Intro

After some effort, I got my Raspberry Pi 4 running OpenBSD 6.9 with full-disk encryption on a USB3 memory stick. I could find no one else online talking about this subject anywhere, except this mailing list thread. So, I thought I’d share my experience on how I got it working. I recommend you read the entire post before proceeding, so you have an idea of the process upfront.

Since OpenBSD 7.0 has been released, I haven’t yet updated these instructions to make sure they apply 100%, but I believe this process should succeed without modification.

Setup

Enable booting from USB

First we want to make sure your Pi 4 can boot from USB storage. Newer Pi 4 boards already ship with an EEPROM version recent enough to support USB boot, but boards shipped earlier will need an update. If your Pi can already boot from a USB stick you can skip this step! Otherwise, follow these steps:

  • Boot up the Pi from a microSD card with the latest Raspbian
  • Open up a terminal
  • sudo apt update
  • sudo apt full-upgrade
  • sudo rpi-eeprom-update
  • If it says an update is available, run these commands:
    • sudo rpi-eeprom-update -a
    • sudo reboot

You can find more details about rpi-eeprom-update in the Raspberry Pi documentation.

Set boot order

Then, set the Pi to boot from USB:

  • Run sudo raspi-config
  • Go to “Advanced Settings” then “Boot Order”
  • Set to boot from USB
  • Exit raspi-config.

Installation

Download the arm64 install69.img and write it to any USB stick. This will only be used for the installation process, so don’t worry about using a new/fast device.

Boot from this USB stick in a USB2 port. You can use a USB3 port if you think there will be room to fit your destination USB3 device, but mine was too large to fit both the install USB stick and the destination USB stick in the USB3 slots.

At the boot> prompt, enter set tty fb0, then boot. Setting tty to fb0 is important so you can actually see the console!

Once the OpenBSD installer has started, insert your destination USB stick/drive in a USB3 port.

Choose Shell and complete the FDE setup. I followed the process as described in the OpenBSD docs, “booting from MBR”, so I ran fdisk -iy sd1 … Because my USB3 destination media is the second drive, it’s sd1 (as opposed to the sd0 indicated in the documentation), so obviously I do everything on sd1 instead of sd0 … I did everything as the docs said, including writing /dev/urandom to /dev/rsd1c, and I used a passphrase instead of a keydisk, just to keep it simple. Once you’re done, run exit to leave the shell and return to the OpenBSD installer.
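The same preparation as an added script (not code from the original post or from the OpenBSD FAQ): it follows the MBR flow the post refers to, takes the destination disk name as a parameter, and refuses sd0 because in this setup that is the install stick. It prints the commands by default and only runs them with APPLY=1, which assumes you are root in the OpenBSD installer shell.

```sh
#!/bin/sh
# Added example: prepare a USB disk as an OpenBSD softraid CRYPTO volume
# (MBR variant). Dry-run by default; APPLY=1 executes the commands, which
# only makes sense as root in the OpenBSD installer shell.

# Echo or execute a command, depending on APPLY.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi
}

# Accept only a bare sdN name, and never sd0: in the post's setup sd0 is
# the install stick the Pi booted from.
check_disk() {
    case $1 in
        sd0) echo "check_disk: $1 is the install media here, refusing" >&2; return 1 ;;
        sd[1-9]|sd[1-9][0-9]) return 0 ;;
        *) echo "check_disk: expected a name like sd1, got '$1'" >&2; return 1 ;;
    esac
}

# Answer the disklabel -E prompts non-interactively: add partition 'a',
# default offset, full size ('*'), FS type RAID, write, quit.
label_disk() {
    printf 'a a\n\n*\nRAID\nw\nq\n' | run disklabel -E "$1"
}

prepare_fde() {
    disk=$1
    check_disk "$disk" || return 1
    # 1. fill the raw device with random data so used blocks are not visible
    run dd if=/dev/urandom of="/dev/r${disk}c" bs=1m
    # 2. MBR with a single OpenBSD partition
    run fdisk -iy "$disk"
    # 3. one RAID-type partition 'a' covering it
    label_disk "$disk"
    # 4. passphrase-protected CRYPTO volume; bioctl prompts for the
    #    passphrase and prints the new disk it attached (sd2 in the post),
    #    which is the disk the installer is then pointed at
    run bioctl -c C -l "${disk}a" softraid0
}

# usage: sh prepare_fde.sh sd1        (dry run)
#        APPLY=1 sh prepare_fde.sh sd1 (for real)
if [ -n "${1:-}" ]; then
    prepare_fde "$1"
fi
```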

Complete the OS installation. I just used the default partition table. I installed to /dev/sd2 (because that’s the new “decrypted” drive that appears).

Once OpenBSD installation is complete, shut down, and unplug all the USB drives.

Booting the newly-installed system

Now here’s the “interesting” part. Because the OS drive is encrypted, the Pi can’t boot directly from it! You will only get a black screen, and the “rainbow screen” never shows. The Pi needs a non-encrypted drive to read the OpenBSD bootloader (BOOTAA64) from, as the kernel unfortunately cannot be booted from the Pi4’s EEPROM-hosted bootloader (as explained by OpenBSD developer Bryan Steele).

I asked around a bit and some helpful people on the OpenBSD matrix channel shared enough knowledge & insight to elucidate a solution. Here’s one way to do it which works for me:

  • Write arm64 miniroot69.img to a microSD card. This microSD will stay in the Pi forever (as long as you want to use this OpenBSD install), so choose a small cheap one ;) You can use a USB stick, but I feel it would be a waste of one and it takes up one of your USB ports unnecessarily.
  • Before doing anything with the microSD card, we need to update the Boot Order. Boot the Pi from the Raspbian USB stick.
  • Run sudo raspi-config, “Advanced Options”, “Boot Order”, set MicroSD as boot priority
  • Insert the miniroot microSD card in the microSD slot, and the encrypted USB stick (or SSD) into a USB3 port.
  • Power it up!
  • At the boot> prompt, enter set tty fb0 and then set device sr0a (sr0a is your encrypted drive!). I’m not sure if this is different if you’re using a keydisk, however. (Please let me know if extra/different steps are needed for keydisk!)
  • Type boot and press enter (or I think you can just press enter without writing anything)
  • The bootloader should ask you for the softraid passphrase now. Once you enter it successfully, it will boot the bsd kernel from the encrypted drive.

OK… at this point, you will be waiting a long time. Booting the kernel from crypto softraid takes literally 18 minutes for me, it’s absolutely nuts. Maybe it will be faster on an SSD... but I think the Pi CPU struggles with AES encryption without some kernel driver? Maybe it’s possible to load a driver from the microSD before trying to load the OS kernel from the encrypted drive. Definitely something to investigate further…

Boot config

There’s one more step to make the experience better, though. No one wants to type set tty fb0 and set device sr0a every time, right? It took me a while to figure this out, but I realized: mount the microSD and add /etc/boot.conf to it! It doesn’t work when boot.conf is on the encrypted drive. It has to be on the actual initial boot device, the microSD. So, to do this:

Boot into your encrypted system with the above process (microSD + USB3 + manual boot-prompt commands)

Log in, open a shell, and enter the following commands:

$ su root
# mkdir /mnt/microsd
# mount /dev/sd0a /mnt/microsd
# mkdir /mnt/microsd/etc/
# vi /mnt/microsd/etc/boot.conf

Add these two lines into that file:

set tty fb0
set device sr0a

You can try rebooting to make sure it works, but... no real need to waste 18 minutes on that right now unless you want to be sure.

Conclusion

OK, I think that’s everything and you should now have a working OpenBSD install on your Pi 4 with full-disk encryption. If you are still struggling with this process, feel free to ping me – I may be able to help a bit. Though, knowing the 18-minute boot time, maybe FDE on the Pi 4 isn’t worth it. Still, a fun project and very cool to have this working.