FreeBSD + Geli

[graudeejs]

Today i decided to try and set GELI for most of my system....
I would like to use it for entire disk, but my PC can't load from USB stick, so i will leave root unencrypted....

you can leave only boot, unencrypted, but i find, that in my situation, leaving root unencrypted is better, because if anything i can boot in single user mode without problem...

So as you know geli ain't supported by sysinstall
recently i broke some things on my box, and i wanted to reinstall bsd, so that's why

Step 0) preparing
backup your data to some safe place

what do you need?
1x PC
1x HDD
FreeBSD CD or already installed freebsd
patience

Step 1) Get FreeBSD on disk
note: if you got BSD on your disk already, then backup your data, and skip this step

I installed bare minimum base and kernel
my disk is detected as ad4
ad4s1a - / - 512M
ad4s1b - swap - about 512M
ad4s2d - /usr - 10G
ad4s2e - /var - 1G
ad4s2f - /tmp - 12G
ad4s2g - /home - about 5G
ad4s3d - /home/files - rest of disk


Step 2) Reboot in single user mode

Backup /usr and /var to other disk/slice (you will need backups later)

Code:

$ kldload geom_eli
$ mount -uo rw /
$ mount -a
$ cd /home/files
$ dump -0Lauf /home/files/usr.dump /usr
$ dump -0Lauf /home/files/var.dump /var
$ dump -0Lauf /home/files/root.dump /
$ cd /
$ umount /usr /var /tmp /home/files /home

now you may want to sanitarize your disk

Code:

$ dd if=/dev/random of=/dev/ad4s2 bs=1m

you can increase bs to speed things up (i use 16m or 8m, as my disk has 16m buffer)

Code:

$ echo > /label
$ bsdlabel -R /dev/ad4s2 /label

this will clear bsdlabels from ad4s2, this means that you no longer will see
/dev/ad4s2d, /dev/ad4s2e, /dev/ad4s2f, /dev/ad4s2g
Q: Why you'd like to do that?
A: Because we are going to encrypt entire slice /dev/ad4s2



Step 3) Initialize GELI
for this one i won't use keyfile, only password

Code:

$ geli init -b -s 4096 /dev/ad4s2
Enter password 2x
$ geli attach /dev/ad4s2
Enter passwod

-b means that password should be asked during boot, so that file systems can be mounted when computer starts
This is important thing, so don't forget to type it

Step 4) Ugly mess with bsdlabel
you won't probably have editor available
that's why i had t use this very UGLY mess

Code:

$ bsdlabel -w /dev/ad4s2.eli
$ bsdlabel -A /dev/ad4s2.eli > label
$ geli detach /dev/ad4s2.eli

and now repeat step 3 one time, and go straight to step 5 (skip step 4)
This is necessary to know what values to enter for bsdlabel
and you need to repeat step 3, because otherwise you will get warning otherwise
yes, it sux

Step 5) Edit bsdlabel

Code:

$ cat /label

you should see something like this:

Code:

# /dev/ad4s2.eli:
2 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:  7600751        2    unused        0     0
  c:  7600753        0    unused        0     0         # "raw" part, don't edit

echo line that starts with c:

Code:

$ echo 'c: 7600753 0 unused 0 0' > /label
$ echo 'd: 10G * 4.2BSD' >> /label
$ echo 'e: 1G * 4.2BSD' >> /label
$ echo 'f: 12G * 4.2BSD' >> /label
$ echo 'g: * * 4.2BSD' >> /label
$ bsdlabel -R /dev/ad4s2 /label

This will make partition for /tmp (10G), /var (1G), /tmp (12G), /home (rest)

Step 6) newfs and mount

Code:

$ newfs -U /dev/ad4s2.elid
$ newfs -U /dev/ad4s2.elie
$ newfs -U /dev/ad4s2.elif
$ newfs -U /dev/ad4s2.elig
$ mount /dev/ad4s2.elid /usr
$ mount /dev/ad4s2.elie /var
$ mount /dev/ad4s2.elif /tmp
$ mount /dev/ad4s2.elig /home

Step 7) restore files

Code:

$ mkdir /home/files
$ mount /dev/ad4s3d /home/files
$ cd /usr
$ restore -rf /home/files/usr.dump
$ cd /var
$ restore -rf /home/files/var.dump

Step 8) edit files
you need to edit /etc/fstab
for this, i did

Code:

$ mv /etc/fstab /etc/fstab.bak
$ cat /etc/fstab.bak

and using echo manually wrote new /etc/fstab

fstab

Code:

# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3d		/home/files	ufs	rw			2 2
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
#I've marked changes in red

next thing is to load geli during boot, because i'm using generic kernel

Code:

$ echo 'geom_eli_load="YES"'>> /boot/loader.conf

Step 9) reboot
you should be able to reboot in multiuser mode without problems....

Step 10) encrypt swap
turn off swap

Code:

$ swapoff /dev/ad4s1b

again you may want to sanitarize your swap and /dev/ad4s3

Code:

$ dd if=/dev/random of=/dev/ad4s1b bs=1m

Now let's encrypt and mount swap

Code:

$ geli onetime -d -e 3des /dev/ad4s1b
$ swapon /dev/ad4s1b.eli

you need to edit your /etc/fstab

Code:

# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b.eli		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3d		/home/files	ufs	rw			2 2
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
#I've marked changes in red

Step 11) encrypt /dev/ad4s3
unmount, sanitarize, and clear labels

Code:

$ umount /dev/ad4s3d
$ dd if=/dev/random of=/dev/ad4s3 bs=1m
$ echo > /label
$ bsdlabel -R /dev/ad4s3 /label

make 128bytes key

Code:

$ dd if=/dev/random of=/root/files.key bs=128 count=1

initialize geli (this will use keyfile and password)
I don't want to mount it at boot, so that's why i don't use -b option

