>> I have attempted to upgrade from 7.5 to 7.6 on a VPS with encryption. As /usr
>> was too small (< 1G left), I chose to re-install and re-partition. I
>> downloaded bsd.rd, checked it, etc. and rebooted it.
>>
>> Following the install steps, I was not offered the choice to encrypt, only to
>> choose sd0 or sd1. With hindsight, I should probably have chosen sd1,
>> repartitioned and called it a day.
>>
>> What I did was try to follow the OpenBSD FAQ 14 for softraid + this guide:
>> https://www.tumfatig.net/2020/fde-on-openbsd.amsterdam-opinionated-vm
>>
>> I could not detach sd1 (bioctl -d sd1) with the following error: softraid0:
>> refusing to delete boot volume. So, I tried to erase the drive entirely,
>> thinking that since bsd.rd was in RAM, it would forget about the previous
>> volumes / partitions. It did not work: after using dd if=/dev/urandom
>> of=/dev/rsd0c bs=1m, using disklabel to create sd0a showed: disklabel:
>> DIOCWDINFO: Device busy when trying to write.
>>
>
> Yes, bsd.rd runs from RAM, but you loaded it by unlocking the encrypted drive
> that became sd1. The system boots, sd1 is seen by the OS, so it can't be
> casually deleted, as the kernel has already become aware of it. Because of
> that, you can't detach the drive (I think? I haven't tried this, but I
> recognize the rest of your problem :) )
>
> Your dd'ing trash over sd0 worked, but the disklabels are stored in RAM, so
> the system wouldn't know until you rebooted. (Personally, I'd suggest
> zeros over random data if you are just trying to free up the disk. OpenBSD
> won't have a problem, but I've seen lesser OSs freak out if the disk has
> magic bytes in magic places in the early part of the disk.)
>
> For what you are trying to do, after zeroing the drive, you needed to reboot
> using other media for bsd.rd (netboot, usb, CD, etc). Now you would have
> no partition tables on sd0, and thus, no sd1.
>
> For your goal -- repartitioning an established system, boot bsd.rd, then
> just delete and create partitions on sd1. No reason to delete sd1 itself,
> your encrypted drive was just fine, it was just the disklabel partitions
> within it you wanted to rework.
>

Thanks for the response, this makes sense and is very informative. I
initially wanted to re-create sd1 to specify a higher number of rounds, but
after testing, it is possible to use: bioctl -r 500 -P sd1 (for instance).
The only advantage of recreating sd1 would be to have a new master key (I
assume), which I didn't need.

The above solves the issue then (as long as bioctl -d sd1 refuses to detach the boot volume after booting bsd.rd) and so that would explain why the installer does not propose re-encryption.