Encrypt a USB flash drive on OpenBSD.

2019-08-24

These are some notes on encrypting a USB flash drive on OpenBSD. They are taken from the OpenBSD FAQ, with a bit more explanation so I can remember what it's all about.

Of course, you should not trust anything I say here: check the bioctl(8) man page and the already mentioned FAQ.

In this example we assume the USB drive is sd3. All commands have to be executed as root (hence the #) or using doas(1).

The first time, when creating the encrypted drive, it is recommended to write random data to the disk. This overwrites everything on sd3.

# dd if=/dev/urandom of=/dev/rsd3c bs=1m

Then partition the disk (-i reinitializes the partition table and -y answers yes to all prompts).

# fdisk -iy sd3

After that, create a partition of type RAID with disklabel(8). This command is interactive; check the man page for details. It is quite easy.

# disklabel -E sd3

Now you can create the encrypted volume. The parameter -c specifies the RAID level for our volume; C is a CRYPTO volume. -l sd3a specifies the chunk device to use (the RAID partition created above), and softraid0 is the softraid(4) device.

# bioctl -c C -l sd3a softraid0

That will ask for the password twice and then respond with the newly created device:

softraid0: CRYPTO volume attached as sd4

We can "clear" the start of the new device by writing zeros over its first megabyte, then initialize the device and create a partition (i in this case, a letter usually reserved for partitions outside the disklabel, like MS-DOS partitions).

# dd if=/dev/zero of=/dev/rsd4c bs=1m count=1
# fdisk -iy sd4
# disklabel -E sd4

Now create the file system on the new partition and mount it:

# newfs sd4i
# mount /dev/sd4i /mnt/secretstuff

To remove the device, unmount it and then detach the crypto device:

# umount /mnt/secretstuff
# bioctl -d sd4

In order to mount the device again, you have to attach it again with the same command you used to create the crypto device, and then mount it:

# bioctl -c C -l sd3a softraid0
# mount /dev/sd4i /mnt/secretstuff

Remember to unmount and detach before removing it.
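
The attach, mount and detach steps above, wrapped in a small script as an added example (not part of the original notes or of OpenBSD). It mounts whichever device softraid reports instead of assuming sd4, which may differ when other disks are present. The function names are hypothetical, and it assumes bioctl prints the "attached as" line shown earlier.

```shell
#!/bin/sh
# Added example: reattach the CRYPTO volume and mount the device that
# softraid actually assigned, rather than hard-coding sd4.

# Read bioctl output on stdin and print the attached device name.
# Returns 1 unless a line matches exactly and names an sdN device.
attached_device() {
	dev=$(sed -n 's/^softraid[0-9]*: CRYPTO volume attached as \(sd[0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1)
	[ -n "$dev" ] || return 1
	printf '%s\n' "$dev"
}

# Attach chunk $1 (e.g. sd3a) and mount partition i of the volume on $2.
attach_and_mount() {
	chunk=$1 mnt=$2
	# The passphrase prompt goes to the terminal; messages are captured.
	out=$(bioctl -c C -l "$chunk" softraid0 2>&1) || {
		printf '%s\n' "$out" >&2
		return 1
	}
	vol=$(printf '%s\n' "$out" | attached_device) || {
		echo "no attached device found in: $out" >&2
		return 1
	}
	# If the mount fails, do not leave the decrypted volume attached.
	mount "/dev/${vol}i" "$mnt" || { bioctl -d "$vol"; return 1; }
	echo "$vol"
}

# Unmount $1, then detach volume $2; the detach is skipped if umount fails.
unmount_and_detach() {
	umount "$1" && bioctl -d "$2"
}

# Usage: script attach sd3a /mnt/secretstuff
#        script detach /mnt/secretstuff sd4
case "${1:-}" in
attach) attach_and_mount "$2" "$3" ;;
detach) unmount_and_detach "$2" "$3" ;;
esac
```

The attach call prints the volume name, which is the value to pass to the detach call later.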
