Encrypted Filesystems
Revision as of 09:30, 24 October 2009
Introduction
You might be asking yourself what an encrypted filesystem is good for. There are many answers; a few might be storage of RSA private keys, password lists, tripwire checksums, Mafia bookkeeping, plans for world domination, or whatever you can think of! When the men in black suits come to get your private info, they will have a very difficult job. You will be using the following commands in this exercise: dd, df, gbde, mdconfig, and mount.
First, read the man pages for the above commands, and take a look at the "Encrypted Filesystem" example in the FreeBSD Handbook. This article is an extension of the example found in the handbook.
Configuration
Load GEOM_BDE support into the kernel. (Note: if you wish, you may instead compile GEOM_BDE support into the kernel statically by adding options GEOM_BDE to the kernel configuration and rebuilding it.)
masta# kldload geom_bde
If you chose to load the GEOM module dynamically instead of compiling it into the kernel, you will also want to make sure it is autoloaded at boot time from here on out (the single quotes keep the double quotes intact in /boot/loader.conf):
masta# echo 'geom_bde_load="YES"' >> /boot/loader.conf
Create two directories: one for the gbde lock files, and the other for a mount point.
masta# mkdir /private
masta# mkdir /etc/gbde
Create an empty image file of 1000 MB.
masta# touch /usr/local/cryptfs.img
masta# dd if=/dev/zero of=/usr/local/cryptfs.img bs=1024k count=1000
Create a virtual memory-disk device (md9) that points to the empty file.
masta# mdconfig -a -t vnode -u 9 -f /usr/local/cryptfs.img
Invoke the gbde program on the new virtual device. This asks for a passphrase twice, writes the lock file to /etc/gbde/md9, and opens an editor on the gbde parameters.
masta# gbde init /dev/md9 -i -L /etc/gbde/md9
In the editor, alter the "sector_size" line from 512 to 2048 and exit. In vi this can be done with the following command:
g/sector_size = 512/s//sector_size = 2048/g
NOTE: The /dev/md9.bde device node only appears after the device has been attached in the next step.
Invoke the gbde program to attach the encrypted device, using the lock file written by gbde init.
masta# gbde attach /dev/md9 -l /etc/gbde/md9
NOTE: You will be prompted for the passphrase.
Format the attached image with UFS2:
masta# newfs -U -O2 /dev/md9.bde
Now mount the md9.bde filesystem on the mount point we created earlier.
masta# mount /dev/md9.bde /private
Check to make sure everything worked; /private should appear in the output.
masta# df -h
NOTE: this article was reproduced and minorly reformatted from http://www.ezunix.org/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=67&page=1 and has not been tested for accuracy.
You can automatically attach encrypted devices at boot with two rc.conf variables (replace the placeholder with the name of your encrypted device):
gbde_autoattach_all="YES"
gbde_devices="encrypteddrivedevicename"
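The attach, mount and tear-down steps above, wrapped in a small POSIX sh script that checks for the lock file before attaching and backs out in reverse order when a step fails. This is an added example, not part of the original article or of FreeBSD; it assumes the article's layout (md unit 9, image /usr/local/cryptfs.img, lock file /etc/gbde/md9, mount point /private), and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original article). Defaults follow the
# article's layout; override IMG, UNIT, LOCKDIR or MNT in the environment.
IMG=${IMG:-/usr/local/cryptfs.img}
UNIT=${UNIT:-9}
LOCKDIR=${LOCKDIR:-/etc/gbde}
MNT=${MNT:-/private}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Lock file path that gbde init wrote for md unit $1 (article convention).
lockfile_for() {
    echo "$LOCKDIR/md$1"
}

# Bring the encrypted image up: md device -> gbde attach (prompts for the
# passphrase) -> mount. Each failure undoes the steps already taken.
cryptfs_attach() {
    lock=$(lockfile_for "$UNIT")
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -f "$lock" ]; then
        echo "missing lock file $lock; run gbde init first" >&2
        return 1
    fi
    run mdconfig -a -t vnode -u "$UNIT" -f "$IMG" || return 1
    run gbde attach "/dev/md$UNIT" -l "$lock" || {
        run mdconfig -d -u "$UNIT"; return 1; }
    run mount "/dev/md$UNIT.bde" "$MNT" || {
        run gbde detach "/dev/md$UNIT"; run mdconfig -d -u "$UNIT"; return 1; }
}

# Tear down in reverse order so no decrypted .bde node is left behind.
cryptfs_detach() {
    run umount "$MNT"
    run gbde detach "/dev/md$UNIT"
    run mdconfig -d -u "$UNIT"
}

# The two rc.conf lines from the article for device $1 (e.g. md9).
rcconf_lines() {
    printf 'gbde_autoattach_all="YES"\ngbde_devices="%s"\n' "$1"
}
```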