` volume.  `-l sd3a` specifies the
_chunk device_ to use.  And `softraid0` is the `softraid(4)` device.

    # bioctl -c C -l sd3a softraid0

That will ask for the password twice and then respond with the newly created
device:

    softraid0: CRYPTO volume attached as sd4

We can "clear" the start of the new device by writing zeros to it, then
initialize the device and create a partition (`i` in this case, usually
reserved for partitions outside the disklabel, like MS-DOS partitions).

    # dd if=/dev/zero of=/dev/rsd4c bs=1m count=1
    # fdisk -iy sd4
    # disklabel -E sd4

Now create the file system on the new partition and mount it:

    # newfs sd4i
    # mount /dev/sd4i /mnt/secretstuff

To remove the device, unmount it and then detach the crypto device:

    # umount /mnt/secretstuff
    # bioctl -d sd4

In order to mount the device again, you have to attach it again with the same
command you used to create the crypto device, and then mount it:

    # bioctl -c C -l sd3a softraid0
    # mount /dev/sd4i /mnt/secretstuff

Remember to unmount and detach before removing it.

[1]: https://www.openbsd.org/faq/faq14.html#softraid
[2]: https://man.openbsd.org/bioctl.8
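
The attach, mount and detach steps above can be wrapped so that the volume name is read from the "attached as" line that bioctl prints instead of being typed in as `sd4`. This is an added example, not part of the original notes; the function names are hypothetical, and it assumes the status line reaches stdout or stderr while the passphrase prompt goes to the terminal.

```sh
#!/bin/sh
# Added example: function names are hypothetical, not from the article.

# Read bioctl(8) output on stdin and print the attached device name (e.g. sd4),
# taken from the "CRYPTO volume attached as sdN" line shown above.
parse_attached_dev() {
    sed -n 's/^softraid[0-9]*: CRYPTO volume attached as \(sd[0-9][0-9]*\)$/\1/p' |
        head -n 1
}

# Attach the chunk (e.g. sd3a), mount partition i of whatever device the
# kernel assigned, and print that device name for the later detach.
# Assumption: the passphrase prompt goes to the terminal while the status
# line goes to stdout or stderr, so both streams are captured.
attach_and_mount() {
    am_chunk=$1
    am_mnt=$2
    am_out=$(bioctl -c C -l "$am_chunk" softraid0 2>&1) || {
        echo "attach failed: $am_out" >&2
        return 1
    }
    am_dev=$(printf '%s\n' "$am_out" | parse_attached_dev)
    if [ -z "$am_dev" ]; then
        echo "no attached device found in: $am_out" >&2
        return 1
    fi
    if ! mount "/dev/${am_dev}i" "$am_mnt"; then
        # Do not leave the decrypted volume attached if the mount fails.
        bioctl -d "$am_dev"
        return 1
    fi
    echo "$am_dev"
}

# Unmount first, then detach the crypto volume, in the order the article gives.
umount_and_detach() {
    umount "$1" && bioctl -d "$2"
}

# Usage (as root or via doas):
#   dev=$(attach_and_mount sd3a /mnt/secretstuff)
#   umount_and_detach /mnt/secretstuff "$dev"
```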