Install OpenBSD on dedibox with full-disk encryption

Step #0: choosing your server
OpenBSD is not officially supported, so I can’t guarantee that this will work for you on any kind of server online.net provides; however, I’ve been running https://poolp.org on OpenBSD there since 2008, only switching machines as they were getting a bit old and new offers came up.

Currently, I’m running two SC 2016 (SATA) and one XC 2016 (SSD) boxes, all three running OpenBSD reliably ever since I installed them.

Recently I’ve been wanting to reinstall the XC one after some experiments turned it into a FrankenBSD, so this was the right occasion to document how I do it for future reference.

I wrote a similar article a few years ago relying on qemu to install to the disk; since then, online.net has provided access to a virtual serial console within the browser, making it much more convenient to install without the qemu indirection, which hid the NIC devices and disk DUIDs and required tricks.

The method I currently use is a mix and adaptation of the technique described in https://www.2f30.org/guides/openbsd-dedibox.html to boot the installer, and the technique described in https://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption.html to set up the crypto slice.

Step #1: boot to rescue mode
The web console has a rescue mode which essentially boots the server on a system running in RAM.

This usually allows you to unfuck a broken system by booting a Linux or FreeBSD system, mounting the disks, making the appropriate changes to them, then rebooting back into the original system.

We will actually make use of this rescue mode to write an OpenBSD boot disk image at the beginning of the real disk, allowing us to reboot the server right into the OpenBSD installer.
laptop$ ssh [email protected]
[...]
[email protected]:~$ wget https://ftp.fr.openbsd.org/pub/OpenBSD/6.2/amd64/miniroot62.fs
[...]
[email protected]:~$ sudo dd if=miniroot62.fs of=/dev/sda
[sudo] password for gilles:
9600+0 records in
9600+0 records out
4915200 bytes (4,9 MB, 4,7 MiB) copied, 0,116668 s, 42,1 MB/s
[email protected]:~$
You can then reboot back to normal mode and activate the serial console from the web console.
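The fetch-and-dd step above, as an added example that is not part of the original post: it checks the miniroot image against the SHA256 list published in the same release directory before writing it, and refuses to dd over a device that still has something mounted from it. The mirror URL, image name and /dev/sda are the values used above; the fallback digest tools are assumptions about what the rescue system ships. Note that the SHA256 list only catches a corrupted download; authenticity comes from checking SHA256.sig with signify(1) and the release key, which the Linux rescue image does not provide unless you bring signify along.

```shell
#!/bin/sh
# Added example, not from the original post: fetch the miniroot image in the
# rescue system, check it against OpenBSD's SHA256 list, then dd it to the disk.
set -u

# Values from the post; override via the environment if your mirror differs.
MIRROR=${MIRROR:-https://ftp.fr.openbsd.org/pub/OpenBSD/6.2/amd64}
IMAGE=${IMAGE:-miniroot62.fs}

# sha256_of FILE -> hex digest, using whichever tool the rescue system has
# (sha256sum on the Linux rescue, sha256 on OpenBSD, openssl as a last resort).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# expected_sha256 NAME LISTFILE -> digest recorded for NAME in the SHA256
# list, whose lines look like:  SHA256 (miniroot62.fs) = <hex>
expected_sha256() {
    awk -v name="($1)" '$1 == "SHA256" && $2 == name { print $4; exit }' "$2"
}

# verify_image FILE LISTFILE -> 0 only if FILE's digest matches its list entry.
verify_image() {
    want=$(expected_sha256 "$(basename "$1")" "$2")
    got=$(sha256_of "$1")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# write_miniroot FILE DEVICE -> dd the image to the start of DEVICE, refusing
# to touch a device that currently has a partition mounted (Linux /proc/mounts).
write_miniroot() {
    if grep -qs "^$2" /proc/mounts; then
        echo "refusing: $2 has mounted partitions" >&2
        return 1
    fi
    dd if="$1" of="$2" bs=512 && sync
}

# Usage in the rescue system (as root via sudo):
#   wget "$MIRROR/$IMAGE" "$MIRROR/SHA256"
#   verify_image "$IMAGE" SHA256 && write_miniroot "$IMAGE" /dev/sda
```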

Step #2: boot to the installer
On the serial console, you will be greeted by the bootloader prompt. For some reason, every couple of seconds a keystroke gets triggered by the interface, causing an ‘n’ character to be inserted. It takes a bit of synchronization, but you should be able to set tty to com1, getting rid of the keystroke and allowing proper output to the terminal:
boot> set tty com1
>> OpenBSD/amd64 BOOT 3.33
boot> boot
The bootloader will load a ramdisk kernel and drop you into the installer, which is our next step.

Step #3: prepare softraid
Once the installer is started, drop immediately into a shell:
Welcome to the OpenBSD/amd64 6.2 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s
#
First of all, we need to rewrite the MBR after we messed it up with our miniroot trick:
# fdisk -iy sd0
Writing MBR at offset 0.
#
Then we can enter the disklabel editor to set up a RAID slice and a swap slice, keeping in mind that swap is already encrypted by default on OpenBSD. The RAID slice will be used to set up softraid with the CRYPTO discipline.
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
> p M
OpenBSD area: 64-500103450; size: 244191.1M; free: 244191.1M
# size offset fstype [fsize bsize cpg]
c: 244198.3M 0 unused
> a
partition: [a]
offset: [64]
size: [500103386] 240000M
Rounding size to cylinder (16065 sectors): 491524676
FS type: [4.2BSD] RAID
> a
partition: [b]
offset: [491524740]
size: [8578710]
FS type: [swap]
> w
> q
No label changes.
#
Once this is done, we can use bioctl to set up the encrypted slice:
# bioctl -c C -r auto -l /dev/sd0a softraid0
New passphrase:
Re-type passphrase:
sd1 at scsibus1 targ 1 lun 0: SCSI2 0/direct fixed
sd1: 240002MB, 512 bytes/sector, 491524148 sectors
softraid0: CRYPTO volume attached as sd1
#
At this point, we’re ready to perform a regular install… on sd1, not sd0, beware:
# install
At any prompt except password prompts you can escape to a shell by
typing '!'. Default answers are shown in []'s and are selected by
pressing RETURN. You can exit this program at any time by pressing
Control-C, but this can leave your system in an inconsistent state.

Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') pocs

Available network interfaces are: em0 em1 vlan0.
Which network interface do you wish to configure? (or 'done') [em0]
IPv4 address for em0? (or 'dhcp' or 'none') [dhcp]
em0: DHCPDISCOVER - interval 1
em0: DHCPOFFER from 163.172.61.1 (00:81:c4:f6:e9:17)
em0: DHCPREQUEST to 255.255.255.255
em0: DHCPACK from 163.172.61.1 (00:81:c4:f6:e9:17)
em0: bound to 163.172.61.249 -- renewal in 2147483647 seconds
IPv6 address for em0? (or 'autoconf' or 'none') [none]
Available network interfaces are: em0 em1 vlan0.
Which network interface do you wish to configure? (or 'done') [done]
Default IPv4 route? (IPv4 address or none) [163.172.61.1]
add net default: gateway 163.172.61.1
Using DNS domainname online.net
Using DNS nameservers at 62.210.16.6 62.210.16.7

Password for root account? (will not echo)
Password for root account? (again)
Start sshd(8) by default? [yes]
Change the default console to com1? [yes]
Available speeds are: 9600 19200 38400 57600 115200.
Which speed should com1 use? (or 'done') [9600]
Setup a user? (enter a lower-case loginname, or 'no') [no] gilles
Full name for user gilles? [gilles]
Password for user gilles? (will not echo)
Password for user gilles? (again)
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? (yes, no, prohibit-password) [no]
What timezone are you in? ('?' for list) [Europe/Paris]
I insist again, you want to write to the new softraid-backed disk:
Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0] sd1
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]
Setting OpenBSD MBR partition to whole sd1...done.
The auto-allocated layout for sd1 is:
# size offset fstype [fsize bsize cpg]
a: 1.0G 64 4.2BSD 2048 16384 1 # /
b: 16.2G 2097216 swap
c: 234.4G 0 unused
d: 4.0G 36067392 4.2BSD 2048 16384 1 # /tmp
e: 29.5G 44455968 4.2BSD 2048 16384 1 # /var
f: 2.0G 106342848 4.2BSD 2048 16384 1 # /usr
g: 1.0G 110537152 4.2BSD 2048 16384 1 # /usr/X11R6
h: 10.0G 112634304 4.2BSD 2048 16384 1 # /usr/local
i: 2.0G 133605824 4.2BSD 2048 16384 1 # /usr/src
j: 6.0G 137800128 4.2BSD 2048 16384 1 # /usr/obj
k: 162.7G 150383040 4.2BSD 4096 32768 1 # /home
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a]

To keep things simple, I will create a custom layout with only a root slice. Note that this is insecure: unless you know what you’re doing you should avoid it, as a single filesystem exposes your system to denial of service (anything that fills a directory fills /).

The swap slice is redundant with the one we already created alongside the RAID slice on sd0, so the options are either to stick with the auto layout or to create a similar custom layout without swap.

At the very least, you want to isolate / from /tmp, /var, /usr and /home; isolating /usr/local as well is not a bad idea.
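The mistake this step warns about twice (installing onto sd0 instead of the softraid volume sd1) is easy to check once the system is up. The following is an added example, not code from the original post: it parses `bioctl softraid0`, `mount` and `sysctl vm.swapencrypt.enable` output to confirm that / lives on the CRYPTO volume and that swap encryption is on. The samples embedded below are constructed to mirror the devices in the transcript above; on the real box you pass the live command output instead.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that "/" sits on the
# softraid CRYPTO volume rather than on the raw disk, and that swap is encrypted.

# Constructed sample of `bioctl softraid0` for the layout in this post.
SAMPLE_BIOCTL='Volume      Status               Size Device
softraid0 0 Online       251660363776 sd1     CRYPTO
          0 Online       251660363776 0:0.0   noencl <sd0a>'

# Constructed samples of `mount`: the wanted outcome, and the mistake the
# post warns about (root filesystem on the unencrypted sd0).
SAMPLE_MOUNT_OK='/dev/sd1a on / type ffs (local)
/dev/sd1k on /home type ffs (local, nodev, nosuid)'
SAMPLE_MOUNT_BAD='/dev/sd0a on / type ffs (local)'

# Constructed sample of `sysctl vm.swapencrypt.enable`.
SAMPLE_SWAPENC='vm.swapencrypt.enable=1'

# crypto_volume BIOCTL_OUTPUT -> device name of the CRYPTO volume, if any.
crypto_volume() {
    printf '%s\n' "$1" | awk '$NF == "CRYPTO" { print $(NF-1); exit }'
}

# root_device MOUNT_OUTPUT -> disk (partition letter stripped) backing "/".
root_device() {
    printf '%s\n' "$1" | awk '$3 == "/" {
        sub("^/dev/", "", $1); sub("[a-p]$", "", $1); print $1; exit }'
}

# root_is_encrypted BIOCTL_OUTPUT MOUNT_OUTPUT -> 0 when "/" is on the CRYPTO volume.
root_is_encrypted() {
    vol=$(crypto_volume "$1")
    [ -n "$vol" ] && [ "$vol" = "$(root_device "$2")" ]
}

# swap_encrypted SYSCTL_OUTPUT -> 0 when vm.swapencrypt.enable=1.
swap_encrypted() {
    [ "${1#vm.swapencrypt.enable=}" = "1" ]
}

# Usage on the installed system (bioctl needs root, hence doas):
#   root_is_encrypted "$(doas bioctl softraid0)" "$(mount)" &&
#   swap_encrypted "$(sysctl vm.swapencrypt.enable)" && echo "root and swap encrypted"
```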

Step #4: reboot to encrypted OpenBSD system
The root slice being encrypted, you’ll need to type your password every time you reboot.

Connect to the serial console; you should see the boot prompt asking for a passphrase. The ‘n’ glitch is still around, so either break out of the passphrase prompt by pressing enter so you can do the ‘set tty com1’ trick, or do as I do and synchronize with the ‘n’ keystroke, delete it and type the passphrase really fast.

Bonus: further tightening your system
These are the few steps I immediately take to tighten up my systems further:

enable doas
The ‘gilles’ account I created at install is part of the ‘wheel’ group, which turns out to be exactly what the example doas.conf allows:
$ su
Password:
# cat /etc/examples/doas.conf |tail -1
permit keepenv :wheel
# cp /etc/examples/doas.conf /etc
# exit
$ doas sh
doas ([email protected]) password:
#
disable the root account
Now that ‘gilles’ can use doas, we no longer ever need to authenticate as root, so disable it by setting the password to ‘*’. This prevents ‘root’ from being used directly or through su, yet if really needed ‘gilles’ can still ‘doas su’ to obtain a shell running as user ‘root’:
# usermod -p'*' root
#


update system with syspatch
The brand new system may require some patches to be applied; the syspatch command, written by [email protected], applies binary patches to the system and then causes the kernel to be relinked using the KARL mechanism, which shuffles the order of the kernel objects.

add my ssh public key to my ~/.ssh/authorized_keys
Passwords for SSH access are bad; copy the SSH public key generated on my laptop with ssh-keygen to the authorized_keys file of my account on the server:

disable password authentication within ssh
No reason to allow PasswordAuthentication anymore: disable it in sshd_config and restart sshd.
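The two SSH steps above (adding the public key, disabling password authentication) as an added example that is not part of the original post, written as idempotent functions so they can be re-run and checked on a copy of sshd_config before sshd is restarted. The file name harden.sh in the usage comment and the key text are assumptions/placeholders. One caveat the post does not mention: on OpenBSD, keyboard-interactive authentication (ChallengeResponseAuthentication, on by default) goes through bsdauth and still accepts the account password, so it has to be turned off together with PasswordAuthentication for password logins to really be gone.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent helpers for the
# "add my ssh public key" and "disable password authentication" steps.

# set_sshd_option FILE KEY VALUE: set KEY in the global section of sshd_config.
# The first active or commented-out occurrence is replaced and later duplicates
# dropped (sshd honours the first value anyway); if KEY is absent it is inserted
# before the first Match block so it stays global. Match blocks are left alone.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        function emit() { if (!done) { print k " " v; done = 1 } }
        in_match                        { print; next }
        tolower($1) == "match"          { emit(); in_match = 1; print; next }
        tolower($1) == tolower(k) ||
        tolower($1) == ("#" tolower(k)) { emit(); next }
                                        { print }
        END                             { emit() }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_sshd_option FILE KEY: print the effective global value of KEY.
get_sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# harden_sshd FILE: no more password logins. ChallengeResponseAuthentication
# must go too, since on OpenBSD it accepts the password via bsdauth.
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
}

# install_authorized_key HOME PUBKEY: append PUBKEY once, with permissions that
# StrictModes accepts (sshd rejects key files or directories writable by others).
install_authorized_key() {
    home=$1 key=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Usage on the freshly installed box (key text pasted from the laptop's
# ~/.ssh/id_ed25519.pub; the key shown is a constructed placeholder):
#   install_authorized_key /home/gilles "ssh-ed25519 AAAA...placeholder gilles@laptop"
#   doas sh -c ". ./harden.sh; harden_sshd /etc/ssh/sshd_config"
#   doas sshd -t && doas rcctl restart sshd    # validate the config before restarting
```

Keep an existing session open while doing this: if `sshd -t` or the restart goes wrong, the serial console is your only other way in.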

reboot so you boot on a brand new up-to-date system with latest stable kernel
# reboot
syncing disks... done
sd1 detached
rebooting...
[...]
Using drive 0, partition 3.
Loading......
probing: pc0 com0 com1 mem[632K 2009M 14336M a20=on]
disk: hd0+ sr0*
>> OpenBSD/amd64 BOOT 3.33
Passphrase:
boot> set tty com1
>> OpenBSD/amd64 BOOT 3.33
boot> boot
Passphrase:
[...]

OpenBSD/amd64 (pocs.online.net) (tty01)

login:
Password:


Comments: https://github.com/poolpOrg/poolpOrg.github.io/issues/3

via poolp.org
