File: [local] / www / faq / faq14.html (download) (as text)
Revision 1.404, Wed Apr 3 19:59:04 2024 UTC (8 weeks, 2 days ago) by tj
Branch: MAIN
CVS Tags: HEAD
Changes since 1.403: +1 -1 lines
7.5 updates
|
<!doctype html>
<html lang=en id=faq>
<!-- If you make edits to any FAQ documents, please start each sentence
on a new line, and try to keep the general formatting consistent
with the rest of the pages -->
<title>OpenBSD FAQ: Disk Setup</title>
<meta charset=utf-8>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="../openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/faq/faq14.html">
<h2 id=OpenBSD>
<a href="../index.html">
<i>Open</i><b>BSD</b></a>
FAQ - Disk Setup
<small>
<a href="index.html">[FAQ Index]</a>
</small>
</h2>
<hr>
<ul>
<li><a href="#intro" >Disks and Partitions</a>
<li><a href="#fdisk" >Using fdisk</a>
<li><a href="#disklabel" >Disk Labels</a>
<li><a href="#BootAmd64" >The amd64 Boot Process</a>
<li><a href="#altroot" >Root Partition Backup (/altroot)</a>
<li><a href="#DupFS" >Duplicating Filesystems</a>
<li><a href="#Quotas" >Disk Quotas</a>
<li><a href="#foreignfs" >Accessing Other Filesystems</a>
<li><a href="#MountImage" >Mounting Disk Images</a>
<li><a href="#GrowPartition" >Growing Disk Partitions</a>
<li><a href="#softraid" >RAID and Disk Encryption</a>
<ul>
<li><a href="#softraidDI" >Installing to a Mirror</a>
<li><a href="#softraidFDE" >Full Disk Encryption</a>
<li><a href="#softraidCrypto">Encrypting External Disks</a>
</ul>
</ul>
<hr>
<h2 id="intro">Disks and Partitions</h2>
The details of setting up disks in OpenBSD vary between
<a href="../plat.html">platforms</a>, so you should read the instructions in
your platform's <code>INSTALL.<arch></code> file.
<h3>Drive Identification</h3>
On most platforms, OpenBSD handles mass storage with two drivers:
<ul>
<li><a href="https://man.openbsd.org/wd">wd(4)</a>:
IDE-like disks: IDE, SATA, MFM or ESDI disks, or a flash device, attached to
a <a href="https://man.openbsd.org/wdc">wdc(4)</a> or a
<a href="https://man.openbsd.org/pciide">pciide(4)</a> interface.
<li><a href="https://man.openbsd.org/sd">sd(4)</a>:
SCSI-like disks: Devices that utilize SCSI commands, USB disks, SATA disks
attached to an <a href="https://man.openbsd.org/ahci">ahci(4)</a> interface,
and disk arrays attached to a RAID controller.
</ul>
The devices are numbered by the order in which they are detected at boot time,
starting at zero.
So, the first IDE-like disk will be <code>wd0</code> and the third SCSI-like
disk will be <code>sd2</code>.
Note that OpenBSD will not necessarily number drives in the same order as your
boot ROM.
<h3>Partitions and Filesystems</h3>
The term "partition" can mean two different things in OpenBSD:
<ul>
<li>
<a href="https://man.openbsd.org/disklabel">disklabel(8)</a> partitions,
also called filesystem partitions.
<li>
<a href="https://man.openbsd.org/fdisk">fdisk(8)</a> partitions, sometimes
called Master Boot Record (MBR) partitions.
</ul>
All OpenBSD platforms use the disklabel program as the primary way to manage
filesystem partitions.
On the platforms that use fdisk, one MBR partition is used to hold all of the
OpenBSD filesystems.
This partition can be sliced into 16 disklabel partitions, labeled
<code>a</code> through <code>p</code>.
A few labels are special:
<ul>
<li><code>a</code>:
The boot disk's <code>a</code> partition is your root partition.
<li><code>b</code>:
The boot disk's <code>b</code> partition is usually a swap partition.
