
Encrypted Filesystems

From FreeBSDwiki

Latest revision as of 04:40, 1 November 2015


Introduction

You might be asking yourself what an encrypted filesystem is good for. There are many answers, and a few might be storage of: RSA private keys, password lists, tripwire checksums, Mafia book keeping, plans for world domination, or whatever you can think of! When the men in black suits come to get your private info, they will have a very difficult job. You will be using the following commands in this exercise: dd, df, gbde, mdconfig, and mount.

First thing is to man the above commands, and take a look at the "Encrypted Filesystem" example in the FreeBSD Handbook. This is an extension of the example found in the handbook.

There are two programs used to encrypt file systems: gbde and geli.

Swap encryption through /etc/fstab

Swap encryption is useful to keep passwords and other confidential information out of view. To encrypt swap partitions the geli(8) program is useful. Open the file /etc/fstab and append .eli to the swap device name in the #Device column. For example:

#Device			Mountpoint		Fstype		Options		Dump		Pass#
/dev/ada0p1.eli		none			swap		sw		0		0

The above and a reboot are sufficient to encrypt swap.

The gbde program can also be used to encrypt swap space. It uses the .bde suffix in the /etc/fstab file. Please read its manpage for details, and read below.
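The fstab edit described above, as an added example that is not code from the FreeBSDwiki page or from FreeBSD itself: a POSIX sh script that appends the geli .eli suffix (or gbde's .bde) to every swap entry that lacks one, and audits an fstab for swap entries that are still unencrypted. The function names and the sample fstab are my own constructions.

```shell
#!/bin/sh
# Added example for the fstab swap-encryption step; not code from the
# FreeBSDwiki page or from FreeBSD itself. Rewrites the swap entries of an
# fstab so the device carries the geli ".eli" (or gbde ".bde") suffix, and
# audits an fstab for swap entries that still lack one.

# Constructed sample fstab for the demonstration (not from a real system).
SAMPLE_FSTAB='# Device        Mountpoint      FStype  Options Dump    Pass#
/dev/ada0p2     /               ufs     rw      1       1
/dev/ada0p1     none            swap    sw      0       0
/dev/ada1p1.eli none            swap    sw      0       0
proc            /proc           procfs  rw      0       0'

# encrypt_swap_entries [SUFFIX]: read fstab text on stdin, write it back with
# SUFFIX (default .eli) appended to the device of every "swap" entry that is
# not already suffixed. Comments, blank lines and non-swap entries pass
# through untouched, and the original column spacing is preserved.
encrypt_swap_entries() {
    suffix="${1:-.eli}"
    awk -v sfx="$suffix" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        $3 == "swap" && $1 !~ /\.(eli|bde)$/ {
            # Splice the suffix onto the first field in place.
            match($0, /[^[:space:]]+/)
            $0 = substr($0, 1, RSTART + RLENGTH - 1) sfx substr($0, RSTART + RLENGTH)
        }
        { print }
    '
}

# unencrypted_swap_entries: read fstab text on stdin, print the device of each
# swap entry with no .eli/.bde suffix. Exit status 0 means every swap entry is
# encrypted, 1 means at least one is not, so it can gate a boot-time check.
unencrypted_swap_entries() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $3 == "swap" && $1 !~ /\.(eli|bde)$/ { print $1; n++ }
        END { exit (n > 0) }
    '
}

# Typical use on a real system (as root; inspect the diff before replacing
# /etc/fstab):
#   encrypt_swap_entries .eli < /etc/fstab > /etc/fstab.new
#   diff -u /etc/fstab /etc/fstab.new
```

Running the audit function against the sample reports /dev/ada0p1 and exits non-zero; after the rewrite it reports nothing. The suffix check deliberately accepts both .eli and .bde so a mixed configuration is not double-suffixed.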

Configuration

Load GEOM_BDE support into the kernel. (Note: if you wish, you may also add GEOM_BDE support to the kernel statically and recompile it - use options GEOM_BDE.)

# kldload geom_bde

If you chose to use dynamic GEOM kernel support instead of recompiling it into the kernel, you may also want to make sure it's autoloaded at boot time from here on out:

# echo geom_bde_load="YES" >> /boot/loader.conf

Create two directories: one for the gbde lock files and one for the mount point.

# mkdir /private
# mkdir /etc/gbde

Create an empty image file of 1000 MB.

# touch /usr/local/cryptfs.img
# dd if=/dev/zero of=/usr/local/cryptfs.img bs=1024k count=1000

Create a virtual (memory-disk) device that points to the empty file.

# mdconfig -a -t vnode -u 9 -f /usr/local/cryptfs.img

Invoke the gbde program on the new virtual device. This will ask for a passphrase twice, and open an editor.

# gbde init /dev/md9 -i -L /etc/gbde/md9

In the editor, change the "sector_size" line from 512 to 2048, then save and exit. In vi, the following ex command makes that substitution:

g/sector_size = 512/s//sector_size = 2048/g

NOTE: You should have a /dev/md9.bde device-node.

Invoke the gbde program to attach the image file to the kernel.

# gbde attach /dev/md9 -l /etc/gbde/md9

NOTE: You will be prompted for the passphrase.

Format the attached image with UFS2:

# newfs -U -O2 /dev/md9.bde

Now mount the md9.bde filesystem to the mount-point we created earlier.

# mount /dev/md9.bde /private

Check to make sure everything worked.

# df -h
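The whole procedure above, from module load through mount, as an added script that is not from the FreeBSDwiki page or from FreeBSD itself. The parameters IMG, UNIT, SIZE_MB, MNT and LOCKDIR, the DRY_RUN switch and the create/attach/detach subcommands are my own choices; the commands inside are the page's steps, with the kldload guarded so a second run does not fail, a re-attach path for use after a reboot, and the teardown order (umount, gbde detach, mdconfig -d) that the page leaves out.

```shell
#!/bin/sh
# Added example (not from the FreeBSDwiki page or FreeBSD): the gbde image
# procedure as a script with a dry-run mode and a matching teardown.
# Assumed parameters (mine): IMG, UNIT, SIZE_MB, MNT, LOCKDIR, DRY_RUN.
set -eu

IMG="${IMG:-/usr/local/cryptfs.img}"
UNIT="${UNIT:-9}"
SIZE_MB="${SIZE_MB:-1000}"
MNT="${MNT:-/private}"
LOCKDIR="${LOCKDIR:-/etc/gbde}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Paths derived from the md unit number; keeping them in one place avoids a
# mismatch between the init, attach and mount steps.
md_dev()   { printf '/dev/md%s\n' "$UNIT"; }
bde_dev()  { printf '/dev/md%s.bde\n' "$UNIT"; }
lockfile() { printf '%s/md%s\n' "$LOCKDIR" "$UNIT"; }

# create_image: first-time setup. "gbde init" is interactive: it asks for the
# passphrase twice and opens the editor in which sector_size is changed.
create_image() {
    # Load geom_bde only if the g_bde class is not already in the kernel.
    command -v kldstat >/dev/null 2>&1 && kldstat -q -m g_bde || run kldload geom_bde
    run mkdir -p "$MNT" "$LOCKDIR"
    run dd if=/dev/zero of="$IMG" bs=1024k count="$SIZE_MB"
    run mdconfig -a -t vnode -u "$UNIT" -f "$IMG"
    run gbde init "$(md_dev)" -i -L "$(lockfile)"
    run gbde attach "$(md_dev)" -l "$(lockfile)"
    run newfs -U -O2 "$(bde_dev)"
    run mount "$(bde_dev)" "$MNT"
}

# attach_image: re-attach an existing image (e.g. after a reboot). No init
# and no newfs, which would destroy the data.
attach_image() {
    run mdconfig -a -t vnode -u "$UNIT" -f "$IMG"
    run gbde attach "$(md_dev)" -l "$(lockfile)"
    run mount "$(bde_dev)" "$MNT"
}

# detach_image: reverse of attach_image, so the key leaves the kernel and the
# backing file is no longer reachable through /dev/mdN.
detach_image() {
    run umount "$MNT"
    run gbde detach "$(md_dev)"
    run mdconfig -d -u "$UNIT"
}

main() {
    case "${1:-}" in
        create) create_image ;;
        attach) attach_image ;;
        detach) detach_image ;;
        *) printf 'usage: %s create|attach|detach\n' "$0" >&2; exit 2 ;;
    esac
}

# Dispatch only when a subcommand is given, so the functions can also be
# sourced into another script.
[ "$#" -gt 0 ] && main "$@"
```

Run `DRY_RUN=1 sh gbde-image.sh create` first to see the exact command list for the chosen unit and paths, then `sh gbde-image.sh create` as root. After a reboot, `attach` re-attaches the existing image with the lock file in /etc/gbde, and `detach` tears it down in the reverse order.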

You can automount encrypted partitions with two rc.conf variables:

gbde_autoattach_all="YES"
gbde_devices="encrypteddrivedevicename"

References

* This article was reproduced and minorly reformatted from http://www.ezunix.org/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=67&page=1 and has not been tested for accuracy.
* Information on updates to encrypt swap is based on Network Administration with FreeBSD7.