Full disk encryption on OpenBSD 5.3

Hammer vs. hard drive by Kenn Wilson

Full disk encryption is becoming (it should always have been) more popular. When your laptop gets stolen, a login password is only a minor inconvenience to a hacker trying to steal your identity. Pop in a live CD or USB stick with Knoppix or Backtrack (or in fact basically any Linux distribution) and all your information is there for the attacker to use to steal your identity, impersonate you online and perhaps even empty your bank accounts. By booting not into the installed operating system, but into their own, the computer obeys the attacker and any protection your login password could have offered is irrelevant as the installed operating system isn’t running. If an attacker has physical access to a machine and enough time, it becomes the attacker’s machine, but the data doesn’t have to become that attacker’s data. This is where full disk encryption comes in.

OpenBSD long ago tackled the problem of swap data persisting through reboots by introducing encrypted swap partitions. For swap, the Blowfish cypher is used, as it is strong, fast, with a big key space. Obviously, there’s a small speed penalty but in my opinion, definitely worth it for the added security. Encrypted swap was easier to implement than full disk encryption as swap isn’t actually needed until the system has already booted, or at least, once a considerable part of the system has been loaded. Full disk encryption though requires that the computer is able to boot using encrypted media so all the tools to decrypt the disk must be present in the boot loader. OpenBSD 5.3 is capable of booting from an encrypted disk, but it took a while to get here. For a full technical discussion on the problems see this blog post on Ciphertite.

If you’re looking for instructions on how to set up full disk encryption on OpenBSD 5.3, these are the instructions I used, and I recommend them.

After setting the system up, I realised that I’d had to come up with three (disk encryption, root user and local non-privileged user) secure easy-to-remember-hard-to-guess passwords that to be secure I was going to have to change regularly. Once my OpenPGP card arrives, I’ll be able to replace the root and local non-privileged user passwords with the smartcard and PIN but until then, I’ll have to make sure I can remember them.

Unfortunately, the ability to boot from encrypted media is only present on i386 and amd64 so my SPARC Classic is going to have to settle for an encrypted /home partition. I plan on using it only for the offline generation and storage of crypto keys so this isn’t really a big deal.