Encrypting Disk Partitions

[OpenBSD 4.6]

Table of Contents
  1. Partition
  2. vnode disk driver
  3. Partition Encryption Node
  4. New File System
  5. File System Table

Full disk encryption is not supported, and these notes review the use of the svnd device for configuring encrypted partitions.

First, install OpenBSD, creating and mounting the home partition as usual.

Now, as root, do the following (throughout these notes, DEVICE_PARTITION stands for the partition you are encrypting and /mntpoint for its mount point):

Partition

Pick the partition, or new drive, you wish to encrypt.

Make sure it isn't mounted by running the following command:

    umount /mntpoint

vnode disk driver

[ vnd(4), vnconfig(8) ]

The vnode disk driver supports associating the special file vnd_dev with a regular file, or partition.

For our example, we'll associate the safe vnode disk device svnd0 with the physical partition.

    vnconfig -k svnd0 /dev/DEVICE_PARTITION

Where DEVICE_PARTITION is a device partition such as sd0d or sd2f.

The above command associates an encryption key with the device; you will be prompted for a password at the following prompt:

    Encryption key:

We now have a vnode encrypted device at /dev/DEVICE_PARTITION.

Partition Encryption Node

Create partition a on the encrypted device:

    disklabel -E /dev/DEVICE_PARTITION

Where DEVICE_PARTITION is a device partition such as sd0d or sd2f.

New File System

Create a new filesystem on the encrypted node.


Where DEVICE_PARTITION is a device partition such as sd0d or sd2f.

File System Table

Now, set up the /mntpoint partition in fstab:

    /dev/DEVICE_PARTITION /mntpoint ffs rw,nodev,nosuid 1 0

Test that this configuration works by running:

    mount /mntpoint

The final step is to ensure that the encrypted node is associated with the partition on startup. First, we need to set the partition type to "unknown", or OpenBSD will complain that the type does not match fstab on startup. To do this run:

    disklabel -E /dev/DEVICE_PARTITION

Use the command interface to change the partition type. Now add a line like the following before the line that mounts /mntpoint in fstab:

    /dev/DEVICE_PARTITION /dev/svnd0c vnd rw,nodev,nosuid,-k 1 0

Reboot to test that this works. You should be prompted for a decryption password on startup.

OpenBSD uses the password you enter to decrypt the device, but it does not validate the password. If you enter your password incorrectly, the mount process will fail horribly and you will have to unmount all the mounted devices and remount manually.

Note that we have turned fsck off (pass number 0) for both lines - this is necessary because fsck tries to run before the encrypted node is mounted.
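The two fstab lines above have to satisfy three constraints that are easy to get wrong by hand: the vnd line must carry -k so vnconfig prompts for the key at boot, it must come before the line that mounts the decrypted partition, and both lines must have fsck pass 0. The following script is an added example (not part of the original notes) that generates the two lines in the page's format and checks an existing fstab for those constraints. It assumes, as the "create partition a on the encrypted device" step implies, that the file system lives on partition a of the vnode device (/dev/svnd0a); the physical partition sd0d and the mount point /home are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumed names: physical
# partition sd0d, vnode device svnd0 (file system on /dev/svnd0a), mount
# point /home.

# Emit the vnd line followed by the ffs line, in the order the notes
# require. -k makes vnconfig prompt for the key at boot; the trailing
# "1 0" sets dump frequency 1 and fsck pass 0 on both lines.
gen_fstab_lines() {
    phys="$1"; vnd="$2"; mnt="$3"
    printf '%s %s vnd rw,nodev,nosuid,-k 1 0\n' "/dev/$phys" "/dev/${vnd}c"
    printf '%s %s ffs rw,nodev,nosuid 1 0\n' "/dev/${vnd}a" "$mnt"
}

# Read an fstab on stdin and check the three properties the notes depend
# on for vnode device $1: the vnd line exists with -k and fsck pass 0,
# the ffs line on that device has fsck pass 0, and the vnd line comes
# first. Returns 0 when all hold, 1 otherwise, naming each violation.
check_fstab() {
    vnd="$1"
    awk -v vnd="$vnd" '
        $1 !~ /^#/ && $3 == "vnd" && $2 == "/dev/" vnd "c" {
            vndline = NR
            if ($4 !~ /(^|,)-k(,|$)/) { print "vnd line lacks -k"; bad = 1 }
            if ($6 != "0") { print "vnd line has fsck pass " $6; bad = 1 }
        }
        $1 !~ /^#/ && $3 == "ffs" && $1 ~ "^/dev/" vnd "[a-p]$" {
            ffsline = NR
            if ($6 != "0") { print "ffs line has fsck pass " $6; bad = 1 }
            if (!vndline) { print "ffs line precedes vnd line"; bad = 1 }
        }
        END {
            if (!vndline) { print "no vnd line for " vnd; bad = 1 }
            if (!ffsline) { print "no ffs line on " vnd; bad = 1 }
            exit bad ? 1 : 0
        }'
}

# Demonstration on the constructed sample values.
gen_fstab_lines sd0d svnd0 /home | check_fstab svnd0 \
    && echo "fstab ordering and fsck settings look right"
```

To audit a real system, run `check_fstab svnd0 < /etc/fstab`; a non-zero exit with a message such as "ffs line precedes vnd line" points at the exact mistake that produces the failed mount described above.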