Friday July 2 2021
Adding Encrypted OpenBSD to Your Multi Boot Setup
The assumption here is that you have followed along with my previous article, or at least have a similar setup.
This post will require a bit of comfort with command line installers and the ability to read the OpenBSD FAQ thoroughly should anything not make sense.
Partly inspired by Theo’s recent mailing list post.
I just use the flash drive installation medium. Once the installer boots, drop to a shell.
Assuming sd0 is your installation drive, we're going to use fdisk to set up our partition table. The EFI partition is going to be reused; OpenBSD will write the bootloader to EFI/Boot/bootx64.efi, so the BIOS should be able to pick up on it if you boot to the disk itself. (If not, we can use Linux to add the EFI variable, which I will show in a bit.)
# fdisk -e sd0
Enter 'help' for information
sd0: 1> p g
Disk: sd0 Usable LBA: 34 to 976773134 [466 Gigabytes]
GUID: 55555555-5555-5555-5555-555555555555
#: type [ start: size ]
guid name
------------------------------------------------------------------------
0: EFI Sys [ 2048: 0G]
18bbfac1-defb-40f0-be48-0accc245283e EFI system partition
1: e3c9e316-0b5c-4db8-817d-f92df00215ae [ 206848: 0G]
faa8a0c2-3d5c-455f-b19c-cd4db02eceb1 Microsoft reserved partition
2: FAT12 [ 239616: 250G]
3110013b-172c-604c-b839-b9bf7e049b76
3: Linux files* [ 524527616: 2G]
a527d4fb-f0e4-4149-922c-889fd33f86fd
4: Linux LVM [ 528721920: 150G]
4cd0ec04-80f1-be43-8468-55f3f03eb568
5: OpenBSD [ 843294720: 64G]
7b9447d2-b960-42cd-9055-9da00b515f75 OpenBSD Root
If you don't know what disk is available, dmesg | grep sector may be helpful.
If fdisk complains there's no device available:
cd /dev
sh MAKEDEV <device>
Where <device> is sd0 or so.
Interactive mode isn't the most intuitive thing. You can add the 5th partition by doing edit 5 and setting the partition type to A6 when you do.
From there we're going to set up the disklabels on the OpenBSD partition for full disk encryption:
(You should read the OpenBSD FAQ on this as well.)
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
offset: [64]
size: [131379488] *
FS type: [4.2BSD] RAID
sd0*> w
sd0> q
No label changes.
Now to set up the encryption device:
bioctl -c C -l sd0a softraid0
You may need to make the device node for sd1 or so as well, just as above.
From there run through the OpenBSD installer as normal, but use sd1 as the root disk. I personally set up only a single filesystem with OpenBSD rather than splitting it up as is recommended:
$ doas disklabel -E sd1
Label editor (enter '?' for help at any prompt)
sd1> p
OpenBSD area: 64-131379570; size: 131379506; free: 18
# size offset fstype [fsize bsize cpg]
a: 131379488 64 4.2BSD 2048 16384 12960 # /
c: 131380735 0 unused
Grub / OS Prober breaks on Linux
This may happen to you. It isn't a big deal, as Windows should still have a UEFI entry to boot from; you just won't see the entry in Grub anymore.
Windows asks for BitLocker recovery key on boot
Just suspend BitLocker for a few seconds and then click resume; it should work just fine after a reboot.
OpenBSD doesn’t boot / No Boot entry for the disk
This is easily solved from Linux:
efibootmgr -c -p 1 -d /dev/sda -L OpenBSD -l /EFI/Boot/bootx64.efi
Replace /dev/sda with your disk of course. If for some reason your EFI partition isn't the first, replace the 1 in -p 1 with the partition number of your EFI partition.
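As an added example (not from the original post), the helper below finds the EFI System Partition's number for -p from lsblk output and checks efibootmgr -v output for an existing entry pointing at the loader before you create another one. The function names and the sample lsblk and efibootmgr output are constructed for illustration, and the script only prints the efibootmgr command instead of running it.

```shell
#!/bin/sh
# Added example; function names and sample command output are constructed.
ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"  # GPT type GUID of an EFI System Partition

# Read `lsblk -rno NAME,PARTTYPE <disk>` on stdin; print the ESP's partition number.
esp_partnum() {
    while read -r name parttype; do
        # The GUID may appear in either case; normalise before comparing.
        parttype=$(printf '%s' "$parttype" | tr 'A-F' 'a-f')
        if [ "$parttype" = "$ESP_GUID" ]; then
            # Trailing digits of the name are the number (sda2 -> 2, nvme0n1p1 -> 1).
            printf '%s\n' "${name##*[!0-9]}"
            return 0
        fi
    done
    return 1
}

# Read `efibootmgr -v` on stdin; succeed if an entry already points at loader path $1.
has_loader_entry() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # efibootmgr prints backslashes, and FAT paths are case-insensitive.
    tr 'A-Z\\' 'a-z/' | grep -qF "file($want)"
}

# Constructed sample: a disk where the ESP is the second partition.
SAMPLE_LSBLK='sda
sda1 e3c9e316-0b5c-4db8-817d-f92df00215ae
sda2 C12A7328-F81F-11D2-BA4B-00A0C93EC93B
sda3 824cc7a0-36a8-11e3-890a-952519ad3f61'

# Constructed sample: firmware entries with no OpenBSD loader yet.
SAMPLE_EFIBOOTMGR='BootCurrent: 0000
Boot0000* ubuntu HD(2,GPT,00000000-0000-0000-0000-000000000000,0x800,0x64000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* Windows Boot Manager HD(2,GPT,00000000-0000-0000-0000-000000000000,0x800,0x64000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)'

part=$(printf '%s\n' "$SAMPLE_LSBLK" | esp_partnum)
if printf '%s\n' "$SAMPLE_EFIBOOTMGR" | has_loader_entry /EFI/Boot/bootx64.efi; then
    echo "An entry for /EFI/Boot/bootx64.efi already exists; nothing to add."
else
    echo "efibootmgr -c -p $part -d /dev/sda -L OpenBSD -l /EFI/Boot/bootx64.efi"
fi
```

On a real system, feed the functions from `lsblk -rno NAME,PARTTYPE /dev/sda` and `efibootmgr -v` instead of the sample variables.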
Selecting each operating system can now be easily done from the BIOS boot menu.