FDE on OpenBSD.Amsterdam opinionated VM

I ordered an opinionated VM on OpenBSD Amsterdam. And, as with any “Cloud” instance, it deserves Full Disk Encryption.

OBSD.ams provides VMs with unencrypted disks. This means the VM is able to boot on its own in case the vmd(8) host reboots. As far as I could see from their Twitter account, there are not that many crashes, but the host does reboot from time to time (for system updates or upgrades). If that’s a problem, one should probably not use FDE; or should be ready to connect to the console to enter the passphrase.

Order an opinionated VM

Browse to openbsd.amsterdam and click the “Book your VM” button.

Fill in the text boxes and wait for the confirmation email. Use the information in the email to proceed to payment and log in to the brand new VM. Have a look at the onboard HTML page to learn about the final touches.

Get your credentials

Connect to the VM and get the randomly generated password. It can be used later on to switch to the root account.

# ssh <username>@<Your IPv4>
# tail ~/.ssh/authorized_keys
# exit

Enable FDE

There is no magic here. FDE can only be set up at installation time. Have a look at the official OpenBSD guide before anything else. When done, proceed to the (re)installation.

Connect to the vmd(8) console.

# ssh -p <See port in email> <username>@<Your host>
# vmctl status <VM name>

Connect to the VM console and reboot using the “installation” kernel.

# vmctl console <VM name>

# reboot
(...)
boot> bsd.rd

Follow the path described in the FAQ.

(...)
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s

# cd /dev && sh MAKEDEV sd0
# dd if=/dev/urandom of=/dev/rsd0c bs=1m
# fdisk -iy sd0
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
offset: [64]
size: [104856191] *
FS type: [4.2BSD] RAID
sd0*> w
sd0> q
No label changes.

# bioctl -c C -l sd0a softraid0
New passphrase:
Re-type passphrase:
sd1 at scsibus1 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
sd1: 51199MB, 512 bytes/sector, 104855663 sectors
softraid0: CRYPTO volume attached as sd1

# cd /dev && sh MAKEDEV sd1
# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
# exit

Run the installation as usual. Select “sd1” when asked for the installation disk. When done, reboot.

Enter the passphrase. Log in, apply patches and tune starting daemons, then reboot.

# syspatch

# rcctl set ntpd flags -s
# rcctl restart ntpd

# rcctl stop sndiod
# rcctl disable sndiod

# reboot
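To make sure the reinstall really landed on the encrypted volume (and not on the raw sd0 disk), here is an added post-install sanity check; it is not part of the original post. It assumes the device names used above (sd0 as the raw disk with the RAID-typed “a” partition, sd1 as the CRYPTO volume), and its helpers take the text output of mount(8), bioctl(8) and disklabel(8) as arguments so they can be tried offline on the constructed samples at the bottom.

```shell
#!/bin/sh
# Added sanity check, not from the original post: confirm that "/" lives on the
# softraid CRYPTO volume and that the chunk behind it is a RAID-typed partition.
# The helpers take command output as text, so they can be exercised offline on
# constructed samples; on the VM feed them "$(mount)", "$(bioctl sd1)", "$(disklabel sd0)".

# root_device MOUNT_OUTPUT -> prints the device mounted on "/" (e.g. /dev/sd1a)
root_device() {
    printf '%s\n' "$1" | awk '$2 == "on" && $3 == "/" { print $1; exit }'
}
# crypto_volume_ok BIOCTL_OUTPUT DEV -> 0 if DEV is listed as an Online CRYPTO volume
crypto_volume_ok() {
    printf '%s\n' "$1" | awk -v dev="$2" \
        '$5 == dev && $3 == "Online" && $6 == "CRYPTO" { ok = 1 } END { if (!ok) exit 1 }'
}
# crypto_backing BIOCTL_OUTPUT -> prints the chunk partition of the volume (e.g. sd0a)
crypto_backing() {
    printf '%s\n' "$1" | awk '$NF ~ /^<sd[0-9]+[a-p]>$/ { gsub(/[<>]/, "", $NF); print $NF; exit }'
}
# partition_is_raid DISKLABEL_OUTPUT PART -> 0 if partition letter PART has fstype RAID
partition_is_raid() {
    printf '%s\n' "$1" | awk -v p="$2:" '$1 == p && $4 == "RAID" { ok = 1 } END { if (!ok) exit 1 }'
}

# fde_check MOUNT_OUTPUT BIOCTL_OUTPUT DISKLABEL_OUTPUT -> 0 when every check passes.
# DISKLABEL_OUTPUT must be the label of the disk holding the chunk (sd0 above).
fde_check() {
    root=$(root_device "$1")
    dev=${root#/dev/}; dev=${dev%[a-p]}           # /dev/sd1a -> sd1
    crypto_volume_ok "$2" "$dev" || { echo "FAIL: $root is not on a CRYPTO volume"; return 1; }
    chunk=$(crypto_backing "$2")                  # sd0a
    part=${chunk##*[0-9]}                         # sd0a -> a
    partition_is_raid "$3" "$part" || { echo "FAIL: $chunk is not typed RAID"; return 1; }
    echo "OK: / on $root, CRYPTO volume $dev backed by $chunk"
}

# Constructed sample output (what a correct install should look like):
SAMPLE_MOUNT='/dev/sd1a on / type ffs (local)'
SAMPLE_BIOCTL='Volume      Status               Size Device
softraid0 0 Online        53686099456 sd1     CRYPTO
          0 Online        53686099456 0:0.0   noencl <sd0a>'
SAMPLE_LABEL='#                size           offset  fstype [fsize bsize   cpg]
  a:        104856191               64    RAID
  c:        104857600                0  unused'
fde_check "$SAMPLE_MOUNT" "$SAMPLE_BIOCTL" "$SAMPLE_LABEL"
```

A root filesystem mounted from sd0a, or a chunk partition left as 4.2BSD instead of RAID, makes the check fail, which is exactly the case where the data would sit on disk in clear.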

There are known issues and tricks to apply. So far, I find the VM really responsive compared to the one I have on Vultr/FR and the one running on my Synology.

So here I am. (Tiny) Part of that great adventure. And loving it!