Installing OpenBSD with FDE on DigitalOcean

DigitalOcean doesn’t provide OpenBSD images, but they do provide images for FreeBSD. Here’s how to transform a FreeBSD droplet into an OpenBSD droplet with full disk encryption:

1. Boot a FreeBSD droplet.

2. Write the OpenBSD install file system onto disk:

   # fetch http://ftp.hostserver.de/pub/OpenBSD/5.8/amd64/miniroot58.fs
   # swapoff /dev/gpt/swapfs
   # sysctl kern.geom.debugflags=0x10
   # dd if=miniroot58.fs of=/dev/vtbd0 bs=512k
   

   (via tubsta.com)

3. Reboot the droplet, access the console, and press S to get into a shell.

4. Initialize a fresh MBR:

   # fdisk -iy sd0
   

5. Open the disk label editor:

   # disklabel -E sd0
   Disk type: SCSI
   

6. Set the boundary to cover the whole disk:

   > b
   Starting Sector: 0
   Size: *
   

7. Remove all labels:

   > z
   

8. Create label for swap:

   > a b
   offset: 0
   size: 1G
   type: swap
   

9. Create label for the encrypted softraid:

   > a a
   offset: 
   size: *
   type: RAID
   

10. Write the labels and quit the editor:

    > w
    > q
    

11. Create softraid with crypto mode:

    # bioctl -c C -l /dev/sd0a softraid0
    

12. Exit the shell and perform a regular OpenBSD installation on disk sd1. Don’t create a disk label for swap (we already have one).

13. Configure swap by first getting the DUID of sd0 and appending the line for swap to /etc/fstab:

    # disklabel sd0 | grep duid:
    duid: 6ea7d99b047d71ee
    # echo 6ea7d99b047d71ee.b none swap sw 0 0 >> /mnt/etc/fstab
    

14. Reboot into your new OpenBSD installation:

    # reboot
    

You’re now running OpenBSD on a DigitalOcean droplet.