Home / Articles

Mount and unmount encrypted disk on OpenBSD

2017-04-22T19:24:00Z.

On OpenBSD, disks can be encrypted using bioctl(8) and the same program is used to decrypt the disk.

This article assumes you are using OpenBSD 6.1 and the disk to be mounted was encrypted using bioctl(8).

Check device name of disk

First connect the disk to the computer (in case it is a portable storage device), then run the following to check the device name:

dmesg

A line similar to the following should be shown at the bottom of the output:

sd1: 114473MB, 512 bytes/sector, 234441648 sectors

The line means the disk is available as sd1.

Check partitions on disk

Check the partitions on the disk by running the following as root:

disklabel -p g /dev/sd1c

The letter c means the whole disk.

Partition information similar to the following will be shown:

# /dev/sd1c:
type: SCSI
disk: SCSI disk
label: WDC WD1200BEVS-7
duid: 313a19595091cf1b
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 14593
total sectors: 234441648 # total bytes: 111.8G
boundstart: 64
boundend: 234436545
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:           110.0G          3775275    RAID
  b:             1.8G               64    swap
  c:           111.8G                0  unused

The partition a is the encrypted partition (note the fstype column).

Attach and decrypt volume

Attach the encrypted volume by using bioctl(8) as root:

bioctl -c C -l /dev/sd1a softraid0

You will be asked to enter a passphrase to open and attach the volume. Once the encrypted volume is opened and attached successfully, a line similar to the following will be shown:

softraid0: CRYPTO volume attached as sd2

Check partitions in encrypted volume

Check the partitions in sd2 (the attached encrypted volume) as root:

disklabel -p g /dev/sd2c

Partition information similar to the following will be shown:

# /dev/sd2c:
type: SCSI
disk: SCSI disk
label: SR CRYPTO
duid: e88691b138a12b9c
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 14357
total sectors: 230660742 # total bytes: 110.0G
boundstart: 64
boundend: 230645205
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:            10.0G               64  4.2BSD   2048 16384     1
  c:           110.0G                0  unused
  d:           100.0G         20980864  4.2BSD   2048 16384     1

Mount partitions in encrypted volume

Now mount the partition(s) as needed. For example, to mount /dev/sd2d to the /mnt/portable-drive directory, run the following as root:

mkdir /mnt/portable-drive

mount /dev/sd2d /mnt/portable-drive

Umount

To umount the partitions, first run the following as root:

umount /dev/sd2d

Then detach the encrypted volume by running the following as root:

bioctl -d sd2

References

• http://man.openbsd.org/OpenBSD-6.1/bioctl
• https://www.openbsd.org/faq/faq14.html
• http://geekyschmidt.com/2011/01/19/configuring-openbsd-softraid-fo-encryption