OpenBSD 6.7 Server - Whole Disk Encryption Howto
The setup of the whole disk encryption takes 3 minutes, the tutorial will guide you through the whole installation process, though.
The tutorial assumes that the hard disk of the server has been already formatted.
The disk names on the used servers are sd0,sd0a and sd1. Change those to wd0, wd0a and wd1, if needed.
cd /dev
sh MAKEDEV sd0
fdisk -iy sd0
disklabel -E sd0
a
a
512
#Confirm with enter to use the whole remaining disk space
Enter
RAID
w
q
#bioctl changes or sets the disk password
bioctl -c C -l sd0a softraid0
<type in your password>
install
The following steps correspond to a standard install.
The X-Windows system wont be used, since we are running a headless server.
Do you expect to run the X Window System noSince the root account is a common attack target, it is recommended to disable the password based login for the root user and use a ssh key instead.
prohibit-password
Chosse sd1 in the next step.
Confirm the preselected choice [whole] with enter.
Use the Auto layout, confirm the preselected choice again.
After the disk layout configuration has been finished, confirm the question if you want to initialize the disk.
Which disk do you wish to initialize? [done] doneThe last step is the choice of sets. The download time took 20-25 minutes, while this tutorial has been written.
Location of sets? http
HTTP proxy URL? none
HTTP Server ? Use the preselected choice, in the tutorials case ftp.eu.openbsd.org
Server directory? Use the preselected choice, in the tutorials case pub/OpenBSD/6.7/amd6
Confirm the location of sets question with done
Location of sets? (cd0 disk http nfs or 'done') [done] doneAfter the message “Relinking to create unique kernel” appears the hint, that the OpenBSD install has finished successfully. You can now reboot the server.
If everything has gone well, you’ll be greated with the following login mask, after the reboot:
Type in your disk password and the server will start in a few seconds.