<li><code>c</code>:
The <code>c</code> partition is always the entire disk.
</ul>
To create a new filesystem on a disklabel partition, use the
<a href="https://man.openbsd.org/newfs">newfs(8)</a> command:
<pre class="cmdbox">
# <b>newfs sd2a</b>
</pre>
Thus, a device name plus a disklabel identify an OpenBSD filesystem.
For example, the identifier <code>sd2a</code> refers to the filesystem on the
<code>a</code> partition of the third <code>sd</code> device.
Its device files would be <code>/dev/sd2a</code> for the block device and
<code>/dev/rsd2a</code> for the raw (character) device.
Remembering whether a rarely used command needs a block or a character device
is difficult.
Therefore, many commands make use of the
<a href="https://man.openbsd.org/opendev">opendev(3)</a> function, which
automatically expands <code>sd0</code> to <code>/dev/rsd0c</code> or
<code>/dev/sd0c</code> as appropriate.
<h3 id="DUID">Disklabel Unique Identifiers</h3>
Disks are identified by Disklabel Unique Identifiers (DUIDs) in the
<a href="https://man.openbsd.org/fstab">fstab(5)</a> file by default.
DUIDs are 16 hex digit random numbers that are generated when a disklabel is
first created.
They are managed by the
<a href="https://man.openbsd.org/diskmap">diskmap(4)</a> device.
To display the DUIDs of all disks, do:
<pre class="cmdbox">
$ <b>sysctl hw.disknames</b>
hw.disknames=wd0:bfb4775bb8397569,cd0:,wd1:56845c8da732ee7b,wd2:f18e359c8fa2522b
</pre>
You can specify partitions on the disk by appending a period and the partition
letter.
For example, <code>f18e359c8fa2522b.d</code> is the <code>d</code> partition of
the disk
<code>f18e359c8fa2522b</code>
and will always refer to the same chunk of storage, no
matter what order the devices attached to the system, or what kind of interface
it is attached to.
If you put data on <code>wd2d</code>,
then later remove <code>wd1</code> from the system and reboot,
your data is now on <code>wd1d</code>, as your old <code>wd2</code> is now
<code>wd1</code>.
However, a drive's DUID won't change after boot.
<h2 id="fdisk">Using fdisk</h2>
The <a href="https://man.openbsd.org/fdisk">fdisk(8)</a> utility is used on some
platforms (i386, amd64 and macppc) to create a partition recognized by the
system boot ROM.
Normally, only one OpenBSD fdisk partition will be placed on a disk and that
partition will then be subdivided into disklabel partitions.
<p>
View your partition table with:
<pre class="cmdbox">
# <b>fdisk sd0</b>
Disk: sd0 geometry: 553/255/63 [8883945 Sectors]
Offset: 0 Signature: 0xAA55
Starting Ending LBA Info:
#: id C H S - C H S [ start: size ]
------------------------------------------------------------------------
0: 12 0 1 1 - 2 254 63 [ 63: 48132 ] Compaq Diag.
1: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
2: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
*3: A6 3 0 1 - 552 254 63 [ 48195: 8835750 ] OpenBSD
</pre>
Here, the OpenBSD partition (id <code>A6</code>) is marked with a <code>*</code>
to indicate that it is the bootable partition.
<p>
A totally blank disk will need to have the master boot record's boot code
written to the disk before it can boot.
Normally, all you need to do is:
<pre class="cmdbox">
# <b>fdisk -iy sd0</b>
</pre>
Alternatively, use the <code>reinit</code> or <code>update</code> commands in
interactive mode.
<p>
The <code>-e</code> flag starts interactive editing mode:
<pre class="cmdbox">
# <b>fdisk -e sd0</b>
Enter 'help' for information
fdisk: 1>
</pre>
Beware that <code>quit</code> saves changes and exits the program, while
<code>exit</code> exits without saving.
This is the opposite of what many people are now used to in other environments.
Note also that fdisk does not warn before saving the changes.
