How should one set up full-disk encryption on OpenBSD?

Is there a preferred method to set up full-disk encryption under OpenBSD, similar to dm-crypt under Linux?

I’m looking for full-disk encryption, as if someone were to steal my notebook they could potentially access the data stored on it. Another reason is that I’m not always next to my notebook, so someone could potentially compromise the integrity of my netbook. These are the two major issues which make me believe that full-disk encryption is important for me.


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

OpenBSD supports full-disk encryption only since OpenBSD 5.3. Earlier versions require a cleartext boot partition. I don’t know when the installer was modified to support direct installation to an encrypted partition (with the bootloader still unencrypted of course, because something has to decrypt the next bit).

There’s little use in encrypting the system partition anyway¹. So I suggest installing the system normally, then creating an encrypted filesystem image and putting your sensitive data (/home, parts of /var, perhaps a few files in /etc) there.

If you want to encrypt the system partition anyway (because you have some special use case, like some confidential software), and you didn’t install an encrypted system originally, here’s how you can do it.

Boot into your OpenBSD installation and create a file that will contain the encrypted filesystem image. Make sure to choose a reasonable size since it’ll be hard to change later (you can create an additional image, but you’ll have to enter the passphrase separately for each image). The vnconfig man page has examples (though they’re missing a few steps). In a nutshell:

dd if=/dev/urandom of=/ENCRYPTED.img bs=1m count=4096
vnconfig -k svnd0 /ENCRYPTED.img  # type your passphrase
{ echo a a; echo w; echo q; } | disklabel -E /svnd0  # create a single slice
newfs /dev/svnd0a
mount /dev/svnd0a /mnt
mv /home/* /mnt
umount /mnt
umount /dev/svnd0c

Add corresponding entries to /etc/fstab:
 /ENCRYPTED.img  /dev/svnd0c  vnd rw,noauto,-k
 /dev/svnd0a     /home        ffs rw,noauto

Add commands to mount the encrypted volume and the filesystem in it at boot time to /etc/rc.local:
echo "Mounting encrypted volumes:"
mount /dev/svnd0c
fsck -p /dev/svnd0a
mount /home

Check that everything is working correctly by running these commands (mount /dev/svnd0c && mount /home).

Note that rc.local is executed late in the boot process, so you can’t put files used by the standard services such as ssh or sendmail on the encrypted volume. If you want to do that, put these commands in /etc/rc instead, just after mount -a. Then move the parts of your filesystem you consider to be sensitive and move them to the /home volume.

mkdir /home/etc /home/var
mv /etc/ssh /home/etc
ln -s ../home/etc/ssh /home/etc
mv /var/mail /var/spool /home/var
ln -s ../home/var/mail ../home/var/spool /var

You should encrypt your swap as well, but OpenBSD does that automatically nowadays.

The newer way to get an encrypted filesystem is through the software raid driver softraid. See the softraid and bioctl man pages or Lykle de Vries’s OpenBSD encrypted NAS HOWTO for more information. Recent versions of OpenBSD support booting from a softraid volume and installing to a softraid volume by dropping to a shell during the installation to create the volume.

As far as I can tell, OpenBSD’s volume encryption is protected for confidentiality (with Blowfish), not for integrity. Protecting the OS’s integrity is important, but there’s no need for confidentiality. There are ways to protect the OS’s integrity as well, but they are beyond the scope of this answer.

Method 2

Softraid with the CRYPTO discipline was intended by the OBSD designers to support full-disk encryption. There was another method as well with SVND that is now deprecated.

Method 3 is basically a graphical how-to of softraid full disc encryption. Of course never blindly follow guides and make sure all the bioctl settings are correct.

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments