Title: Encrypt a USB flash drive on OpenBSD.
Author: paco
Date: 2019-08-24
Type: article

These are some notes on encrypting a USB flash drive on OpenBSD. They are taken
from the [OpenBSD FAQ][1], with a bit more explanation so I can remember what
it's all about.

Of course, you should not trust anything I say here; check the [bioctl(8)][2]
man page and the already mentioned FAQ.

In this example we assume the USB drive is `sd3`. All commands have to be
executed by `root` (hence the `#`) or using `doas(1)`.

Before creating the encrypted drive for the first time, it is recommended to
write random data to the disk.

    # dd if=/dev/urandom of=/dev/rsd3c bs=1m

Then partition the disk (`-i` reinitializes the partition table and `-y`
answers yes to all prompts).

    # fdisk -iy sd3

After that, create a partition of type `RAID` with `disklabel(8)`. This command
is interactive; check the man page for details. It is quite easy.

    # disklabel -E sd3

Now you can create the encrypted volume. The parameter `-c` specifies the
`RAID` level for our volume; `C` is a `CRYPTO` volume. `-l sd3a` specifies the
_chunk device_ to use, and `softraid0` is the `softraid(4)` device.

    # bioctl -c C -l sd3a softraid0

That will ask for the password twice and respond with the newly created
device:

    softraid0: CRYPTO volume attached as sd4

We can "clear" the start of the new device by writing zeros to it, then
initialize the device and create a partition (`i` in this case, usually
reserved for partitions outside the disklabel, such as MS-DOS partitions).

    # dd if=/dev/zero of=/dev/rsd4c bs=1m count=1
    # fdisk -iy sd4
    # disklabel -E sd4

Now create the file system on the new partition and mount it:

    # newfs sd4i
    # mount /dev/sd4i /mnt/secretstuff

To remove the device, unmount it and then detach the crypto device:

    # umount /mnt/secretstuff
    # bioctl -d sd4

In order to mount the device again, you have to attach it again with the same
command you used to create the crypto device, and then mount it:

    # bioctl -c C -l sd3a softraid0
    # mount /dev/sd4i /mnt/secretstuff

Remember to unmount and detach before removing it.
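
The attach/mount and unmount/detach steps above, wrapped in a small script that reads the device name from bioctl's status line instead of assuming the volume always comes up as `sd4`. This is an added example, not code from the FAQ or from the original notes; the function names and the `CHUNK` and `MNT` variables are hypothetical, and it assumes bioctl prompts for the passphrase on the terminal and reports the status line in the format shown above.

```sh
#!/bin/sh
# Added example (not from the FAQ): open/close the volume without assuming sd4.
CHUNK=${CHUNK:-sd3a}            # RAID partition on the flash drive, as above
MNT=${MNT:-/mnt/secretstuff}    # mount point, as above

# Print the device named in a status line such as
#   softraid0: CRYPTO volume attached as sd4
# The pattern is anchored so that nothing but sdN can reach mount(8).
# Returns 1 and prints nothing when no such line is present.
attached_dev() {
    dev=$(printf '%s\n' "$1" |
        sed -n 's/^softraid[0-9]*: CRYPTO volume attached as \(sd[0-9][0-9]*\)$/\1/p' |
        head -n 1)
    [ -n "$dev" ] && printf '%s\n' "$dev"
}

# Attach the chunk, mount partition i of the reported device, print its name.
# Assumption: bioctl writes the status line to stdout or stderr (both captured).
open_volume() {
    out=$(bioctl -c C -l "$CHUNK" softraid0 2>&1) || { echo "$out" >&2; return 1; }
    dev=$(attached_dev "$out") || { echo "unexpected output: $out" >&2; return 1; }
    if ! mount "/dev/${dev}i" "$MNT"; then
        bioctl -d "$dev"        # do not leave the volume unlocked on failure
        return 1
    fi
    echo "$dev"
}

# Unmount, then detach; a failed umount leaves the volume attached.
close_volume() {
    umount "$MNT" || return 1
    bioctl -d "$1"
}

case "${1:-}" in
    open)  open_volume ;;
    close) close_volume "${2:?usage: close sdN}" ;;
esac
```

Run it as `root` with `open`, note the device name it prints, and pass that name to `close` before pulling the drive.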
[1]: https://www.openbsd.org/faq/faq14.html#softraid
[2]: https://man.openbsd.org/bioctl.8