<p>
If your system has a maintenance or diagnostic partition, it is recommended that
you leave it in place or install it <b>before</b> installing OpenBSD.
<h2 id="disklabel">Disk Labels</h2>
Disk labels are used to manage OpenBSD filesystem partitions.
They contain certain details about your disk, such as drive geometry and
filesystem information, as described in depth in the
<a href="https://man.openbsd.org/disklabel.5">disklabel(5)</a> man page.
Use the <a href="https://man.openbsd.org/disklabel">disklabel(8)</a> command
to edit the labels.
<p>
This can help overcome some architectures' disk partitioning limitations.
For example, on i386, there are only four primary MBR partitions available.
With disk labels, one of these primary partitions contains all your OpenBSD
partitions, while the other three are still available for other operating
systems.
<p>
On platforms using fdisk, you should leave the first logical track unused, both
in disklabel and in fdisk.
For this reason, the default is to start the first partition at block 64.
<p>
Don't put swap at the very beginning of your disk on sparc64.
While Solaris often did that, OpenBSD requires the boot partition to be at the
beginning of the disk.
<h3>Recovering Partitions After Deleting the Disk Label</h3>
If you have a damaged partition table, there are various things you can attempt
to do to recover it.
<p>
A copy of the disklabel for each disk is saved in <code>/var/backups</code> as
part of the daily system maintenance.
Assuming you still have the <code>/var</code> partition, you can simply read the
output, and put it back into disklabel with the <code>-R</code> flag.
<p>
In the event that you can no longer see that partition, there are two options:
Fix enough of the disk so you can see it, or fix enough of the disk so that you
can get your data off.
The <a href="https://man.openbsd.org/scan_ffs">scan_ffs(8)</a> utility will look
through a disk to find partitions.
You can use the information it finds to recreate the disklabel.
If you just want <code>/var</code> back, you can recreate the partition for
<code>/var</code>, then recover the backed up label and add the rest from that.
The <a href="https://man.openbsd.org/disklabel">disklabel(8)</a> utility will
both update the kernel's understanding of the disklabel and attempt to write
the label to disk.
Therefore, even if the area of the disk containing the disklabel is unreadable,
you will be able to mount until the next reboot.
<h2 id="BootAmd64">The amd64 Boot Process</h2>
Details on the amd64 bootstrapping procedure are given in the
<a href="https://man.openbsd.org/boot_amd64">boot_amd64(8)</a> man page.
The boot process is as follows:
<ol>
<li>Master Boot Record (MBR) and GUID Partition Table (GPT).
The <a href="https://man.openbsd.org/fdisk">fdisk(8)</a> man page contains
the details.
<li>Partition Boot Record (PBR).
The first 512 bytes of the boot disk's OpenBSD partition contain the first
stage boot loader
<a href="https://man.openbsd.org/biosboot">biosboot(8)</a>.
It is installed by the
<a href="https://man.openbsd.org/installboot">installboot(8)</a> utility.
<li>Second stage boot loader <code>/boot</code>.
The PBR loads the <a href="https://man.openbsd.org/boot.8">boot(8)</a>
program which has the task of locating and loading the kernel.
</ol>
So, the very start of the boot process could look like this:
<pre class="cmdbox">
Using drive 0, partition 3. <b><- MBR</b>
Loading...... <b><- PBR</b>
probing: pc0 com0 com1 mem[638K 1918M a20=on] <b><- /boot</b>
disk: hd0+ hd1+
>> OpenBSD/amd64 BOOT 3.33
boot>
booting hd0a:/bsd 4464500+838332 [58+204240+181750]=0x56cfd0
entry point at 0x100120
[ using 386464 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993 <b><- Kernel</b>
The Regents of the University of California. All rights reserved.
</pre>
<h2 id="altroot">Root Partition Backup (/altroot)</h2>
OpenBSD provides an <code>/altroot</code> facility in the
<a href="https://man.openbsd.org/daily">daily(8)</a> scripts.
