Re: Upgrade to 5.9 full disk encryption

[Predrag Punosevac]

Ted Roby wrote:

> Do any of you find that when dealing with sd1 and greater in bsd.rd
> you must explicitly create these devices?

That step was not needed with the upgrade procedure I described in that
"drunken mathematician" e-mail. I have a working laptop to show for.

Best,
Predrag

Re: Upgrade to 5.9 full disk encryption

[Stuart Henderson]

On 2016-04-18, Erling Westenvik  wrote:
> On Mon, Apr 18, 2016 at 12:36:34PM -0700, Ted Roby wrote:
>> Do any of you find that when dealing with sd1 and greater in bsd.rd you
>> must explicitly create these devices?
>
> Yes. This behaviour is mentioned in FAQ 14 (14.10.1 - Installing to a
> mirror) which states:
>
> "The install kernel only has the /dev entries for one wd(4) device and
> one sd(4) device on boot, so you will need to manually create more disk
> devices if your desired softraid setup requires them. This process is
> normally done automatically by the installer, but you haven't yet run
> the installer, and you will be adding a disk that didn't exist at boot."
>
> Have a look at:
>
> http://www.openbsd.org/faq/faq14.html#softraidDI

Yes, but the faq doesn't talk about the need for this for upgrades (only
install), nor in the section about FDE. And it's not obvious that you have
to 'create' the device again for upgrades, nor that this is not destructive.

Re: Upgrade to 5.9 full disk encryption

[Erling Westenvik]

On Mon, Apr 18, 2016 at 12:36:34PM -0700, Ted Roby wrote:
> Do any of you find that when dealing with sd1 and greater in bsd.rd you
> must explicitly create these devices?

Yes. This behaviour is mentioned in FAQ 14 (14.10.1 - Installing to a
mirror) which states:

"The install kernel only has the /dev entries for one wd(4) device and
one sd(4) device on boot, so you will need to manually create more disk
devices if your desired softraid setup requires them. This process is
normally done automatically by the installer, but you haven't yet run
the installer, and you will be adding a disk that didn't exist at boot."

Have a look at:

http://www.openbsd.org/faq/faq14.html#softraidDI

Regards,

Erling

> I've been following this habit for years, and did not see anyone offer the
> advice in this thread.
> 
> Basically:
> 
> cd /dev
> sh MAKEDEV sd1
> 
> 
> 
> On Sun, Apr 17, 2016 at 2:04 PM, Sean Howard  wrote:
> 
> >  J o ‎l
> >
> > Sent from my Phone.
> >   Original Message
> > From: Predrag Punosevap
> > ‎
> > Sent: Sunday, April 17, 2016 09:11
> > To: erling.westen...@gmail.com
> > Cc: misc@openbsd.org
> > Subject: Re: Upgrade to 5.m. J9 full disk encryption
> >
> > Erling Westenvik  wrote:
> > Tn. I‎
> > > On Sat, Apr 16, 2016 at 11:02:36PM -0400, Predrag Punosevac wrote:
> > > > Bryan Everly wrote:
> > > > >
> > > > > Boot the installer. Exit to the shell. Then do:
> > > > >
> > > > > bioctl -c C -l /dev/sd0a softraid0
> > > > >
> > > >
> > > > Unless I did something really stupid I would swear that I upgraded
> > fully
> > > > encrypted laptop running 5.8 to 5.9 easier.
> > > >
> > > > I downloaded bsd.rd for 5.9 and put into /. Then I rebooted the laptop.
> > > > When prompted for boot password and entered it. Then I booted from
> > > > bsd.rd and chose the upgrade option. When upgrade manager asked me what
> > > > is the installation disk I pointed it to the crypto disk. In my case
> > > > physical device is
> > > >
> > > > /dev/sd0
> > > >
> > > > and crypto device is /dev/sd1
> > > >
> > > > No softraid passwords were needed.
> > >
> > > Actually it was but you referred to it as "boot password" above,
> > > something which may sound confusing to new users. The correct term would
> > > be "passphrase". There is no such thing as a "boot password" unless one
> > > refers to the machine's BIOS password.
> > >
> > > After downloading a ramdisk (bsd.rd) kernel and after rebooting, I prefer
> > > to exit to the boot(8) prompt when it asks for the passphrase:
> > >
> > > Using drive 0, partition 3.
> > > Loading.
> > > probing: pc0 apm pci mem[639K 254M a20=on]
> > > disk: hd0+ sr0*
> > > >> OpenBSD/i386 BOOT 3.21
> > > Passphrase: 
> > > ^^
> > > Then I enter:
> > >
> > > boot> boot sr0a:/bsd.rd
> > > ^
> > > And the passphrase:
> > >
> > > Passphrase: 
> > > 
> > > I easily get distracted and this way I make sure that the system doesn't
> > > start with the old system (bsd) kernel in case I miss the five second
> > > delay offered by boot(8). Having to wait for a system to finish booting
> > > just so you can log in and reboot again, can be an annoying waste of
> > > time.. :-)
> > >
> > > Regards,
> > >
> > > Erling
> >
> > Hi Erling,
> >
> > Thanks for posting. I was very tired when I sent the original message
> > and reading it over this morning I sounded like a drunken mathematician.
> > Of course one has to enter the passphrase. The only step I avoided
> > comparing to the original post was dropping into the shell before
> > starting the upgrade process. For the people who might be reading these
> > posts I was explicitly to state that I don't use a password to protect
> > my BIOS.
> >
> > Predrag
> >
> >
> > >
> > > > After upgrade was finished I booted
> > > > into 5.9 and did usual sysmerge, cleaning files and upgrading packages.
> > > >
> > > > Best,
> > > > Predrag
> >
> > [demime 1.01d removed an attachment of type image/png]
> >
> > [demime 1.01d removed an attachment of type application/octet-stream]
> >
> > [demime 1.01d removed an attachment of type application/octet-stream]

