Title: Encrypt a USB flash drive on OpenBSD. Author: paco Date: 2019-08-24 Type: article This are some notes to encrypt a USB flash drive on OpenBSD, is taken from the [OpenBSD FAQ][1] just with a bit more explanation so I can remember what's all about. Of course, you should not trust anything I say here and check [bioctl(8)][2] man page and the already mentioned FAQ. On this example we assume the USB drive is `sd3`. All commands have to be executed by `root` (hence the `#`) or using `doas(1)`. The first time, to create the encrypted drive, it is recommended to write random data to the disk. # dd if=/dev/urandom of=/dev/rsd3c bs=1m Then partition the disk (`-i` reinitializes the partition table and `-y` answers yes to all prompts). # fdisk -iy sd3 After that create a partition of type `RAID` with `disklabel(8)`. This command is interactive, check the man page for that. Is quite easy. # disklabel -E sd3 Now you can create the encrypted volume. The parameter `-c` specifies the `RAID` level for our volume, `C` is a `CRYPTO` volume. `-l sd3` specifies the _chunk device_ to use. And `softraid0` is the `softraid(4)` device. # bioctl -c C -l sd3a softraid0 That will ask for password twice and it will respond with the new created device: softraid0: CRYPTO volume attached as sd4 We can "clear" the new device filling it with zeros, initialize the device and create a partition (`i` in this case, usually reserved to partitions outside the disklabel, like MS-DOS partitions). # dd if=/dev/zero of=/dev/rsd4c bs=1m count=1 # fdisk -iy sd4 # disklabel -E sd4 Create now the file system on the new partition and mount it: # newfs sd4i # mount /dev/sd4i /mnt/secretstuff To remove the device, unmount it and then detach the crypto device: # umount /mnt/secretstuff # bioctl -d sd4 In order to mount the device again, you have to attach it again with the same command you used to create the crypto device, and then mount it: # bioctl -c C -l sd3a softraid0 # mount /dev/sd4i /mnt/secretstuff Remember to unmount and detach before removing it. [1]: https://www.openbsd.org/faq/faq14.html#softraid [2]: https://man.openbsd.org/bioctl.8