add keydisk to FDE FAQ


quisquous
Here's a patch to add instructions for using a keydisk to the FAQ, as
promised: https://marc.info/?l=openbsd-bugs&m=150776298218879&w=2

I tried refactoring to reduce the redundancy between the passphrase and
keydisk methods in the FAQ, but it came out more difficult to read, so I
went with being clearer but more verbose.

diff --git faq/faq14.html faq/faq14.html
index 545083781..a4ec26bb5 100644
--- faq/faq14.html
+++ faq/faq14.html
@@ -749,6 +749,146 @@ Which disk is the root disk? ('?' for details) [sd0] <b>sd1</b>
 You will be prompted for the passphrase on startup, but all other operations
 should be handled transparently.
 
+<h4 id="softraidFDEkeydisk">Using a Keydisk</h4>
+
+As an alternative to using a passphrase, its possible to use a key stored on a
+separate disk (i.e. a USB stick) to unlock your encrypted disk. Let's start
+over and this time we'll use a "keydisk":
+
+<p>
+Select (S)hell at the initial prompt.
+
+<blockquote><pre>
+Welcome to the OpenBSD/amd64 X.X installation program.
+(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? <b>s</b>
+</pre></blockquote>
+
+From here, you'll be given a shell within the live environment to manipulate
+the disks.
+For this example, we will install to the <tt>sd0</tt> SATA drive, erasing all
+of its previous contents.
+You may want to write random data to the drive first with something like the
+following:
+
+<blockquote><pre>
+# <b>dd if=/dev/random of=/dev/rsd0c bs=1m</b>
+</pre></blockquote>
+
+This can be a very time-consuming process, depending on the speed of your
+CPU and disk, as well as the size of the disk.
+If you don't write random data to the whole device, it may be possible for an
+adversary to deduce how much space is actually being used.
+
+<p>
+Next, we'll initialize the disk with
+<a href="https://man.openbsd.org/fdisk">fdisk(8)</a> and create the softraid
+partition with <a href="https://man.openbsd.org/disklabel">disklabel(8)</a>.
+
+<p>
+If you're booting from MBR, do:
+
+<blockquote><pre>
+# <b>fdisk -iy sd0</b>
+</pre></blockquote>
+
+If you use GPT for UEFI booting, do:
+
+<blockquote><pre>
+# <b>fdisk -iy -g -b 960 sd0</b>
+</pre></blockquote>
+
+Next, create the partition layout:
+
+<blockquote><pre>
+# <b>disklabel -E sd0</b>
+Label editor (enter '?' for help at any prompt)
+> <b>a a</b> <!-- sparc64 users MUST use 'a a' here -->
+offset: [64]
+size: [39825135] <b>*</b>
+FS type: [4.2BSD] <b>RAID</b>
+> <b>w</b>
+> <b>q</b>
+No label changes.
+</pre></blockquote>
+
+We'll use the entire disk, but note that the encrypted device can be
+split up into multiple partitions as if it were a regular hard drive.
+
+<p>
+Next, we'll setup a keydisk. We'll use the <tt>sd1</tt> SATA drive for our
+keydisk in this example, erasing all of its previous contents.  Since the
+installer does not have many device nodes by default, we'll make sure the
+<tt>/dev/sd1</tt> and <tt>/dev/sd2</tt> devices are there, because we need
+them for this example.
+
+<blockquote><pre>
+# <b>cd /dev && sh MAKEDEV sd1 sd2</b>
+</pre></blockquote>
+
+The installer expects the keydisk to have room set aside for a copy of the
+boot blocks (too), so if you're booting from MBR, do:
+
+<blockquote><pre>
+# <b>fdisk -iy sd1</b>
+</pre></blockquote>
+
+If you use GPT for UEFI booting, do:
+
+<blockquote><pre>
+# <b>fdisk -iy -g -b 960 sd1</b>
+</pre></blockquote>
+
+Then create the partition layout for the keydisk, with a 1 MB RAID partition for
+the key data:
+
+<blockquote><pre>
+# <b>disklabel -E sd1</b>
+Label editor (enter '?' for help at any prompt)
+> <b>a a</b>                    <!-- sparc64 users MUST use 'a a' here -->
+offset: [64]
+size: [1741795] <b>1M</b>
+FS type: [4.2BSD] <b>RAID</b>
+> <b>w</b>
+> <b>q</b>
+No label changes.
+</pre></blockquote>
+
+<p>
+Now we can build the encrypted device on our "a" partition. This time we'll
+use the -k option to use our keydisk instead of a passphrase.
+
+<blockquote><pre>
+# <b>bioctl -c C -k sd1a -l sd0a softraid0</b>
+sd2 at scsibus3 targ 1 lun 0: &lt;OPENBSD, SR CRYPTO, 005&gt; SCSI2 0/direct fixed
+sd2: 19445MB, 512 bytes/sector, 39824607 sectors
+softraid0: CRYPTO volume attached as sd2
+</pre></blockquote>
+
+You won't be prompted to enter a passphrase (this time), because the keydisk
+was used instead.
+All data written to <tt>sd2</tt> will now be encrypted with AES in XTS mode.
+
+<p>
+As in the previous example, we'll overwrite the first megabyte of our new
+pseudo-device.
+
+<blockquote><pre>
+# <b>dd if=/dev/zero of=/dev/rsd2c bs=1m count=1</b>
+</pre></blockquote>
+
+Type <tt>exit</tt> to return to the main installer, then choose this new
+device as the one for your installation.
+
+<blockquote><pre>
+[...]
+Available disks are: sd0 sd1 sd2.
+Which disk is the root disk? ('?' for details) [sd0] <b>sd2</b>
+</pre></blockquote>
+
+Make sure your keydisk is plugged in at startup, or you'll see error messages
+and be unable to boot. If you lose your keydisk or it gets corrupted, you will
+lose access to your encrypted disk.
+
 <h3 id="softraidCrypto">Encrypting external disks</h3>
 
 This section explains how you might set up a cryptographic softraid volume
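
Review bot: The closing warning (the paragraph beginning "Make sure your keydisk is plugged in at startup") covers loss and corruption of the keydisk but not the other side of the trade. The text above says no passphrase is prompted for, so anyone who holds the keydisk can unlock the volume; suggest one sentence saying the keydisk has to be physically protected like the key it is, plus a recommendation to keep a backup copy of the keydisk's RAID partition, since the text states that losing the only copy means losing access to the data. Smaller points: "its possible" should be "it's possible", "(i.e. a USB stick)" should be "(e.g. a USB stick)", "we'll setup a keydisk" should be "we'll set up a keydisk", and the introduction suggests a USB stick while the example calls sd1 a SATA drive.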

Re: add keydisk to FDE FAQ

Theo Buehler-3
On Thu, Oct 12, 2017 at 11:39:22AM -0700, Scott Bonds wrote:
> Here's a patch to add instructions for using a keydisk to the FAQ, as
> promised: https://marc.info/?l=openbsd-bugs&m=150776298218879&w=2
>
> I tried refactoring to reduce the redundancy between the passphrase and
> keydisk methods in the FAQ, but it came out more difficult to read, so I
> went with being clearer but more verbose.

Thanks, but I'm sorry, I don't think this is the way to go: it is far
too long and repeats too many things verbatim from the password-based
FDE section.

If we are going to include a keydisk-based softraid section in the FAQ,
it should be very short and essentially only explain the few steps that
are different from the password-based case: how do I set up a keydisk
and perhaps show the bioctl command with its output.

Re: add keydisk to FDE FAQ

quisquous
> Thanks, but I'm sorry, I don't think this is the way to go: it is far
> too long and repeats too many things verbatim from the password-based
> FDE section.

> If we are going to include a keydisk-based softraid section in the FAQ,
> it should be very short and essentially only explain the few steps that
> are different from the password-based case: how do I set up a keydisk
> and perhaps show the bioctl command with its output.

Thanks for the feedback. I had a feeling you might say that. Here's a
shorter version:

diff --git faq14.html faq14.html
index 545083781..03a42e9d4 100644
--- faq14.html
+++ faq14.html
@@ -749,6 +749,30 @@ Which disk is the root disk? ('?' for details) [sd0] <b>sd1</b>
 You will be prompted for the passphrase on startup, but all other operations
 should be handled transparently.
 
+<h4 id="softraidFDEkeydisk">Using a Keydisk</h4>
+
+As an alternative to using a passphrase, its possible to use a key stored on a
+separate disk (i.e. a USB stick) to unlock your encrypted disk. To create a
+"keydisk" first use fdisk on your keydisk device to make room for the boot
+blocks, then create a small (i.e. 1 MB) RAID partition for the key data.
+
+When its time to encrypt your hard drive in the above example, use the -k
+option to specify where to put the key data. If your keydisk is <tt>sd1</tt>
+and the drive you want to encrypt is <tt>sd0</tt>, the output will look
+something like this:
+
+<blockquote><pre>
+# <b>bioctl -c C -k sd1a -l sd0a softraid0</b>
+sd2 at scsibus3 targ 1 lun 0: &lt;OPENBSD, SR CRYPTO, 005&gt; SCSI2 0/direct fixed
+sd2: 19445MB, 512 bytes/sector, 39824607 sectors
+softraid0: CRYPTO volume attached as sd2
+</pre></blockquote>
+
+You won't be prompted to enter a passphrase because you used a keydisk instead.
+Make sure your keydisk is plugged in at startup, or you'll see error messages
+and be unable to boot. If you lose your keydisk or it gets corrupted, you will
+lose access to your encrypted disk.
+
 <h3 id="softraidCrypto">Encrypting external disks</h3>
 
 This section explains how you might set up a cryptographic softraid volume
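
Review bot: The first added paragraph tells the reader to run fdisk and create a RAID partition on the keydisk but no longer mentions creating the device nodes. The longer version of this patch noted that the installer does not have many device nodes by default and ran "cd /dev && sh MAKEDEV sd1 sd2" first, so a reader following this text in the installer shell may find sd1 and sd2 missing. Suggest keeping that one command, and naming disklabel as the tool for the RAID partition so the step can be looked up. Also, "its possible" and "When its time" should read "it's", and both uses of "i.e." introduce examples and should be "e.g.". The closing warning could also say that anyone holding the keydisk can unlock the disk, since the text states no passphrase is asked for.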