Re: Upgrade to 5.9 full disk encryption

[Ted Roby]

Do any of you find that when dealing with sd1 and greater in bsd.rd you
must explicitly create these devices?

I've been following this habit for years, and did not see anyone offer the
advice in this thread.

Basically:

cd /dev
sh MAKEDEV sd1



On Sun, Apr 17, 2016 at 2:04 PM, Sean Howard  wrote:

>  J o ‎l
>
> Sent from my Phone.
>   Original Message
> From: Predrag Punosevap
> ‎
> Sent: Sunday, April 17, 2016 09:11
> To: erling.westen...@gmail.com
> Cc: misc@openbsd.org
> Subject: Re: Upgrade to 5.m. J9 full disk encryption
>
> Erling Westenvik  wrote:
> Tn. I‎
> > On Sat, Apr 16, 2016 at 11:02:36PM -0400, Predrag Punosevac wrote:
> > > Bryan Everly wrote:
> > > >
> > > > Boot the installer. Exit to the shell. Then do:
> > > >
> > > > bioctl -c C -l /dev/sd0a softraid0
> > > >
> > >
> > > Unless I did something really stupid I would swear that I upgraded
> fully
> > > encrypted laptop running 5.8 to 5.9 easier.
> > >
> > > I downloaded bsd.rd for 5.9 and put into /. Then I rebooted the laptop.
> > > When prompted for boot password and entered it. Then I booted from
> > > bsd.rd and chose the upgrade option. When upgrade manager asked me what
> > > is the installation disk I pointed it to the crypto disk. In my case
> > > physical device is
> > >
> > > /dev/sd0
> > >
> > > and crypto device is /dev/sd1
> > >
> > > No softraid passwords were needed.
> >
> > Actually it was but you referred to it as "boot password" above,
> > something which may sound confusing to new users. The correct term would
> > be "passphrase". There is no such thing as a "boot password" unless one
> > refers to the machine's BIOS password.
> >
> > After downloading a ramdisk (bsd.rd) kernel and after rebooting, I prefer
> > to exit to the boot(8) prompt when it asks for the passphrase:
> >
> > Using drive 0, partition 3.
> > Loading.
> > probing: pc0 apm pci mem[639K 254M a20=on]
> > disk: hd0+ sr0*
> > >> OpenBSD/i386 BOOT 3.21
> > Passphrase: 
> > ^^
> > Then I enter:
> >
> > boot> boot sr0a:/bsd.rd
> > ^
> > And the passphrase:
> >
> > Passphrase: 
> > 
> > I easily get distracted and this way I make sure that the system doesn't
> > start with the old system (bsd) kernel in case I miss the five second
> > delay offered by boot(8). Having to wait for a system to finish booting
> > just so you can log in and reboot again, can be an annoying waste of
> > time.. :-)
> >
> > Regards,
> >
> > Erling
>
> Hi Erling,
>
> Thanks for posting. I was very tired when I sent the original message
> and reading it over this morning I sounded like a drunken mathematician.
> Of course one has to enter the passphrase. The only step I avoided
> comparing to the original post was dropping into the shell before
> starting the upgrade process. For the people who might be reading these
> posts I was explicitly to state that I don't use a password to protect
> my BIOS.
>
> Predrag
>
>
> >
> > > After upgrade was finished I booted
> > > into 5.9 and did usual sysmerge, cleaning files and upgrading packages.
> > >
> > > Best,
> > > Predrag
>
> [demime 1.01d removed an attachment of type image/png]
>
> [demime 1.01d removed an attachment of type application/octet-stream]
>
> [demime 1.01d removed an attachment of type application/octet-stream]