Code:

$ geli init -s 4096 -K /root/files.key /dev/ad4s3
enter password 2x
$ geli attach -k /root/files.key /dev/ad4s3
enter password

now, there are 2 choices
a) you can newfs -U /dev/ad4s3.eli and use it as is....
b) you can make labels for /dev/ad4s3.eli (as i understand this is better, but i'm not sure)

Step 11.a)

Code:

$ newfs -U /dev/ad4s3.eli
$ mount /dev/ad4s3.eli /home/files

edit fstab

Code:

# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b.eli		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3.eli		/home/files	ufs	rw,noauto		0 0
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
#I've marked changes in red

Step 11.b)
do the same thing as in step 4
and the reinitialize geli, for /dev/ad4s3 (step 11), you don't need to generate new key
and then do same thing as in step 5, but
this time you only need to add one label (d: )

Code:

$ echo 'c: 7600753 0 unused 0 0' > /label
$ echo 'd: * * 4.2BSD' >> /label
$ bsdlabel -R /dev/ad4s3.eli /label
$ newfs -U /dev/ad4s3.elid

2nd line, will make sure, that you use all space on slice for label d

now edit fstab

Code:

# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b.eli		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3.elid		/home/files	ufs	rw[color="red"],noauto		0 0[/color
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
#I've marked changes in red

Attaching /home/files)
next time you reboot, to attach /home/files as root type:

Code:

$ geli attach -k /root/files.key /dev/ad4s3
enter password
$ mount /home/files

and that seams to be it

NOTE
Don't forget passwords
and don't lose key
keep key in safe place (usb stick perhaps)
make backup for key, just in case
it's possible to leave only /boot unencrypted, but for that you might need another HDD
also it is possible to encrypt entire disk, but then you need usb stick with /boot on it, and pc that can boot from flash

to those who wonder, why swap is encrypted separately?
That's because, i don't need password for swap encryption.
it will use one time encryption... so there is no way to decrypt that
Also if necessary you modify it and use it elsewhere later (for example create d: partion)


Resources
man geli
Handbook 18.16.2
handbook 18.17


I hope this was useful for someone...
if you got questions, ask, i will answer....

and if anyone have better idea, how to avoid, annoying step 4, let me know



UPDATE: 1
When you unmount encrypted drive, it will still be accessible (with dd for example)
you need to detach it

Code:

geli detach /dev/ad0s1f.eli

And here's important stuff:
if you use encrypted usb stick.....
don't forget to detach it after you unmount it.....
failing to do so will/may cause panic
this is for everything....
probably including disk images


UPDATE: 2

Quote:

Originally Posted by Carpetsmoker

You can also use a image instead of a ``real'' filesystem, for example on FreeBSD:

First create a image, 100MB in this case:

$ dd if=/dev/zero of=secret.img bs=1024K count=100

Next use mdconfig to create a /dev entry:

# mdconfig -at vnode -f secret.img

Next you can follow the normal stept for creating an encrypted filesystem (i.e. Killasmurf's FreeBSD + Geli), using md0.

You can use
# mdconfig -du0
to detach the device.

This is much more flexible and faster, and you can set it up any time, no need to newfs stuff ...

Before you use

Code:

# mdconfig -du0

to detach device (file in this case), as suggested by Carpetsmoker
make sure you use geli detach

Code:

geli detach /dev/md0.eli

For reasons read update 1

UPDATE: 3
At step 4, you my tray to skip geli detach and continue to step 5 and 6, if there are no weird errors (i had some), if you get errors fall back to this guide (in short to step 4,3,5,6...)

so if you get errors do, 1,2,3,4,3,5,6,7,8,9,10,11
if you don't get errors do 1,2,3,4,5,6,7,8,9,10,11

If you feel confused, ignore this update, and pm me (or make post)..... i'll se if i can improve things)



Another good source:
http://bge-tard.blogspot.com/2007/09...on-system.html

[dk_netsvil]

killasmurf86, this is a great post with plenty of useful data. When I first started using Geli I found navigating the documentation to be slightly daunting, but you have provided a concise how-to that may make Geli on FreeBSD more accessible to people who would otherwise go with a Linux solution to disk encryption.

[graudeejs]

Thanks
I used geli for some time, to encrypt my sensitive data, but this is 1st time i went further and encrypted everything except root....

Maybe one day (when i need to reinstall BSD again), i will sit down, and figure how to boot from usb stick, when PC doesn't support booting from usb (i have some ideas in mind)

[Carpetsmoker]

You can also encrypt FS images, which is a much better solution in many cases IMO.

See http://daemonforums.org/showpost.php...2&postcount=23

[Oliver_H]

Nice howto - thx. Are there any know caveats while upgrading .. maybe weekly stables?

[graudeejs]

Quote:

Originally Posted by cabal

Are there any know caveats while upgrading .. maybe weekly stables?

What do you mean?

[graudeejs]

Quote:

Originally Posted by Carpetsmoker

You can also encrypt FS images, which is a much better solution in many cases IMO.

See http://daemonforums.org/showpost.php...2&postcount=23

i updated my post, and quoted your's, thanks....

[graudeejs]

hmm, i found this on net
http://bge-tard.blogspot.com/2007/09...on-system.html
The article is the same, but it will cover how to create boot cd, and make fully encrypted FreeBSD Disk

This is very good alternative to my post, and also might be little faster

[Oliver_H]

Quote:

Originally Posted by killasmurf86

What do you mean?

Could be possible to lose the encrypted partition after an upgrade. I had some experience with Linux kernel some time ago.

[graudeejs]

I don't think so.....
as long as you have geom_geli loaded, passwords and keys to access it

updating should improve things, not break them