OpenBSD: Portable, Encrypted USB Install

OpenBSD: Portable, Encrypted USB Install

By Hatty Hacker | Hatty Hacking | 1 Sep 2021


OpenBSD: Portable, Encrypted USB Install

#openBaSeD

While many prefer the traditional BSD/Linux/Unix experience, I do not. The default installation process is highly limiting and tethers you to a specific device. Yeah, the system can be fine-tuned to your hardware, saving disk space from needless drivers that would underperform. However, most users care not for such trivialities anyways. What doth I mean?


Default Installs

With most instances, folks get their OSes via an install medium that is usually written with a "disk image" like those classic ISO or IMG files. Ya go to the OS website, click download, look for your target architecture, then click the blue link. Simple. Then you use a raw-disk utility such as rufus or dd to do a raw bit-by-bit copy of the disk image file and put it on your USB stick or CD. Granted, VMs are different, but those are just toys lest ye do virtualization on a Type-1 hypervisor...

Random blathering aside, folks use prebuilt disk images. They generally install those. Sometimes the installers can detect the hardware and only give you the drivers you need, doing the fancy work for you. Heck, most do. However, try taking the salvaged hard drive and plugging it into another computer on the same architecture. Yay, nothing works and I have to refactor my drivers!

Other OSes and distros can be lazy, and you get a pre-built, generic image. Full of drivers and cruft galore. You don't realize this, of course. You just use happily ever after until it craps out on ya or you distro-hop to the next hip thing. Alt-tech folks seem to like switching their software quite a bit (especially if it's free). But what if you want the software to remain consistent but the hardware to vary?


Portable Installs

The portable installation addresses the issue where you install to a disk that acts like a live USB/ISO. Imagine if your Arch, Ubuntu, and Debian live disks could save to that very device. Why do this? What if you're Terry Davis, without many options to run a computer all of a sudden? What if all you have is the local library PC? Then, you could have a USB with your OS of choice, assuming they haven't locked down booting off of an alternative medium.

The issue is that hardware varies like software. However, the sins of IBM and microShaft gave us: the 386-compatable line of PCs! Using DOS on a 386? No problem. On an x86? Yup. On amd64? Ppphhhbbbbt. Simple. On an ARM-Cortex v7 or RISC-V? Crap. For covering the majority of devices on the market today, an x86 (i386) system will nearly get them all.

You set up an i386 system with a generic collection of common drivers, including ones your current system doesn't need, and you can theoretically run it on most PCs/laptops. You just have to ensure your OS can dynamically load drivers so it will work on that machine. I have used both Arch Linux and Haiku to meet these needs, though opt out of x86 and go for amd64. This is because I prefer the freedom of power behind over 4G RAM, I tend to open too many web browser tabs...


Encrypted Installs

Every now and then, we all get a 'lil paranoid. We all scream obscenities like those 3-letter glowies are coming to get us, even when they're not. But maybe we have a snooty, sniveling, sinfully shoulder-surfing sister that constantly searches our stuff for something suspicious. Encryption works then. Maybe they can hack a bit and bypass basic OS security because windowze! Maybe they are a unix hacker and can spoof the user account to gain access to the files. At that point, just encrypt the drive.

With encrypted OSes, it's harder for a glowie sister to see stuff by default. You encrypt the whole partition your OS is on, you can guarantee it'll be hard to see what's on there without the lengthy passphrase. Corruptability, however... nah, not goin' dere. This is for privacy, mainly. Just make sure you practice proper privacy techniques when using your encrypted system, else ye be doing no good.


Pencryptable Installs

These are not default by nature. These are earned through hours of hacking and consulting stack overflow (or was that for software dev?). An encrypted, portable OS installation. Sounds magical. Like Tails, but not Tails. It's a USB drive. It's encrypted. It's your boot medium. That way you can smuggle some files from your school laptop and the malware scanner will not find out the naughties you've done.

These installs marry the best of portable installations with encrypted installations. Plus it makes you sound cool. For extra edge, using OpenBSD makes you pimp. "T'whhhhat's that? Ye plebz use-th the line-oooks? Bwha-ha-ha-ho! 'Tis naught whenst compared to mine encrypted-eth, porrtab-leh, OpenUSBSD (TM) setup!" However, the OpenBSD team rally makes things straightforward and simple, so you don't have to be a wizard to git-er-done.