Re: Upgrade to 5.9 full disk encryption

[Sean Howard]

 J o ‎l

Sent from my Phone.
  Original Message  
From: Predrag Punosevap
‎
Sent: Sunday, April 17, 2016 09:11
To: erling.westen...@gmail.com
Cc: misc@openbsd.org
Subject: Re: Upgrade to 5.m. J9 full disk encryption

Erling Westenvik  wrote:
Tn. I‎
> On Sat, Apr 16, 2016 at 11:02:36PM -0400, Predrag Punosevac wrote:
> > Bryan Everly wrote:
> > >
> > > Boot the installer. Exit to the shell. Then do:
> > >
> > > bioctl -c C -l /dev/sd0a softraid0
> > >
> >
> > Unless I did something really stupid I would swear that I upgraded fully
> > encrypted laptop running 5.8 to 5.9 easier.
> >
> > I downloaded bsd.rd for 5.9 and put into /. Then I rebooted the laptop.
> > When prompted for boot password and entered it. Then I booted from
> > bsd.rd and chose the upgrade option. When upgrade manager asked me what
> > is the installation disk I pointed it to the crypto disk. In my case
> > physical device is
> >
> > /dev/sd0
> >
> > and crypto device is /dev/sd1
> >
> > No softraid passwords were needed.
>
> Actually it was but you referred to it as "boot password" above,
> something which may sound confusing to new users. The correct term would
> be "passphrase". There is no such thing as a "boot password" unless one
> refers to the machine's BIOS password.
>
> After downloading a ramdisk (bsd.rd) kernel and after rebooting, I prefer
> to exit to the boot(8) prompt when it asks for the passphrase:
>
> Using drive 0, partition 3.
> Loading.
> probing: pc0 apm pci mem[639K 254M a20=on]
> disk: hd0+ sr0*
> >> OpenBSD/i386 BOOT 3.21
> Passphrase: 
> ^^
> Then I enter:
>
> boot> boot sr0a:/bsd.rd
> ^
> And the passphrase:
>
> Passphrase: 
> 
> I easily get distracted and this way I make sure that the system doesn't
> start with the old system (bsd) kernel in case I miss the five second
> delay offered by boot(8). Having to wait for a system to finish booting
> just so you can log in and reboot again, can be an annoying waste of
> time.. :-)
>
> Regards,
>
> Erling

Hi Erling,

Thanks for posting. I was very tired when I sent the original message
and reading it over this morning I sounded like a drunken mathematician.
Of course one has to enter the passphrase. The only step I avoided
comparing to the original post was dropping into the shell before
starting the upgrade process. For the people who might be reading these
posts I was explicitly to state that I don't use a password to protect
my BIOS.

Predrag


>
> > After upgrade was finished I booted
> > into 5.9 and did usual sysmerge, cleaning files and upgrading packages.
> >
> > Best,
> > Predrag

[demime 1.01d removed an attachment of type image/png]

[demime 1.01d removed an attachment of type application/octet-stream]

[demime 1.01d removed an attachment of type application/octet-stream]

Re: Upgrade to 5.9 full disk encryption

[Predrag Punosevac]

Erling Westenvik  wrote:

> On Sat, Apr 16, 2016 at 11:02:36PM -0400, Predrag Punosevac wrote:
> > Bryan Everly wrote:
> > > 
> > > Boot the installer. Exit to the shell. Then do:
> > > 
> > > bioctl -c C -l /dev/sd0a softraid0
> > >
> > 
> > Unless I did something really stupid I would swear that I upgraded fully
> > encrypted laptop running 5.8 to 5.9 easier. 
> > 
> > I downloaded bsd.rd for 5.9 and put into /. Then I rebooted the laptop.
> > When prompted for boot password and entered it. Then I booted from
> > bsd.rd and chose the upgrade option. When upgrade manager asked me what
> > is the installation disk I pointed it to the crypto disk. In my case
> > physical device is
> > 
> > /dev/sd0
> > 
> > and crypto device is /dev/sd1
> > 
> > No softraid passwords were needed.
> 
> Actually it was but you referred to it as "boot password" above,
> something which may sound confusing to new users. The correct term would
> be "passphrase". There is no such thing as a "boot password" unless one
> refers to the machine's BIOS password.
> 
> After downloading a ramdisk (bsd.rd) kernel and after rebooting, I prefer
> to exit to the boot(8) prompt when it asks for the passphrase:
> 
> Using drive 0, partition 3.
> Loading.
> probing: pc0 apm pci mem[639K 254M a20=on]
> disk: hd0+ sr0*
> >> OpenBSD/i386 BOOT 3.21
> Passphrase: 
> ^^
> Then I enter:
> 
> boot> boot sr0a:/bsd.rd
>   ^
> And the passphrase:
> 
> Passphrase: 
> 
> I easily get distracted and this way I make sure that the system doesn't
> start with the old system (bsd) kernel in case I miss the five second
> delay offered by boot(8). Having to wait for a system to finish booting
> just so you can log in and reboot again, can be an annoying waste of
> time.. :-)
> 
> Regards,
> 
> Erling

Hi Erling,

Thanks for posting. I was very tired when I sent the original message
and reading it over this morning I sounded like a drunken mathematician.
Of course one has to enter the passphrase. The only step I avoided
comparing to the original post was dropping into the shell before
starting the upgrade process. For the people who might be reading these
posts I was explicitly to state that I don't use a password to protect
my BIOS.

Predrag


> 
> >After upgrade was finished I booted
> > into 5.9 and did usual sysmerge, cleaning files and upgrading packages.
> > 
> > Best,
> > Predrag

Re: Upgrade to 5.9 full disk encryption

[Erling Westenvik]

On Sat, Apr 16, 2016 at 11:02:36PM -0400, Predrag Punosevac wrote:
> Bryan Everly wrote:
> > 
> > Boot the installer. Exit to the shell. Then do:
> > 
> > bioctl -c C -l /dev/sd0a softraid0
> >
> 
> Unless I did something really stupid I would swear that I upgraded fully
> encrypted laptop running 5.8 to 5.9 easier. 
> 
> I downloaded bsd.rd for 5.9 and put into /. Then I rebooted the laptop.
> When prompted for boot password and entered it. Then I booted from
> bsd.rd and chose the upgrade option. When upgrade manager asked me what
> is the installation disk I pointed it to the crypto disk. In my case
> physical device is
> 
> /dev/sd0
> 
> and crypto device is /dev/sd1
> 
> No softraid passwords were needed.

Actually it was but you referred to it as "boot password" above,
something which may sound confusing to new users. The correct term would
be "passphrase". There is no such thing as a "boot password" unless one
refers to the machine's BIOS password.

After downloading a ramdisk (bsd.rd) kernel and after rebooting, I prefer
to exit to the boot(8) prompt when it asks for the passphrase:

Using drive 0, partition 3.
Loading.
probing: pc0 apm pci mem[639K 254M a20=on]
disk: hd0+ sr0*
>> OpenBSD/i386 BOOT 3.21
Passphrase: 
^^
Then I enter:

boot> boot sr0a:/bsd.rd
  ^
And the passphrase:

Passphrase: 

I easily get distracted and this way I make sure that the system doesn't
start with the old system (bsd) kernel in case I miss the five second
delay offered by boot(8). Having to wait for a system to finish booting
just so you can log in and reboot again, can be an annoying waste of
time.. :-)

Regards,

Erling

>After upgrade was finished I booted
> into 5.9 and did usual sysmerge, cleaning files and upgrading packages.
> 
> Best,
> Predrag

Re: Upgrade to 5.9 full disk encryption

[Predrag Punosevac]

Bryan Everly wrote:
> 
> Boot the installer. Exit to the shell. Then do:
> 
> bioctl -c C -l /dev/sd0a softraid0
>

Unless I did something really stupid I would swear that I upgraded fully
encrypted laptop running 5.8 to 5.9 easier. 

I downloaded bsd.rd for 5.9 and put into /. Then I rebooted the laptop.
When prompted for boot password and entered it. Then I booted from
bsd.rd and chose the upgrade option. When upgrade manager asked me what
is the installation disk I pointed it to the crypto disk. In my case
physical device is

/dev/sd0

and crypto device is /dev/sd1

No softraid passwords were needed. After upgrade was finished I booted
into 5.9 and did usual sysmerge, cleaning files and upgrading packages.

Best,
Predrag

Re: Upgrade to 5.9 full disk encryption

[Jack J. Woehr]

Niels wrote:

As Bryan stated, bioctl will prompt for the (existing) passphrase and then
bring up the (existing) crypto volume.