If the environment variable <code>ROOTBACKUP=1</code> is set in either
<code>/etc/daily.local</code> or root's
<a href="https://man.openbsd.org/crontab.5">crontab(5)</a>,
and a partition is specified in
<a href="https://man.openbsd.org/fstab">fstab(5)</a>
as mounting to <code>/altroot</code> with the mount options of <code>xx</code>,
every night the entire contents of the root partition will be duplicated to the
<code>/altroot</code> partition.
<p>
Assuming you want to back up your root partition to the partition specified
by the <a href="faq14.html#DUID">DUID</a> <code>bfb4775bb8397569.a</code>,
add the following to <code>/etc/fstab</code>
<pre class="cmdbox">
bfb4775bb8397569.a /altroot ffs xx 0 0
</pre>
and set the appropriate environment variable in <code>/etc/daily.local</code>:
<pre class="cmdbox">
# <b>echo ROOTBACKUP=1 >>/etc/daily.local</b>
</pre>
As the <code>/altroot</code> process will capture your <code>/etc</code>
directory,
this will make sure any configuration changes there are updated daily.
This is a "disk image" copy done with
<a href="https://man.openbsd.org/dd">dd(1)</a>
not a file-by-file copy, so your <code>/altroot</code> partition should be at
least the same size as your root partition.
Generally, you will want your <code>/altroot</code> partition to be on a
different disk that has been configured to be fully bootable should the primary
disk fail.
<h2 id="DupFS">Duplicating Filesystems</h2>
To duplicate everything under directory <code>/SRC</code> to directory
<code>/DST</code> with <a href="https://man.openbsd.org/dump">dump(8)</a> and
<a href="https://man.openbsd.org/restore">restore(8)</a>, do:
<pre class="cmdbox">
# <b>cd /SRC && dump 0f - . | (cd /DST && restore -rf - )</b>
</pre>
or use <a href="https://man.openbsd.org/tar">tar(1)</a>:
<pre class="cmdbox">
# <b>cd /SRC && tar cf - . | (cd /DST && tar xpf - )</b>
</pre>
<h2 id="Quotas">Disk Quotas</h2>
Quotas are used to place limits on the amount of disk space available to certain
users and groups.
<p>
Use the keywords <code>userquota</code> and <code>groupquota</code> to mark each
filesystem in <a href="https://man.openbsd.org/fstab">fstab(5)</a> on which you
want to enforce quotas.
By default, the files <code>quota.user</code> and <code>quota.group</code> will
be created at the root of those filesystems.
Here is an example <code>/etc/fstab</code> line:
<pre class="cmdbox">
0123456789abcdef.k /home ffs rw,nodev,nosuid,userquota 1 2
</pre>
To set the users' quotas, use
<a href="https://man.openbsd.org/edquota">edquota(8)</a>.
For example, issue
<pre class="cmdbox">
# <b>edquota ericj</b>
</pre>
and edit the soft and hard limits:
<pre class="cmdbox">
Quotas for user ericj:
/home: KBytes in use: 62, limits (soft = <b>1000000</b>, hard = <b>1500000</b>)
inodes in use: 25, limits (soft = <b>0</b>, hard = <b>0</b>)
</pre>
In this example, the soft limit is set to 1000000k, and the hard limit is set to
1500000k.
No limits on the number of inodes will be enforced, since the corresponding soft
and hard limits are set to 0.
Users who exceed their soft limit are warned and are given a grace period to get
their disk usage below their limits.
Grace periods can be set by using the <code>-t</code> option on
<a href="https://man.openbsd.org/edquota">edquota(8)</a>.
After the grace period is over, the soft limit is handled as a hard limit.
This usually results in an allocation failure.
<p>
Use <a href="https://man.openbsd.org/quotaon">quotaon(8)</a> to enable quotas:
<pre class="cmdbox">
# <b>quotaon -a</b>
</pre>
This will scan through <a href="https://man.openbsd.org/fstab">fstab(5)</a> and
enable quotas on the filesystems with quota options.
