OpenBSD laptops... encrypting /home with vnconfig

Date Written: Oct 30, 2009

This assumes that OpenBSD 4.6 or -current is installed on the laptop and that there is a partition called /big. If you already have a large /home partition with files in it, back them up and rename /home to /big. Be sure to edit /etc/fstab to reflect the rename, and create an empty /home, as we'll need that for a mount point.

-----------------------------------------------------------------------

1. Create a random file that fills /big completely. This step may take a few hours.

   # cd /big && dd if=/dev/arandom of=secure.data

2. Create a salt file and put it in /etc or some other place you are likely to back up often.

   # dd if=/dev/arandom of=/etc/secure.salt count=1

3. Associate the virtual disk (svnd0) with the random file (secure.data) and specify a strong passphrase when prompted. NUMBER is the number of key-derivation rounds (-K); you must remember it.

   # vnconfig -v -c -K NUMBER -S /etc/secure.salt svnd0 /big/secure.data

4. Label the new virtual disk and run newfs on it.

   # disklabel -E svnd0 (create one large partition, nothing more)
   # newfs /dev/rsvnd0a

5. Finally, mount the partition on /home; you now have an encrypted /home to copy your files back into.

   # mount /dev/svnd0a /home

-----------------------------------------------------------------------

* With normal use, to mount the encrypted virtual disk do this as root:

   # vnconfig -v -c -K NUMBER -S /etc/secure.salt svnd0 /big/secure.data
   # mount /dev/svnd0a /home

* To unmount, do this:

   # umount /home
   # vnconfig -v -u svnd0

-----------------------------------------------------------------------

To automate this at boot time and shutdown, add the mount commands above to the end of /etc/rc.local and the unmount commands to the end of /etc/rc.shutdown. You'll then be prompted for your passphrase at each boot, and at shutdown the encrypted virtual disk will be cleanly unmounted automatically. If for some reason the virtual disk does not cleanly unmount (e.g. the battery dies), you may need to run fsck on it as root at the next boot: after attaching the virtual disk with vnconfig, run fsck /dev/svnd0a before mounting the filesystem.

-----------------------------------------------------------------------

* Notes

The algorithm is Blowfish: it's proven, free and fast. Be sure to back up the salt file. You can copy the random file (secure.data) and mount it on other OpenBSD computers provided you have the salt file (secure.salt) and you recall the number of rounds used (-K). Some people claim they notice a slow-down after encryption, but I cannot tell a difference.

In order to decrypt, you need:

* To know the number of rounds used.
* To know the passphrase.
* To possess the salt file.

Copyright 2009 Brad Tilley brad@16systems.com
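The following helper is an added example, not part of the original page, for the rc.local / rc.shutdown automation described above. Rather than pasting the bare vnconfig and mount lines into the rc scripts, it checks the prerequisites the text lists (image file, salt file, a numeric -K round count, an existing mount point) before touching the device, optionally runs fsck on the raw device after an unclean shutdown and before mounting, and detaches in the right order. The SECURE_* variable names, the DRY_RUN and SECURE_FSCK switches and the `run` wrapper are assumptions made for this example; the paths, the svnd0 device and the NUMBER placeholder mirror the page.

```sh
#!/bin/sh
# Added example: wrapper around the vnconfig/mount steps from the page.
# Variable names, DRY_RUN and SECURE_FSCK are assumptions for this example.

SECURE_IMAGE=${SECURE_IMAGE:-/big/secure.data}   # random file from step 1
SECURE_SALT=${SECURE_SALT:-/etc/secure.salt}     # salt file from step 2
SECURE_ROUNDS=${SECURE_ROUNDS:-NUMBER}           # replace NUMBER with your -K value
SECURE_DEV=${SECURE_DEV:-svnd0}                  # safe vnd device used on the page
SECURE_MNT=${SECURE_MNT:-/home}                  # mount point
DRY_RUN=${DRY_RUN:-0}                            # 1 = print commands instead of running them

# run: execute a command, or echo it prefixed with "+ " when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# preflight: succeed only if everything needed to attach the disk is present.
preflight() {
    [ -f "$SECURE_IMAGE" ] || { echo "missing image $SECURE_IMAGE" >&2; return 1; }
    [ -f "$SECURE_SALT" ]  || { echo "missing salt $SECURE_SALT (restore it from backup)" >&2; return 1; }
    case "$SECURE_ROUNDS" in
        ''|*[!0-9]*) echo "SECURE_ROUNDS must be the positive integer given to -K" >&2; return 1 ;;
    esac
    [ -d "$SECURE_MNT" ]   || { echo "mount point $SECURE_MNT is not a directory" >&2; return 1; }
    return 0
}

# secure_mount: attach the image to svnd0 (vnconfig prompts for the passphrase),
# fsck the raw device if SECURE_FSCK=1, then mount the filesystem.
secure_mount() {
    preflight || return 1
    run vnconfig -v -c -K "$SECURE_ROUNDS" -S "$SECURE_SALT" "$SECURE_DEV" "$SECURE_IMAGE" || return 1
    if [ "${SECURE_FSCK:-0}" = 1 ]; then
        # after an unclean shutdown: check the raw device before mounting it
        run fsck -p "/dev/r${SECURE_DEV}a" || return 1
    fi
    run mount "/dev/${SECURE_DEV}a" "$SECURE_MNT"
}

# secure_umount: unmount first, then detach the virtual disk.
secure_umount() {
    run umount "$SECURE_MNT" || return 1
    run vnconfig -v -u "$SECURE_DEV"
}

case "${1:-}" in
    mount)  secure_mount ;;
    umount) secure_umount ;;
    *)      echo "usage: $0 mount|umount" >&2 ;;
esac
```

Saved as, say, /usr/local/sbin/securehome, it is called as `securehome mount` from the end of /etc/rc.local and `securehome umount` from the end of /etc/rc.shutdown; after a crash, `SECURE_FSCK=1 securehome mount` runs the fsck step the page mentions before the filesystem is mounted. The preflight checks matter because the three things needed to decrypt (rounds, passphrase, salt file) are exactly what a mis-typed rc.local or a missing salt backup would silently get wrong.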