I took the manual to mean that, but asked to confirm.

Bryan's answer was correct, we're all upgraded to 5.9, thanks all.

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan

Re: Upgrade to 5.9 full disk encryption

[Niels]

As Bryan stated, bioctl will prompt for the (existing) passphrase and then
bring up the (existing) crypto volume.

Once mounted, it will be a standard upgrade installation.
To clarify, bioctl should in this case NOT overwrite the existing encrypted
data.

As a beginner, I found bioctl’s -c and -d options (and its terminology of
“create”
and “delete”) a bit confusing and, yes, “a little scary” in this
regard.

FAQ 14.10.3 might be helpful to understand, as it puts it rather explicitly:

> note that the initial creation of the container and attaching the container
are done with the same bioctl(8) command

> The man page for this looks a little scary, as the -d command is described
as "deleting" the volume. In the case of crypto, however, it just deactivates
encrypted volume so it can't be accessed until it is activated again with the
passphrase.

http://www.openbsd.org/faq/faq14.html#softraidCrypto


> On 16 Apr 2016, at 00:36, Tim Hoddy  wrote:
>
> On 15 April 2016 23:04:45 BST, Bryan Everly 
wrote:
>> Boot the installer. Exit to the shell. Then do:
>>
>> bioctl -c C -l /dev/sd0a softraid0
>>
>> (Substitute for your actual device that is the softraid container).
>> You will be promoted for your password.
>>
>> Watch for the console message telling you what it mounted as. Then
>> type exit to return to the installer and upgrade that disk.
>>
>> Thanks,
>> Bryan
>>
>>> On Apr 15, 2016, at 5:56 PM, Jack J. Woehr  wrote:
>>>
>>> How does one upgrade a full-disk encrypted OpenBSD boot disk?
>
>
> The original question is not clear.
>
> Your instruction will involve an overwrite of a previous install and is,
therefore, not a "upgrade".

Re: Upgrade to 5.9 full disk encryption

[Bryan Everly]

Happy to help!  :)

Thanks,
Bryan

> On Apr 15, 2016, at 6:35 PM, Jack J. Woehr  wrote:
>
> Bryan Everly wrote:
>> Boot the installer. Exit to the shell. Then do:
>>
>> bioctl -c C -l /dev/sd0a softraid0
>>
>> (Substitute for your actual device that is the softraid container).
>> You will be promoted for your password.
>>
>> Watch for the console message telling you what it mounted as. Then
>> type exit to return to the installer and upgrade that disk.
>
> Works for me. Thanks, Bryan.
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl 
> Sagan

Re: Upgrade to 5.9 full disk encryption

[Tim Hoddy]

On 15 April 2016 23:04:45 BST, Bryan Everly  wrote:
>Boot the installer. Exit to the shell. Then do:
>
>bioctl -c C -l /dev/sd0a softraid0
>
>(Substitute for your actual device that is the softraid container).
>You will be promoted for your password.
>
>Watch for the console message telling you what it mounted as. Then
>type exit to return to the installer and upgrade that disk.
>
>Thanks,
>Bryan
>
>> On Apr 15, 2016, at 5:56 PM, Jack J. Woehr  wrote:
>>
>> How does one upgrade a full-disk encrypted OpenBSD boot disk?


The original question is not clear.

Your instruction will involve an overwrite of a previous install and is, 
therefore, not a "upgrade".

Re: Upgrade to 5.9 full disk encryption

[Jack J. Woehr]

Bryan Everly wrote:

Boot the installer. Exit to the shell. Then do:

bioctl -c C -l /dev/sd0a softraid0

(Substitute for your actual device that is the softraid container).
You will be promoted for your password.

Watch for the console message telling you what it mounted as. Then
type exit to return to the installer and upgrade that disk.




Works for me. Thanks, Bryan.

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan

Re: Upgrade to 5.9 full disk encryption

[Bryan Everly]

Boot the installer. Exit to the shell. Then do:

bioctl -c C -l /dev/sd0a softraid0

(Substitute for your actual device that is the softraid container).
You will be promoted for your password.

Watch for the console message telling you what it mounted as. Then
type exit to return to the installer and upgrade that disk.

Thanks,
Bryan

> On Apr 15, 2016, at 5:56 PM, Jack J. Woehr  wrote:
>
> How does one upgrade a full-disk encrypted OpenBSD boot disk?
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl 
> Sagan

Upgrade to 5.9 full disk encryption

[Jack J. Woehr]

How does one upgrade a full-disk encrypted OpenBSD boot disk?

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan