OpenBSD: RAID1 (Mirror) with Full Disk Encryption

This is a theoretical approach to install OpenBSD server on two physical disks in software RAID1 (mirror) having the logical (root) partition encrypted aka full disk encryption. Unfortunately, this approach is not supported as yet…

The Idea

With limited resources (money), having a hardware RAID may not seem to be an option. Beside money, there are also other issues with HW RAID solutions such as incompatibility among different vendors, even among the same vendor and same cards, but with different firmwares, etc. Therefore, a software RAID seems to be an option here. OpenBSD supports both HW and SW RAID (HW compatibility needs to be verified though!)

Risk of theft of physical disks may not be low, when considering the destination HW to be a laptop (just an example). Therefore, full disk encryption seems to be the right choice. OpenBSD supports full disk encryption.

Combination of both; however, has been a no go ever since. Stefan Sperling confirms that, quote: “Disciplines cannot be nested yet! So no CRYPTO on top of RAID 1, for instance.

A Brief Draft to Accomplish “The Idea”

A briefly commented step-by-step approach to install OpenBSD (tested with version 6.0) in VirtualBox.

    Welcome to the OpenBSD/i386 X.X installation program.
    (I)nstall, (U)pgrade, (A)utoinstall or (S)hell?

Choose (S)hell to escape to shell.

Create Device Nodes

Generally, only the first node is created, i.e. sd0. The rest needs to be created manually.

# cd /dev
# for i in 1 2 3; do sh MAKEDEV sd$i; done
# cd /

Create a RAID 1 Volume

First, delete the disks (will damage data), create MBR on both disks, and create RAID partition on both disks using the disklabel tool. Eventually, use bioctl to set up the RAID 1 policy. Again, delete the first MB of data to make sure the OS will read it properly.

# dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
# fdisk -iy sd0
# fdisk -iy sd1
# echo -n "z\na\n\n\n\nRAID\nw\nq\n" | disklabel -E sd0
# disklabel sd0 > layout && disklabel -R sd1 layout && rm layout
# bioctl -c 1 -l sd0a,sd1a softraid0
# dd if=/dev/zero of=/dev/rsd2c bs=1m count=1

Create a SWAP and a Crypto Partitions

First, create a MBR on the logical (RAID) disk. Set up the first (b) partition as SWAP (e.g. 2GB large), and the second (a) as RAID (the disk remainder). Initialize the latter one with bioctl again (notice the -c value to be C, which represents an encrypting discipline.) Configure an appropriate password. Eventually, reset the new logical (and encrypted) partition, set it up as MBR, create a single large partition (a) and format it accordingly using the newfs command.

# fdisk -iy sd2
# echo -n "z\na b\n\n2G\n\na a\n\n\nRAID\nw\nq\n" | disklabel -E sd2
# bioctl -c C -r 987654 -l sd2a softraid0
# dd if=/dev/zero of=/dev/rsd3c bs=1m count=1
# fdisk -iy sd3
# echo -n "z\na\n\n\n\n\nw\nq\n" | disklabel -E sd3
# newfs sd3a

Install the System

The installation process is pretty much straightforward, execute the following command and follow the questions/instructions accordingly.


Note: When asked for a root partition

Available disks are sd0 sd1 sd2 sd3.
Which disk is the root disk? ('?' for details) [sd0]

Select sd3.

The Error

The above process ends up with the following error, only to confirm Stefan Sperling’s words.

installboot: invalid boot record signature (0x0000) @ sector 0

Failed to install bootblocks.
You will not be able to boot OpenBSD from sd3


Hopefully, the OpenBSD developers can make this possible soon. I wish I could have helped them. I am no developer though :-/


I received the following feedback from Yary Hluchan. I have not tested it yet though. Anyway, cheers mate! 🙂
It can be fixed by issuing “cd /dev; sh MAKEDEV sd2” after making the RAID- that is, after running bioctl. In your case, you would also run it again after making sd3. It adds the /dev/rsd* devices — even though the sd* devices may already be in /dev.

From what I read, you can layer, I recall seeing a recipe for a soft RAID10 in OpenBSD. Not sure if layering would work for a boot volume.

This entry was posted in BSD, Security, Server and tagged , , , , , , . Bookmark the permalink.