Tested on OpenBSD 6.3

Encrypt disk with bioctl(8) and CRYPTO

bioctl(8) is a RAID management interface with CRYPTO discipline for disk encryption.

Create an encrypted volume

Plug the drive in. Assuming it’s sd3.

DANGER! All data on sd3 will be erased.

# dd if=/dev/urandom of=/dev/rsd3c bs=1m
# fdisk -iy -g -b 960 sd3
# printf 'a a\\n\\n\\nRAID\\nw\\nq\\n'|disklabel -E sd3
# bioctl -c C -l sd3a softraid0
New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd4
# dd if=/dev/zero of=/dev/rsd4c bs=1m count=1
# fdisk -iy sd4
# printf 'a i\\n\\n\\n\\nw\\nq\\n'|disklabel -E sd4
# newfs sd4a
# mkdir /mnt/sd4a
# mount /dev/sd4a /mnt/sd4a
# ...
# umount /dev/sd4a
# bioctl -d sd4
#

It’s safe to unplug sd3 drive now.

Mount and umount

Plug the drive in.

# bioctl -c C -l sd3a softraid0
Passphrase:
softraid0: CRYPTO volume attached as sd4
# mkdir /mnt/sd4a
# mount /dev/sd4a /mnt/sd4a
...
# umount /dev/sd4a
# bioctl -d sd4
#

Check out my helpers mnt_crypto and umnt_crypto and how to use them:

# bin/mnt_crypto  'XXXXXXXXXXXXXXXX.x' 'YYYYYYYYYYYYYYYY.y'
# bin/umnt_crypto 'XXXXXXXXXXXXXXXX.x'

Where XXXXXXXXXXXXXXXX.x is DUID and partition of a CRYPTO volume and YYYYYYYYYYYYYYYY.y—of a physical device.

You can find DUIDs by running this:

# disklabel /dev/sd3a | grep -E 'duid|RAID'
duid: XXXXXXXXXXXXXXXX
  a:          7716864                 0    RAID
# disklabel /dev/sd4a | grep -E 'duid|BSD'
duid: YYYYYYYYYYYYYYYY
  i:          7716864                64    4.2BSD   4096 32768 26062
#

Check file system consistency

A drive was accidentally disconnected (before you could unmount it properly). That happens. Run fsck(8):

# bioctl -c C -l sd3a softraid0
softraid0: sd4 was not shutdown properly
Passphrase:
softraid0: sd4 was not shutdown properly
softraid0: CRYPTO volume attached as sd4
# fsck /dev/sd4a
** /dev/rsd4a
** Last Mounted on /mnt/sd4a
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
38996 files, 58177423 used, 62950830 free
(10766 frags, 7867508 blocks, 0.0% fragmentation)

MARK FILE SYSTEM CLEAN? [Fyn?] y

***** FILE SYSTEM WAS MODIFIED *****
#

Change the passphrase

# bioctl -P sd4
Old passphrase:
New passphrase:
Re-type passphrase:
#