Installing OpenBSD with Full Disk Encryption on DigitalOcean

DigitalOcean doesn’t provide OpenBSD images, but they do provide images for FreeBSD. Here’s how to transform a FreeBSD droplet into an OpenBSD droplet with full disk encryption:

  1. Boot a FreeBSD droplet.

  2. Write the OpenBSD install file system onto disk:

    # fetch http://ftp.hostserver.de/pub/OpenBSD/5.8/amd64/miniroot58.fs
    # swapoff /dev/gpt/swapfs
    # sysctl kern.geom.debugflags=0x10
    # dd if=miniroot58.fs of=/dev/vtbd0 bs=512k
    

    (via tubsta.com)

  3. Reboot the droplet, access the console, and press S to get into a shell.

  4. Initialize a fresh MBR:

    # fdisk -iy sd0
    
  5. Open the disk label editor:

    # disklabel -E sd0
    Disk type: SCSI
    
  6. Set the boundary to cover the whole disk:

    > b
    Starting Sector: 0
    Size: *
    
  7. Remove all labels:

    > z
    
  8. Create a label for swap:

    > a b
    offset: 0
    size: 1G
    type: swap
    
  9. Create a label for the encrypted softraid:

    > a a
    offset: 
    size: *
    type: RAID
    
  10. Write the labels and quit the editor:

    > w
    > q
    
  11. Create the softraid volume in crypto mode:

    # bioctl -c C -l /dev/sd0a softraid0
    
  12. Exit the shell and perform a regular OpenBSD installation on disk sd1, the decrypted softraid volume that bioctl attached in the previous step. Don’t create a disk label for swap (we already have one on sd0).

  13. Configure swap: get the DUID of sd0, then append the swap line to the new system’s /etc/fstab, which is still mounted under /mnt (substitute your own DUID for the one shown):

    # disklabel sd0 | grep duid:
    duid: 6ea7d99b047d71ee
    # echo 6ea7d99b047d71ee.b none swap sw 0 0 >> /mnt/etc/fstab
    
  14. Reboot into your new OpenBSD installation:

    # reboot
    

You’re now running OpenBSD on a DigitalOcean droplet.
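
Step 2 fetches the image over plain HTTP and writes it straight to disk, so nothing confirms that the bytes are the ones OpenBSD published. The following is an added example, not part of the original post: a POSIX sh check of the image against the release's BSD-style `SHA256` manifest. It assumes you obtained that manifest from a source you trust, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: verify an install image against a BSD-style SHA256
# manifest before writing it to disk. Function names are hypothetical.

# Print the SHA-256 of file $1 as lowercase hex, with whichever tool exists.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                          # FreeBSD / OpenBSD
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'       # GNU coreutils
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        return 2
    fi
}

# Print the digest that manifest $2 records for file name $1.
# Manifest lines look like: SHA256 (miniroot58.fs) = <64 hex digits>
manifest_sha256() {
    awk -v want="SHA256 ($1) = " '
        index($0, want) == 1 { print $NF; found = 1; exit }
        END { if (!found) exit 1 }' "$2"
}

# verify_image FILE MANIFEST
# Returns 0 on match, 1 on mismatch, 2 if the check could not be performed.
verify_image() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    name=$(basename "$1")
    expected=$(manifest_sha256 "$name" "$2") ||
        { echo "no manifest entry for $name" >&2; return 2; }
    # A truncated or malformed digest must not be treated as a match.
    case "$expected" in *[!0-9a-fA-F]*) return 2 ;; esac
    [ "${#expected}" -eq 64 ] || return 2
    expected=$(printf %s "$expected" | tr 'A-F' 'a-f')
    actual=$(file_sha256 "$1") ||
        { echo "no SHA-256 tool found" >&2; return 2; }
    if [ "$expected" = "$actual" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name, do not write it to disk" >&2
    return 1
}

# Usage on the FreeBSD droplet, before the dd in step 2:
#   verify_image miniroot58.fs SHA256 && dd if=miniroot58.fs of=/dev/vtbd0 bs=512k
```

A manifest fetched from the same HTTP mirror only catches corruption in transit. OpenBSD releases also ship `SHA256.sig`, which signify(1) can verify against the release public key.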