Friday July 2 2021

Adding Encrypted OpenBSD to Your Multi Boot Setup

The assumption here is that you have followed along with my previous article, or at least have a similar setup.

This post will require a bit of comfort with command line installers and the ability to read the OpenBSD FAQ thoroughly should anything not make sense.

Partly inspired by Theo’s recent mailing list post.

I just use the flash drive installation medium. Once the installer boots, drop to a shell.

Assuming sd0 is your installation drive, we’re going to utilize fdisk to set up our partition table. The EFI partition is going to be reused, OpenBSD will write the bootloader to EFI/Boot/bootx64.efi, so the BIOS should be able to pick up on it if you boot to the disk itself. ( If not, we can use Linux to add the EFI variable, which I will show in a bit )

# fdisk -e sd0
Enter 'help' for information
sd0: 1> p g
Disk: sd0       Usable LBA: 34 to 976773134 [466 Gigabytes]
GUID: 55555555-5555-5555-5555-555555555555
   #: type                                 [       start:         size ]
      guid                                 name
   0: EFI Sys                              [        2048:            0G]
      18bbfac1-defb-40f0-be48-0accc245283e EFI system partition                
   1: e3c9e316-0b5c-4db8-817d-f92df00215ae [      206848:            0G]
      faa8a0c2-3d5c-455f-b19c-cd4db02eceb1 Microsoft reserved partition        
   2: FAT12                                [      239616:          250G]
   3: Linux files*                         [   524527616:            2G]
   4: Linux LVM                            [   528721920:          150G]
   5: OpenBSD                              [   843294720:           64G]
      7b9447d2-b960-42cd-9055-9da00b515f75 OpenBSD Root                        

If you don’t know what disk is available, dmesg | grep sector may be helpful. If fdisk complains there’s no device available:

cd /dev
sh MAKEDEV <device>

Where <device> is sd0 or so.

Interactive mode isn’t the most intuitive thing, you can add the 5th partition by doing edit 5 and setting the partition type to A6 when you do.

From there we’re going to setup the disklabels on the OpenBSD partition for full disk encryption:

( You should read the OpenBSD FAQ on this as well )

# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a      
offset: [64]
size: [131379488] *
FS type: [4.2BSD] RAID
sd0*> w
sd0> q
No label changes.

Now to setup the encryption device:

bioctl -c C -l sd0a softraid0

You may need to make the device node for sd1 or so as well just as above.

From there run through the OpenBSD installer as normal, instead use sd1 as the root disk. I personally setup only a single filesystem with OpenBSD rather than splitting it up as is recommended:

$ doas disklabel -E sd1
Label editor (enter '?' for help at any prompt)
sd1> p
OpenBSD area: 64-131379570; size: 131379506; free: 18
#                size           offset  fstype [fsize bsize   cpg]
  a:        131379488               64  4.2BSD   2048 16384 12960 # /
  c:        131380735                0  unused                    

Grub / OS Prober breaks on Linux

This may happen to you, this isn’t a big deal as Windows should still have a UEFI entry to boot from, you just won’t see the entry in Grub anymore.

Windows asks for bitlocker recovery key on boot

Just suspend bitlocker for a few seconds and then click resume, should work just fine after a reboot.

OpenBSD doesn’t boot / No Boot entry for the disk

This is easily solved from Linux:

efibootmgr -c -p 1 -d /dev/sda -L OpenBSD -l /EFI/Boot/bootx64.efi

Replace /dev/sda with your disk of course. If for some reason your EFI partition isn’t the first, replace it with the partition number of your EFI partition.

Selecting each operating system can now be easily done from the BIOS boot menu.