View quota statistics with <a href="https://man.openbsd.org/quota">quota(1)</a>.
<h2 id="foreignfs">Accessing Other Filesystems</h2>
Start with the <a href="https://man.openbsd.org/mount">mount(8)</a>
manual, which contains examples explaining how to mount some of the
most commonly used filesystems.
A partial list of
<a href="https://man.openbsd.org/?query=mount_&sec=8&apropos=1">
supported filesystems</a> and related commands can be obtained with:
<pre class="cmdbox">
$ <b>man -k -s 8 mount</b>
</pre>
Note that support may be limited to read-only operation.
<h2 id="MountImage">Mounting Disk Images</h2>
To mount a disk image in OpenBSD you must configure a
<a href="https://man.openbsd.org/vnd">vnd(4)</a> device.
For example, if you have an ISO image located at <code>/tmp/ISO.image</code>,
you would take the following steps to mount the image.
<pre class="cmdbox">
# <b>vnconfig vnd0 /tmp/ISO.image</b>
# <b>mount -t cd9660 /dev/vnd0c /mnt</b>
</pre>
Since this is an ISO 9660 image, as used by CDs and DVDs, you must specify
type of <code>cd9660</code> when mounting it.
<p>
To unmount the image and unconfigure the
<a href="https://man.openbsd.org/vnd">vnd(4)</a> device, do:
<pre class="cmdbox">
# <b>umount /mnt</b>
# <b>vnconfig -u vnd0</b>
</pre>
For more information, refer to
<a href="https://man.openbsd.org/vnconfig">vnconfig(8)</a>
and <a href="https://man.openbsd.org/mount">mount(8)</a>.
<h2 id="GrowPartition">Growing Disk Partitions</h2>
If an existing partition is followed by unallocated free space, you may
increase its size using the
<a href="https://man.openbsd.org/growfs">growfs(8)</a> utility.
Make sure the partition is not currently mounted.
Edit your partition table interactively with <code>disklabel -E sd0</code>
and modify the size of the partition using the <code>m</code> command.
Adjust the filesystem to use the entire partition with
<a href="https://man.openbsd.org/growfs">growfs(8)</a>:
<pre class="cmdbox">
# <b>growfs sd0h</b>
</pre>
Before the partition can be mounted again, its integrity must be checked
with <a href="https://man.openbsd.org/fsck">fsck(8)</a>:
<pre class="cmdbox">
# <b>fsck /dev/sd0h</b>
</pre>
<h2 id="softraid">RAID and Disk Encryption</h2>
The <a href="https://man.openbsd.org/bioctl">bioctl(8)</a> command
manages both hardware and software RAID devices via the
<a href="https://man.openbsd.org/bio">bio(4)</a> layer.
The <a href="https://man.openbsd.org/softraid">softraid(4)</a> subsystem
allows combining several OpenBSD
<a href="https://man.openbsd.org/disklabel">disklabel(8)</a>
partitions into a virtual <a href="https://man.openbsd.org/sd">sd(4)</a> disk.
This virtual disk is treated as any other disk.
<p>
<!-- XXXrelease - update if raid booting capabilities change -->
Supported softraid disciplines include the following:
<table class="zebra">
<thead>
<tr>
<th>Level
<th>Description
<th>Bootable on
</thead>
<tr>
<td>RAID0
<td>striping
<td>---
<tr>
<td>RAID1
<td>mirroring
<td>amd64, arm64, i386, riscv64, sparc64
<tr>
<td>RAID1C
<td>mirroring with disk encryption
<td>amd64, arm64, riscv64, sparc64
<tr>
<td>RAID5
<td>striping with floating parity
<td>---
<tr>
<td>CONCAT
<td>concatenating with no redundancy
<td>---
<tr>
<td>CRYPTO
<td>disk encryption
<td>amd64, arm64, i386, riscv64, sparc64
</table>
<p>
Disk setup may vary from platform to platform.
Note that "stacking" softraid modes is <b>not supported</b> at this time.
