how to properly rebuild or delete crypto softraid?
soko.tica
2017-12-13 18:43:16 UTC
I have successfully built an encrypted bootable usb according to the
instructions https://www.openbsd.org/faq/faq14.html#softraidFDE

After booting successfully several times, the device went to ddb after I
installed chrome without previously adding xfonts during the install.
Subsequent attempts to boot were unsuccessful.

I have erased partitions by disklabel and fdisk and tried to repeat the
installation process. However, the encrypted raid device appeared and I was
able to unlock it by the same passphrase, so I ceased the installation.

Is it possible to delete the crypto raid properly at this stage? Should I
try to rebuild it?

Any advice is appreciated.

Thanks in advance.
Stuart Henderson
2017-12-15 09:30:32 UTC
Post by soko.tica
I have successfully built an encrypted bootable usb according to the
instructions https://www.openbsd.org/faq/faq14.html#softraidFDE
After booting successfully several times, the device went to ddb after I
installed chrome without previously adding xfonts during the install.
Subsequent attempts to boot were unsuccessful.
I have erased partitions by disklabel and fdisk and tried to repeat the
installation process. However, the encrypted raid device appeared and I was
able to unlock it by the same passphrase, so I ceased the installation.
Is it possible to delete the crypto raid properly at this stage? Should I
try to rebuild it?
Any advice is appreciated.
Thanks in advance.
You can use dd to write zeroes over the start of the device to overwrite
the partition table and disklabel, I'm not sure how far you have to go
but would expect "dd if=/dev/zero of=/dev/rsdXc bs=1m count=8" to do
the trick (with the correct disk number here ^ obviously).

No idea why it would have gone to ddb, your report is very lacking in
information!
soko.tica
2017-12-19 16:21:53 UTC
Thank you for your input and sorry about the delay.

I realize now that my question was poorly documented and promise that I
will produce a ddb report next time if a crash occurs.

Meanwhile, I have managed to safely remove the encrypted partition with
"doas bioctl -d sdX". That was all I was trying to achieve at this
point.

I believe the FAQ https://www.openbsd.org/faq/faq14.html#softraid would benefit
if such an explicit line about properly removing/destroying
encrypted/"ordinary" RAID is added to it.

Many thanks, again
t***@openmailbox.org
2017-12-16 04:00:37 UTC
Post by Stuart Henderson
You can use dd to write zeroes over the start of the device to overwrite
the partition table and disklabel, I'm not sure how far you have to go
but would expect "dd if=/dev/zero of=/dev/rsdXc bs=1m count=8" to do
the trick (with the correct disk number here ^ obviously).
..

Hi,

In the past I thought the principle was that you wipe the disklabel by overwriting the first megabyte (bs=1m count=1).

What is the safe practice really, 1MB or 8MB?

Tinker
Stuart Henderson
2017-12-16 15:23:50 UTC
Post by t***@openmailbox.org
Post by Stuart Henderson
You can use dd to write zeroes over the start of the device to overwrite
the partition table and disklabel, I'm not sure how far you have to go
but would expect "dd if=/dev/zero of=/dev/rsdXc bs=1m count=8" to do
the trick (with the correct disk number here ^ obviously).
..
Hi,
In the past I thought the principle was that you wipe the disklabel by overwriting the first megabyte (bs=1m count=1).
What is the safe practice really, 1MB or 8MB?
Tinker
I'd rather err on the side of wiping too much when I'm clearing out
the old partition table and disklabel, it doesn't take much longer.
When I'm partitioning SSDs I usually align to 2048 sectors anyway
in an attempt to align to flash erase blocks, so just wiping the
first 1MB wouldn't be enough in that case.
Nick Holland
2017-12-16 17:06:42 UTC
Post by Stuart Henderson
Post by t***@openmailbox.org
Post by Stuart Henderson
You can use dd to write zeroes over the start of the device to overwrite
the partition table and disklabel, I'm not sure how far you have to go
but would expect "dd if=/dev/zero of=/dev/rsdXc bs=1m count=8" to do
the trick (with the correct disk number here ^ obviously).
..
Hi,
In the past I thought the principle was that you wipe the disklabel by overwriting the first megabyte (bs=1m count=1).
What is the safe practice really, 1MB or 8MB?
Tinker
I'd rather err on the side of wiping too much when I'm clearing out
the old partition table and disklabel, it doesn't take much longer.
When I'm partitioning SSDs I usually align to 2048 sectors anyway
in an attempt to align to flash erase blocks, so just wiping the
first 1MB wouldn't be enough in that case.
yeah. You are thinking too hard about this...(and possibly, about the
wrong things).
Personally, I leave off the bs=1m count=x and hit enter, and in the
period of time it would take me to type "bs=1m count=x" accurately, I
hit CTRL-C. More than enough will have been cleared. Obviously, that's
not a scriptable answer. :)

More critical is WHAT you zero.

The point is to hit the softraid metadata. It's very possible to zero
the start of a drive and MISS the softraid metadata if the softraid
partition is not at the beginning of the disk.

Let's say you want to encrypt the /home partition, but have the system
free boot so something/someone can log in and unlock the /home
partition. So let's say the /home partition is 10G into the disk. You
zero the start of the drive, but not 10G in. Now, you rebuild the
system and partition it exactly as before. Hello! There's your
softraid metadata coming back from the deleted.

So ... rather than zeroing the drive (rsdXc), I'd recommend zeroing the
RAID PARTITION(s) after laying them out in disklabel, before trying to
use bioctl to assemble them. So ... if sd0m is your softraid partition,
zero out the first MB (plus or minus a lot) of /dev/rsd0m. IF you are
using the entire disk for your softraid partitions, then Stuart's c
partition clear is functionally the same, but if you are using just part
of the disk, really...zero that partition.

Nick.
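
The failure mode Nick describes, as an added example that is not part of the thread: a scratch file stands in for the disk and a marker string stands in for the softraid metadata, so the two wipes can be compared without touching a real device. The marker, the image size and the function names are assumptions made for the demo; placing the marker exactly at the partition start is a simplification.

```shell
#!/bin/sh
# Constructed demo: a 16 MB file stands in for the disk and a marker string
# stands in for the softraid metadata near the start of the RAID partition.
# On a real system the targets would be /dev/rsdXc (whole disk) versus the
# softraid partition itself, e.g. /dev/rsd0m as in the post above.
MB=1048576
MARKER='FAKE-SOFTRAID-METADATA'   # hypothetical stand-in, not the real format

# make_disk IMAGE PART_OFFSET_MB: blank image with the marker at the partition start
make_disk() {
    dd if=/dev/zero of="$1" bs="$MB" count=16 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs="$MB" seek="$2" conv=notrunc 2>/dev/null
}

# zero_mb IMAGE OFFSET_MB COUNT_MB: zero COUNT_MB megabytes starting at OFFSET_MB
zero_mb() {
    dd if=/dev/zero of="$1" bs="$MB" seek="$2" count="$3" conv=notrunc 2>/dev/null
}

# metadata_state IMAGE: prints "present" if the marker survives, else "gone"
metadata_state() {
    # Strip NUL bytes first so grep only sees whatever non-zero data is left.
    if LC_ALL=C tr -d '\000' < "$1" | grep -q -F "$MARKER"; then
        echo present
    else
        echo gone
    fi
}

# run_demo PART_OFFSET_MB: state after an 8 MB wipe from the start of the disk,
# then after a 1 MB wipe at the start of the partition
run_demo() {
    img=$(mktemp) || return 1
    make_disk "$img" "$1"
    zero_mb "$img" 0 8            # the "count=8" wipe of the whole-disk device
    after_disk=$(metadata_state "$img")
    zero_mb "$img" "$1" 1         # first MB of the RAID partition itself
    after_part=$(metadata_state "$img")
    rm -f "$img"
    echo "disk-start:$after_disk partition-start:$after_part"
}

run_demo 10   # partition 10 MB in: the disk-start wipe misses the metadata
run_demo 0    # partition at the start of the disk: the two wipes are equivalent
```
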