Requirements

All you need: 2 USB drives, 1 openbsd install.img USB image file, 1 PC with 2 USB ports, and some know-how.

You don't want the cdrom.iso as it doesn't have a partition for EFI booting as neatly as the USB image. That's important, else you'll have to hack around later.


Setup

Boot the USB preloaded with the OpenBSD installer. We'll assume you have no other devices plugged in, so when it loads it will be sd0. Plug in your second, target USB. Chances are it will load as sd1 unless it is plugged in on boot. In that case, the numbers might switch. If you ever are in doubt, look at the blue-highlighted text from the kernel or try dmesg.

Break away from the install prompt with s, which will load a shell.

Make the devices accessible to the system with cd /dev ; sh MAKEDEV sd0 ; sh MAKEDEV sd1

You do these to set up encryption, filesystems, and other neat things that we'll do!

Set up your target USB (sd1) to have MBR with a small EFI-compatable partition on the disk with fdisk -iy -b 960 sd1

Now, setup partitions for the target (sd1) with disklabel -E sd1

Enter the following if you want one large encrypted partition aside the EFI one, you can partition how you desire:

a
<ENTER>
<ENTER>
<ENTER>
RAID
w
q

All that the above does is add a partition, we accept the default label (a), accept the default offset and size, change the target filesystem from 4.2BSD to RAID, then write and quit.
This will create the sd1a partition, the RAID fs that we need to encrypt. In OpenBSD, you need to use a RAID partition to encrypt data. The sd1c partition is the disk's size, while sd1i is the DOS/EFI partition.

Next, you set up the encryption for your target with bioctl -c C -l sd1a softraid0 which tells OpenBSD that this RAID partition is not really RAID so much as a single partition that's encrypted. This is all that OpenBSD supports in v6.9.

Enter the passwords and note the new disk that's given from bioctl, it will most likely be attached as something like sd2.

Return to the installer with install and continue as you normally would, at least until it asks for the target disk. It will list 3 options or so (depending on disks available), you should notice the encrypted partition mounted as a virtual disk (sd2). Specify that disk instead of the default (usually sd0 or the boot disk).

When it asks for partitioning scheme, use g to set it up as GPT. The MBR was taken care of already with fdisk earlier. After install, the MBR and EFI will decrypt and mount the RAID partition as a virtual disk. Then they can use GPT to load the sucker.

Set things up as desired, then install the sets from disk (assuming you downloaded the USB image with sets included). This is better than relying on internet for me, my DL kbps is SLOOOW!

Since we didn't mount the partition earlier, we type no then guide it to the installer device (sd0) and ensure the OpenBSD partition (a) is auto-mounted and leads to the sets. Generally pressing enter here does the lot after typing the initial "no".

Continue without verification, then instead of rebooting by default, you need to copy over the EFI loaders to your target device. Press s to return to the shell!

Initialize your target EFI partition (sd1i) with a DOS filesystem with newfs_msdos sd1i then mount the installer's EFI partition and the target's EFI partition. OpenBSD supplies 2 /mnt folders for this purpose!

mount /dev/sd0i /mnt
mount /dev/sd1i /mnt2

Copy over the EFI files with cp -r /mnt/* /mnt2 then ensure there is an /mnt2/efi/boot/ directory with the *.efi loaders. At that point, you can reboot the machine.

It should ask for the passphrase to decrypt the RAID partition, then boot the system like normal. It should work on EFI or BIOS systems, assuming that they support GPT and the architecture your installation targeted. From there, you do your common post-install diddlies, like fw_update. You may have to run fw_update on new devices to get the best collection of drivers needed. However, ensure you have internet.

Have fun evading your snooty, snooping sister's sinfully suspicious eyes and those glowies. Use some Vimcryption too, while you're at it...

Thanks for reading, and HattyHacking;

How do you rate this article?

7


Hatty Hacker
Hatty Hacker

Recreational programming and tech-xploration to everyday life and morel madness! Videos are campy and awkward on purpose. Also the official home of Fake News!


Hatty Hacking
Hatty Hacking

A deeper look into the videos by the Hatty Hacker (http://hattyhacker.com/).

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.