<h3 id="softraidDI">Installing to a Mirror</h3>
This section covers installing OpenBSD to a mirrored pair of hard drives,
and assumes familiarity with the <a href="faq4.html">installation process</a>.
<p>
Before using the install script, you will drop to a shell and set up a
<a href="https://man.openbsd.org/softraid">softraid(4)</a> device.
<p>
The install kernel only has a limited number of <code>/dev</code> entries
on boot, so you will need to manually create the required disk devices for
your softraid setup.
For example, if you need to support three
<a href="https://man.openbsd.org/sd">sd(4)</a> devices, the following could
be done from the shell prompt:
<pre class="cmdbox">
Welcome to the OpenBSD/amd64 7.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? <b>s</b>
# <b>cd /dev</b>
# <b>sh MAKEDEV sd0 sd1 sd2</b>
</pre>
The installer would now have full support for the <code>sd0</code>,
<code>sd1</code> and <code>sd2</code> devices.
If the <a href="faq4.html#FilesNeeded">sets</a> are to be installed from
a USB drive, don't forget to take that device into account too.
<p>
Next, initialize the disks with
<a href="https://man.openbsd.org/fdisk">fdisk(8)</a> and create RAID partitions
with <a href="https://man.openbsd.org/disklabel">disklabel(8)</a>.
<p>
If you're booting from MBR, do:
<pre class="cmdbox">
# <b>fdisk -iy sd0</b>
# <b>fdisk -iy sd1</b>
</pre>
If you use GPT for UEFI booting, do:
<pre class="cmdbox">
# <b>fdisk -gy -b 532480 sd0</b>
# <b>fdisk -gy -b 532480 sd1</b>
</pre>
Create the partition layout on the first device:
<pre class="cmdbox">
# <b>disklabel -E sd0</b>
Label editor (enter '?' for help at any prompt)
sd0> <b>a a</b>
offset: [64]
size: [39825135] <b>*</b>
FS type: [4.2BSD] <b>RAID</b>
sd0*> <b>w</b>
sd0> <b>q</b>
No label changes.
</pre>
Copy the partition layout to the second device:
<pre class="cmdbox">
# <b>disklabel sd0 > layout</b>
# <b>disklabel -R sd1 layout</b>
# <b>rm layout</b>
</pre>
Assemble the mirror with the
<a href="https://man.openbsd.org/bioctl">bioctl(8)</a> command:
<pre class="cmdbox">
# <b>bioctl -c 1 -l sd0a,sd1a softraid0</b>
scsibus1 at softraid0: 1 targets
sd2 at scsibus2 targ 0 lun 0: <OPENBSD, SR RAID 1, 005> SCSI2 0/direct fixed
sd2: 10244MB, 512 bytes/sec, 20980362 sec total
</pre>
This shows that we now have a new SCSI bus and a new disk, <code>sd2</code>.
This volume will be automatically detected and assembled when the system boots.
<p>
Even if you create multiple RAID arrays, the device name will always be
<code>softraid0</code>.
<p>
Because the new device probably has a lot of garbage where you expect
a master boot record and disklabel, zeroing the first chunk of it is
highly recommended.
Be <b>very careful</b> with this command; issuing it on the wrong device
could lead to a very bad day.
This assumes that the new softraid device was created as <code>sd2</code>.
<pre class="cmdbox">
# <b>dd if=/dev/zero of=/dev/rsd2c bs=1m count=1</b>
</pre>
You are now ready to install OpenBSD on your system.
Create all the partitions on your new softraid disk (<code>sd2</code> in the
example here) that should be there, rather than on <code>sd0</code> or
<code>sd1</code> (the non-RAID disks).
<p>
To check on the status of the mirror, issue the following command:
<pre class="cmdbox">
# <b>bioctl sd2</b>
</pre>
A nightly cron job to check the status might be a good idea.
<h4>Rebuilding a Mirror</h4>
When a drive failure happens, you will replace the failed drive, create the
RAID and other disklabel partitions, then rebuild the mirror.
