Unlocking secondary disks on OpenBSD
In a recent conversation, the topic of encrypted disks on OpenBSD came up, and how to have multiple FDE disks while only needing to enter a passphrase once. If you install to an FDE root and then follow the official instructions for setting up FDE on your additional drive(s), you'll likely end up needing to enter your passphrase multiple times during boot, once for each drive, or else provide a key disk. Thus began the quest to document how to unlock the root disk with a single passphrase and then have the other disk(s) unlock automatically.
This assumes you've already configured the first boot-drive with FDE using the installer.
Get a quiesced system
To begin with, make sure that all drives are attached and you have rebooted into the system to ensure drive naming quiesces. I found that using a USB drive as my $ENCRYPTED_DISK led to it being "sd2" after initially plugging it in, but "sd0" upon rebooting. You want to ensure stable naming.
Initial setup
To make the following instructions easy to adapt, we'll set some initial variables that you can change to suit your needs:

KEYFILE=/root/keyfile
ENCRYPTED_DISK=sd2
DEST=/mnt/data

$KEYFILE points to the password/passphrase file, owned by the "root" user and with 0600 permissions ("-rw-------", which can be done by temporarily setting a umask of "077"), that we need to generate with high-quality random gibberish:

OLD_UMASK=$(umask)
umask 077
tr -dc a-zA-Z0-9 < /dev/urandom | fold -w 256 | head -1 > $KEYFILE
umask $OLD_UMASK
Disk setup
WARNING: this will destroy the data on $ENCRYPTED_DISK!

Use fdisk and disklabel to create a full-disk-spanning "a" partition of type "RAID":
dd if=/dev/urandom of=/dev/r${ENCRYPTED_DISK}c bs=1m
fdisk -iy $ENCRYPTED_DISK
disklabel -E $ENCRYPTED_DISK
a
RAID
q
Next, create the encrypted drive with bioctl, using the key file generated above ("sd3" here as reported from bioctl output):

bioctl -c C -p $KEYFILE -l ${ENCRYPTED_DISK}a softraid0
softraid0: CRYPTO volume attached as sd3
Now let's prepare that resulting disk for usage. You can use disklabel to partition it however you want, but for the example here, we'll just create a single big "a" partition.
DECRYPTED_DISK=sd3
dd if=/dev/zero of=/dev/r${DECRYPTED_DISK}c bs=1m count=1
fdisk -iy $DECRYPTED_DISK
disklabel -E $DECRYPTED_DISK
a
q
newfs ${DECRYPTED_DISK}a
Repeat the newfs for other partitions if you created any.
Reproducing it on reboot
To re-engage things upon rebooting, we need to obtain the disk-id:
DUID="$(disklabel $DECRYPTED_DISK | awk '$1 == "duid:"{print $2}')"
echo $DUID
c001ba1dc0dedad5
With that, we can create entries in /etc/fstab:

echo "${DUID}.a $DEST ffs rw,noauto,nodev,nosuid 0 0" >> /etc/fstab
You can remove the "nodev" and "nosuid" if you need those. Add additional entries if you created and formatted other partitions. At this point, you should be able to mount the decrypted drive:
mount $DEST
Finally, add commands in /etc/rc.local to create the crypto device and mount it at boot:
cat >> /etc/rc.local <<EOF
bioctl -c C -p ${KEYFILE} -l ${ENCRYPTED_DISK}a softraid0
mount "$DEST"
EOF
If you have other partitions and fstab(5) entries, you can add additional mount(8) directives.
Finally you should be able to reboot into the new system, enter your main/root drive's password/passphrase, and yet have your second drive also unlocked during the boot process without needing to provide a second password/passphrase.
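The following helper functions are an added example, not code from the original post: they reproduce the key-file generation and fstab steps above and add the checks a practitioner would run before rebooting (key file owner and mode as bioctl -p expects, and an fstab device field that is a DUID rather than an sdN name that can move between reboots). The disklabel output used is constructed from the post's sample DUID, so the block runs without a real softraid volume.

```shell
# Added example, not code from the original post. The disklabel(8) output
# below is constructed from the post's sample DUID so this runs without a disk.

# Generate the key file under a temporary umask of 077, as the post does,
# so it is created 0600 instead of being chmod'ed after the fact.
make_keyfile() {   # make_keyfile FILE
    old_umask=$(umask)
    umask 077
    tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 256 | head -n 1 > "$1"
    umask "$old_umask"
}

# Check what bioctl(8) -p expects: a regular file, mode 0600, owned by the
# given uid (default 0, root), holding one 256-character line.
check_keyfile() {  # check_keyfile FILE [OWNER_UID]
    f=$1; want_uid=${2:-0}
    [ -f "$f" ] || return 1
    set -- $(ls -ln "$f")                 # $1 = mode, $3 = numeric owner
    [ "$(printf '%s' "$1" | cut -c1-10)" = "-rw-------" ] || return 1
    [ "$3" = "$want_uid" ] || return 1
    [ "$(wc -c < "$f" | tr -d ' ')" -eq 257 ]   # 256 chars + newline
}

# Pull the DUID out of disklabel(8) output on stdin (the post's awk).
extract_duid() {
    awk '$1 == "duid:" { print $2 }'
}

# Build the fstab(5) line; noauto because rc.local mounts it after bioctl.
fstab_entry() {    # fstab_entry DUID PARTITION MOUNTPOINT
    printf '%s.%s %s ffs rw,noauto,nodev,nosuid 0 0\n' "$1" "$2" "$3"
}

# Pass only if MOUNTPOINT's device field is a DUID (16 hex digits plus a
# partition letter), not an sdN name that can change when drives re-enumerate.
fstab_uses_duid() {  # fstab_uses_duid MOUNTPOINT FSTAB_FILE
    awk -v mp="$1" '$2 == mp { print $1 }' "$2" |
        grep -Eq '^[0-9a-f]{16}\.[a-p]$'
}

# Constructed sample of "disklabel sd3" output (not captured from a system).
SAMPLE_DISKLABEL='# /dev/rsd3c:
type: SCSI
label: SR CRYPTO
duid: c001ba1dc0dedad5'

# Stand-alone run: print the fstab line the post's DUID would produce.
fstab_entry "$(printf '%s\n' "$SAMPLE_DISKLABEL" | extract_duid)" a /mnt/data
```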
You can back up the $KEYFILE file by copying it to a USB drive, sending it to a remote machine, or using whatever backup methods you're currently using. Just ensure that you keep it secure. Otherwise, if your main/root drive goes down, you'll lose access to the second drive, too.