Setting up a FreeBSD/OpenBSD dual-boot with full disk encryption

A bit over a month ago, I bought my first refurbished laptop. Previously I used a ThinkPad (owned by the company I work for) for on-call duty. It’s running a Linux distro which would not be my first choice at all, it has a small screen and – it’s not my property. I wanted my own laptop and since we’re allowed to use whatever distro we prefer, I thought that I’d be going with Arch.

(If you’re just interested in the commands to enter, have a look at the end of this post where I’ve put a list of them.)

*BSD in production

On a second thought: Why not use *BSD? For me it would mean going to use a *BSD desktop “in production” after only running it privately. Thanks to the great BSDNow! show I feel confident enough now to give it a try. The company that I work for is running some FreeBSD servers, too, so it’s not something entirely strange and unknown. I went with asking if using BSD for on-call was ok. The answer was what I expected: If I thought that it would work ok I should well try it. The only requirement was that I’d encrypt the disk (the same rule would apply to Linux, too, of course).

Next question: Which BSD to use? Since I’m just getting into *BSD, I’m not really familiar with all of them now. Net and Dragonfly would certainly be interesting, but since I need that box for work that’s not an option. I need something that I know enough to be able to work with. Of course it would be best if I could learn something at the same time… So, what’s the best way to learn more? Probably tracking -CURRENT! But what if something breaks? I cannot afford that. And which BSD to use anyway? I work with some FreeBSD servers, so more in-depth FreeBSD knowledge would make sense. Then again I’ve really come to like Puffy and all he stands for…

That would be a hard decision! Finally I decided not to decide – and to just install both instead. This also has the advantage of having a second system if either CURRENT should ever break!

Hardware: HP EliteBook

I bought an HP EliteBook 8470p. Why didn’t I go with Lenovo even though those are known to work best with *BSD and I obviously need something that seriously works? Well, there’s one reason for me: With the ThinkPads keyboards just totally suck. I have no idea who came up with that sad story of “Hey, let’s just put the Fn key where Ctrl belongs and vice versa!”. No idea whatsoever. But I know for sure that it drives me insane. No fun at all when you’re working on-call at four AM, barely awake, and nothing happens when you have to CTRL-C something quickly. I could never get used to it ever!

So for that very reason it had to be some other hardware. I had this older HP laptop that a friend sold me for a few bucks a while ago. I can’t remember which model exactly and cannot look it up since I don’t have it anymore. (When my mother’s old computer died as I was over on a visit, my father thought about replacing it with a Windows box since that’s the only thing that he knows. To avoid that, I set up said old HP laptop that I had with me as a replacement and gave it to her. She’s been using it happily since.) That laptop had been a pleasant experience when I had OpenBSD on it and so I decided to give that EliteBook a try.

It works fairly well for most things. On FreeBSD there was the problem with the Intel video driver but since I’m running 11-CURRENT video is all working great even when I quit X11. WiFi is detected according to dmesg but for some reason no iwn0 shows up if I run ifconfig. I didn’t have time to look into that further, however. On OpenBSD backlight gets turned off if I quit X and thus the screen is a bit dark then. Since I usually quit X to shut down the computer afterwards, anyway, that’s only a minor issue. WiFi is correctly detected and I confirmed it to work. Suspend works when I close the laptop but when it wakes up the keyboard does not work anymore. These are the only issues that I ran into so far.

What is the exact use case?

FreeBSD can use ZFS while OpenBSD cannot. I’m not sure if FreeBSD’s and OpenBSD’s UFS/FFS filesystems are compatible (I think OpenBSD’s implementation misses quite some of the newer features). The encryption methods used by the systems however are definitely not compatible. So it doesn’t matter anyway in this case and I’m free to choose whichever filesystem I want.

Since I’ll be compiling FreeBSD-CURRENT now and then (and in general plan to do some stuff that likes much memory to be available), I decided to go with UFS. Yes, there are scenarios where ZFS is simply overkill! There’s only one drive in the laptop, it’s not extremely big and it won’t hold any important data. I have no need for any particular ZFS feature on that system, so going with UFS should be fine. (That plus the fact that I’m still reading Lucas’ and Jude’s excellent book on ZFS and intend to play with that filesystem on another machine.)

Prior to version 5.9 (released after I originally wrote this), OpenBSD only really supported the MBR partitioning scheme so going with that was an easy choice. I’ll stick to it for now because I need some time to play with it first. I’m going to do everything again in a VM so I can take screenshots for this article.

Installing FreeBSD

The installation begins just like an ordinary FreeBSD install: Boot up the installer media and make your way through the setup questions. When the installer asks about the partitioning however, we’re going to do that by hand.

Choosing to partition by hand

The plain Bourne shell is not very comfortable for interactive use, so it generally makes sense to switch to a more advanced shell (like tcsh) for convenience features like auto-completion. Should you not know which drives your machine has, camcontrol can help you. If you want to start with a clean drive, you can zero out everything with dd (when I bought my laptop it had Windows 7 on it that I wanted to get rid of).

Zeroing out the disk

If you’re not familiar with what partitions and slices are, you may want to have a look at an older post where I wrote up a little excursion about that topic.

First an MBR is created and then two slices are added to it. The first one gets 100 gigabytes, the other the rest (which is also 100 GB in my case). Both slices are created aligned to the 4k sector size of the hard drive. Then a BSD disklabel is added in the first slice. After that, boot0 (a simple boot manager) is written to the drive and the standard bootcode into the first slice. Finally the first slice is marked as active for booting.

Slicing the disk

Now three partitions are created inside the BSD label: One for boot (which will hold the kernel and cannot be encrypted), one for swap and one for the system (which will be encrypted). Glabel is used to give these partitions a more meaningful name than ada0s1a and the like. Since the system partition will be encrypted, it makes sense to write some garbage all across it so that it is impossible to see which part holds data and which does not. This takes quite a while and you could of course skip this. As long as your patience lives up to paranoia, that little bit of extra security is worth the wait!

Creating and labeling BSD partitions

Next the system partition is initialized with GELI, one of FreeBSD’s two military-grade encryption methods. I only use a passphrase to unlock but you can also use a key (or both) if you wish. After attaching the new GELI partition, a new GEOM provider, system.eli, is available with the clear data for you (and your programs) to use.

Creating and attaching the GELI partition

Now it’s time to format the two data partitions (the swap partition does not need any formatting). You could also use journaling UFS for the boot partition but it’s usually not necessary.

Creating filesystems

Copy over the boot directory and add two lines to loader.conf so that you’ll have the chance to unlock your GELI partition during system startup. What remains is writing a fstab. Notice that for some reason I’ve forgotten to put swap.eli in there on my screenshot (even though that’s what I have in my script). What this does is use a one-time key for your swap on each boot, thus making sure that any data that remains on the swap partition is useless once the system has been powered down. You do not have to initialize GELI for this. FreeBSD knows what to do when it sees swap.eli.

Mount the decrypted system partition on /mnt as that’s where the installer expects it. And don’t forget to create the clear directory as we demand that in fstab and the system would not boot up correctly if it was missing. Then exit the shell and continue with the installer.

Copying over /boot and writing loader.conf and fstab

Once the installation has finished, the installer will ask you if you wish to make any final modifications. Answer yes and it will drop you into a shell in a chroot of your new system. Delete /boot (that directory lives on the encrypted system partition and the bootloader could not find the kernel there anyway) and make it a symlink pointing to /clear/boot instead. This step is not actually required. But if you don’t do it, you won’t be able to update your system the normal way. If you want to only mount the real /boot by hand whenever you upgrade, that’s fine, too, of course.

Choosing to make final modifications

Exit the shell, reboot and remove the boot media. Then reboot. Your boot manager (boot0) will offer you two FreeBSD systems. Hit F1 to boot up FreeBSD. Don’t hit F2. There’s no system there, yet.

Installing OpenBSD

The OpenBSD installer is neither pretty nor does it offer any kind of menu system. However it is simple, effective and straightforward. Choose to install OpenBSD, set your keymap, enter a hostname, configure the net and set a root password.

Hostname, network and password configuration

Choose whether to run an SSH server by default, whether to prepare the system for X11 and whether you want the display manager XDM to be started automatically. Create a user now or do so later. When asked for the timezone, enter a ! instead to drop into a shell.

Going to a shell

If you don’t know your disks, look inside the dmesg for the name. Now use fdisk to change the type of the second partition from A5 (FreeBSD) to A6 (OpenBSD). Then use disklabel to create a swap partition and a main partition. Make absolutely sure that the latter has the type RAID!

Partitioning for OpenBSD

Encrypt the new softraid with bioctl, then exit the shell. Now enter the correct timezone and choose the newly created softraid for the installation! Dedicate the whole softraid disk to OpenBSD but edit the partitions to fit your needs. You do not need a swap partition on the softraid because we created a separate one on the real disk, remember? For that reason, after OpenBSD has formatted the partitions you created, the installer will ask you if you want to add any other disks before you start the actual installation. You DO because there’s the swap area.

Preparing crypto softraid

Once the installer has finished, reboot the machine. Now the boot manager says “F1 – FreeBSD” and “F2 – BSD”. The second one is your OpenBSD. The manager knows only the partition type and has no clue which system is on there.

Plain text summary

Here’s what you could type in for the shell parts of both installers:

FreeBSD

In the partitioning shell:
# Switch to a more comfortable shell, then wipe the drive (optional and slow).
tcsh
dd if=/dev/zero of=/dev/ada0 bs=1m
# MBR with two 4k-aligned slices: the first for FreeBSD, the second left for OpenBSD.
gpart create -s mbr ada0
gpart add -a 4k -t freebsd -s 98G ada0
gpart add -a 4k -t freebsd ada0
# BSD label in the first slice, boot0 manager in the MBR, standard bootcode in the slice.
gpart create -s bsd ada0s1
gpart bootcode -b /boot/boot0 ada0
gpart bootcode -b /boot/boot ada0s1
gpart set -a active -i 1 ada0
# Partitions inside the label: a = unencrypted /boot, b = swap, d = encrypted system
# (gpart skips "c", which traditionally stands for the whole slice).
gpart add -t freebsd-ufs -s 2G ada0s1
gpart add -t freebsd-swap -s 4G ada0s1
gpart add -t freebsd-ufs ada0s1
glabel label clear /dev/ada0s1a
glabel label swap /dev/ada0s1b
glabel label system /dev/ada0s1d
# Fill the system partition with random data so used and unused blocks look alike (optional and slow).
dd if=/dev/random of=/dev/label/system bs=1m
# GELI: -b attach at boot, -s 4096 byte sectors, -l 256 bit key; unlocked by passphrase only.
geli init -b -s 4096 -l 256 /dev/label/system
geli attach /dev/label/system
newfs /dev/label/clear
newfs -j /dev/label/system.eli
# Put the kernel and loader on the unencrypted partition and tell the loader where the root is.
mount /dev/label/clear /media
cp -Rp /boot /media
echo 'vfs.root.mountfrom="ufs:/dev/label/system.eli"' >> /media/boot/loader.conf
echo 'geom_eli_load="YES"' >> /media/boot/loader.conf
# swap.eli gets a fresh one-time key on every boot; no geli init is needed for it.
echo '/dev/label/system.eli / ufs rw 1 1' >> /tmp/bsdinstall_etc/fstab
echo '/dev/label/swap.eli none swap sw 0 0' >> /tmp/bsdinstall_etc/fstab
echo '/dev/label/clear /clear ufs rw 1 1' >> /tmp/bsdinstall_etc/fstab
# The installer expects the target root on /mnt; /clear must exist as a mount point.
mount /dev/label/system.eli /mnt
mkdir /mnt/clear
exit
exit

In the "final modifications" chroot:

# The chroot already is the new system, so the link is created at /boot (not /mnt/boot):
# /boot on the encrypted root is useless to the loader, point it at the real one under /clear.
rm -r /boot
ln -s /clear/boot /boot
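A small check for the two files written in the partitioning shell, added here as an example and not part of the original post: it reads the fstab and loader.conf and flags the slip from the screenshot (a swap line without the .eli suffix) as well as a missing /clear mount or a missing geom_eli_load line. It assumes the paths from the summary above; the sample files are constructed inline, so it runs on any POSIX shell without a FreeBSD installer around.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the fstab and
# loader.conf written from the installer shell before the first reboot.
# Paths match the summary above; the sample files below are constructed.

# check_fstab FILE -> 0 if all rules hold, 1 otherwise (reasons on stderr)
check_fstab() {
    f="$1"; rc=0
    # / must be mounted from the GELI provider, not the raw partition
    grep -Eq '^[^#[:space:]]+\.eli[[:space:]]+/[[:space:]]+ufs' "$f" \
        || { echo "fstab: / is not on a .eli provider" >&2; rc=1; }
    # every swap device needs the .eli suffix to get a one-time key per boot
    awk 'BEGIN { bad = 0 } $3 == "swap" && $1 !~ /\.eli$/ { bad = 1 } END { exit bad }' "$f" \
        || { echo "fstab: swap device without .eli suffix" >&2; rc=1; }
    # /clear must be mounted, or the /boot -> /clear/boot symlink dangles
    grep -Eq '[[:space:]]/clear[[:space:]]+ufs' "$f" \
        || { echo "fstab: no /clear mount for the boot partition" >&2; rc=1; }
    return $rc
}

# check_loader FILE -> 0 if the GELI module and the encrypted root are configured
check_loader() {
    f="$1"; rc=0
    grep -q '^geom_eli_load="YES"' "$f" \
        || { echo "loader.conf: geom_eli_load=\"YES\" missing" >&2; rc=1; }
    grep -Eq '^vfs\.root\.mountfrom="ufs:/dev/[^"]+\.eli"' "$f" \
        || { echo "loader.conf: vfs.root.mountfrom not on a .eli provider" >&2; rc=1; }
    return $rc
}

# Constructed samples: GOOD_FSTAB mirrors the summary, BAD_FSTAB the screenshot slip.
GOOD_FSTAB=$(mktemp); BAD_FSTAB=$(mktemp); LOADER=$(mktemp)
trap 'rm -f "$GOOD_FSTAB" "$BAD_FSTAB" "$LOADER"' EXIT
cat > "$GOOD_FSTAB" <<'EOF'
/dev/label/system.eli / ufs rw 1 1
/dev/label/swap.eli none swap sw 0 0
/dev/label/clear /clear ufs rw 1 1
EOF
cat > "$BAD_FSTAB" <<'EOF'
/dev/label/system.eli / ufs rw 1 1
/dev/label/swap none swap sw 0 0
/dev/label/clear /clear ufs rw 1 1
EOF
cat > "$LOADER" <<'EOF'
vfs.root.mountfrom="ufs:/dev/label/system.eli"
geom_eli_load="YES"
EOF

# Run both checks on each sample; only GOOD_FSTAB passes.
for f in "$GOOD_FSTAB" "$BAD_FSTAB"; do
    if check_fstab "$f" && check_loader "$LOADER"; then
        echo "$f: ok"
    else
        echo "$f: fix before rebooting"
    fi
done
```

On a real install, run it against /tmp/bsdinstall_etc/fstab and /media/boot/loader.conf before leaving the partitioning shell.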

OpenBSD

In the installer (one answer per prompt):
# Install, keymap, hostname, interface, IPv4, IPv6, no more interfaces, root password,
# sshd by default, run X11, start XDM, set up a user; "!" at the timezone prompt opens a shell.
i
de
puffy
em0
dhcp
none
done
password
no
yes
no
no
!
# In the shell: find the disk, switch the second MBR partition from A5 to A6 (OpenBSD),
# then label it: b = 4G swap, a = the rest with fstype RAID for the crypto softraid.
dmesg | grep [ws]d0
fdisk -e sd0
setpid 1
A6
quit
disklabel -E sd0
a b
ENTER
4G
swap
a a
ENTER
ENTER
RAID
w
q
# Create the passphrase-protected (-c C) softraid on sd0a; it shows up as the next disk, sd1.
bioctl -c C -l /dev/sd0a softraid0
exit
# Back in the installer: timezone, install to the softraid disk (sd1) with your own layout,
# then add sd0 and use its OpenBSD area so the swap partition there is picked up.
Europe/Berlin
sd1
whole
e
Your layout here
w
q
sd0
OpenBSD
w
q
done
# Fetch the sets over HTTP from the mirror (no proxy).
http
none
openbsd.cs.fau.de
pub/OpenBSD/5.9/amd64
done
done

Craven New World – or how to ruin the net

Alright. I never expected to write about anything remotely “political” on my blog… It’s about technical things, right? Ok, ok, free software is “political” all by itself. Kind of. But that’s about it.

While at times I’m really sick of what happens on the world, that doesn’t fit well on a blog about computer topics. I admit that I was tempted two or three times to write something about all the blatant and ruthless lies against Russia and things like that. But this is not the right place for those topics. So I resisted. Then came July 1st…

I began to write a full-sized rant on that day but in the end decided to drop it and re-think things when I got calm again. Since I’m still stunned and angry at the same time, I’ve simply got to write an article now nevertheless.

The one and only

In that morning I read about how Paypal froze ProtonMail’s account. While it is nothing new that Paypal freezes accounts, the rationale was quite interesting. ProtonMail is a provider of email services. What makes them stand out is that they are developing an easy-to-use email system that features end-to-end encryption.

Now it’s a well-known fact that there are powers out there who have no respect at all for your privacy. They want to know where you go, what you download and what you talk about when you mail grandma. You could be a dangerous villain, skilled to pretend the contrary after all – and if they can’t find out what color your underwear is, you might even get away with it!

From that point of view, encryption is… well, irritating to say the least. Which makes it a clear thing that ProtonMail sucks big time. How dare they help people who prefer to keep private things private? So Paypal froze their account, because that company “wasn’t sure whether ProtonMail had approval by the government” for their business. As a matter of fact, the US have quite a few strange laws. But that’s another thing and it’s perfectly fine if an American company doesn’t wish to assist another American company in doing something unlawful. Except – ProtonMail is not an American company… It’s based in Switzerland!

How can it be that a Swiss company would require US approval for their business? And it’s not even the first time that something like that happens. The USA has blackmailed Switzerland not too long ago. And with their “compliance” ideology they are choking many others, too. This is a very alarming and gross practice. But it is, I cannot repeat it often enough, nothing new.

Just hand it to us!

A while later I read about how Microsoft had just seized more than 20 domains owned by no-ip. This cut off almost two million users from using the no-ip service. And what was the reason for such a draconian action? Was the life of the president at stake? Nope. Was the whole country threatened by some ancient evil perhaps? Not really. It was far worse than that: Microsoft had found a judge who allowed the domain seizure because Microsoft claimed that there were two accounts involved in spreading malware…

This was the moment I had to take a look at the calendar just to make sure that I didn’t mess up things and it was actually April 1st! But no – unfortunately not.

I just want to add that I am not a no-ip user and wasn’t affected personally. But I know people who were – one was even affected enough to finally give Linux more room both for private use and in his company. So while the whole thing is pretty much insane it has its good sides, too. Especially since I expect more people to be really upset after what Microsoft did. Maybe they should rather spend their time fixing their own broken windows than throwing stones at other people’s business?

Oy vey, we want your money!

Ah, what a day. We had some news which were hard to believe if such things weren’t happening over and over again. Then there was some news which left me incredulously shaking my head. What Microsoft did was ludicrous and the fact that some judge ruled in their favor is downright absurd. That cannot possibly be surpassed, can it? Yes. Unfortunately it can.

The last news is just so completely off the scale that I don’t find any words for it (even in my native language, that is). While the Microsoft case makes you question your sanity, the other thing that happened makes you struggle for your faith in mankind. Seriously.

So what happened? Well. More or less this:

Group A (private individuals) who are citizens of
state B (Israel) mandate
organisation C (a Jewish law firm) to sue
state D (Shiite (!) theocracy Iran) in
state E (the USA) for alleged financial support of
organisation F (Sunni (!) Hamas) who are accused of
action G (a terrorist attack) in
territory H (the Gaza Strip) which belongs to
state I (Palestine) as group A claims they have suffered from action G.

Now under normal circumstances you’d laugh at any weirdo who can come up with such an idea – let alone actually carry it out… When you’re finished laughing and wiped the tears out of your eyes, you wish him that he’ll find a good mental doctor.

The story is not over, however. The US court rules in favor of the claimant – and since Iran did what any sane person would do and denies this arrogant impertinence, there’s now the fine (like I said I’m at a loss for words) idea: distrainment of the Iranian TLD (.ir)!!

Come on! Distrain a TLD on the net? Seems like they are really working hard to ruin the net. Congratulations to all those bright people involved.

What’s the world coming to?

In my country (Germany) the phenomenon of anti-Americanism is on the rise. Many people are in rage because of what the NSA did (and without any doubt continues to do). This is a rather sad thing actually, but in many cases I agree with what people say. The US government is one of the most corrupted and unsound entities of the world. Yet – and that deserves to be emphasized – that doesn’t make all Americans warmongers or liars.

The government in my country is run by criminals as well and so I’m probably not in the best position to complain. After all former chancellor Schröder openly admitted (in one of the biggest newspapers of the country!) that the NATO bombings in Yugoslavia (which he supported) were against international law. By stating so he confessed to be a war criminal – and that had no consequences whatsoever. Funny, isn’t it? And still I’d admit any time that I think of him as a more “honest” person than current chancellor Merkel…

Action!

I’d really like to ask every and all Americans to try hard and reclaim their country. But there’s not too much that people who value freedom can do right now. Yet there is one thing we can all do: Start using encryption. Yes, invest that half of an hour to teach your grandmother how to write and read encrypted mail. It’s not that hard.

You are telling me that you have nothing to hide? That’s great! Why? Simple: Same here. It’s great because it is this important little fact that makes us qualify to begin encrypting. Currently it makes you a suspect if you use encryption. Well, I can live with that.

I also don’t mind if those who think they absolutely have to know what I mail my grandmother break the encryption. But if they want to, they may well invest quite a bit of effort. If they find it worth the time and resources to learn how much my children have grown since we last visited her, that’s fine for me. If everybody used encryption it would be a normal activity. Let’s aim for that!

So – what about you?