Assuming your RAID volume is <code>sd2</code> and you are replacing the
failed device with <code>sd1m</code>, the following commands should work:
<pre class="cmdbox">
# <b>bioctl -R /dev/sd1m sd2</b>
</pre>
This can also be performed in
<a href="faq10.html#LostPW">single user mode</a>
or from the <a href="faq4.html#bsd.rd">ramdisk kernel</a>.
<h3 id="softraidFDE">Full Disk Encryption</h3>
Much like RAID, full disk encryption in OpenBSD is handled by the
<a href="https://man.openbsd.org/softraid">softraid(4)</a> subsystem and
<a href="https://man.openbsd.org/bioctl">bioctl(8)</a> command.
The OpenBSD installer provides a way to install to a fully encrypted disk,
using a passphrase to unlock it.
<p>
As an alternative to using a passphrase, it's also possible to use a key
stored on a separate device (e.g. a USB stick) to encrypt disks.
<p>
At the <code>(S)hell</code> prompt in the installer, initialize the keydisk
with <a href="https://man.openbsd.org/fdisk">fdisk(8)</a>, then use
<a href="https://man.openbsd.org/disklabel">disklabel(8)</a>
to create a 1 MB RAID partition for the key data.
If your keydisk is <code>sd1</code> and the drive you want to encrypt is
<code>sd0</code>, the output will look something like this:
<pre class="cmdbox">
# <b>bioctl -c C -k sd1a -l sd0a softraid0</b>
sd2 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 005> SCSI2 0/direct fixed
sd2: 19445MB, 512 bytes/sector, 39824607 sectors
softraid0: CRYPTO volume attached as sd2
</pre>
You won't be prompted to enter a passphrase because you used a keydisk instead.
The keydisk must be inserted at startup time.
<p>
You can back up and restore your keydisk using
<a href="https://man.openbsd.org/dd">dd(1)</a>:
<pre class="cmdbox">
# <b>dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img</b>
# <b>dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd1a</b>
</pre>
<h3 id="softraidCrypto">Encrypting External Disks</h3>
This section explains how to set up a cryptographic softraid volume
for an external USB drive.
An outline of the steps is as follows:
<ul>
<li>Overwrite the drive's contents with random data
<li>Create the desired RAID-type partition with
<a href="https://man.openbsd.org/disklabel">disklabel(8)</a>
<li>Encrypt the drive with
<a href="https://man.openbsd.org/bioctl">bioctl(8)</a>
<li>Zero the first megabyte of the new pseudo-partition
<li>Create a filesystem on the pseudo-device with
<a href="https://man.openbsd.org/newfs">newfs(8)</a>
<li>Unlock and <a href="https://man.openbsd.org/mount">mount(8)</a> the new
pseudo-device
<li>Access the files as needed
<li>Unmount the drive and detach the encrypted container
</ul>
A quick example runthrough of the steps follows, with <code>sd3</code> being
the USB drive.
<pre class="cmdbox">
# <b>dd if=/dev/urandom of=/dev/rsd3c bs=1m</b>
# <b>fdisk -iy sd3</b>
# <b>disklabel -E sd3</b> # make an "a" partition of type RAID
# <b>bioctl -c C -l sd3a softraid0</b>
New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd4
# <b>dd if=/dev/zero of=/dev/rsd4c bs=1m count=1</b>
# <b>fdisk -iy sd4</b>
# <b>disklabel -E sd4</b> # make an "i" partition
# <b>newfs sd4i</b>
# <b>mkdir -p /mnt/secretstuff</b>
# <b>mount /dev/sd4i /mnt/secretstuff</b>
# <b>mv somefile /mnt/secretstuff/</b>
# <b>umount /mnt/secretstuff</b>
# <b>bioctl -d sd4</b>
</pre>
The same <a href="https://man.openbsd.org/bioctl">bioctl(8)</a> command used
to create the volume can be used to attach it later on.
![[BACK]](/icons/back.gif){kind=icon}
Return to faq14.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www / faq