  #1   (View Single Post)  
Old 19th September 2022
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
HOWTO: File encryption on OpenBSD with a vnode pseudo disk device

File encryption with virtual or vnode pseudo disk devices

The OpenBSD base install has two methods to encrypt files or devices
  1. Encrypted image file that can be accessed like a disk with vnconfig(8)
    vnconfig(1) associates a file with a /dev/vnd device to be accessed like a disk.
  2. Encrypted file system with softraid(4)
    This is the recommended method, but requires more steps to prepare.

CAVEAT: When you use the first method you are gently advised to use the softraid(4) alternative:
Code:
$ doas vnconfig -K 20000 -S Crypted.salt vnd0 Crypted.img
WARNING: Consider using softraid crypto.
Encryption key:
So please keep in mind that what is described here is not a recommended method anymore.
I have tried the softraid crypto approach with an image backed vnode disk. That works too, but is a little bit more complicated to set up. This will be described in another installment.

The impatient preferring the softraid method can use the example of softraid crypto on a USB key/stick in the OpenBSD FAQ:
https://www.openbsd.org/faq/faq14.html#softraid See the section Encrypting External Disks

vnconfig(8) gives an example how to configure an encrypted file image:

Code:
Configure an encrypted image file as vnode disk vnd0 and mount the FFS
file system contained in the `a' partition of the disklabel.  Same as
above, but now configure the vnode using PKCS #5 PBKDF2 and a salt file
with 20000 rounds:

     # vnconfig -K 20000 vnd0 /tmp/cryptimg
     Encryption key:
     Salt file: /tmp/cryptsalt
     # mount /dev/vnd0a /mnt
Missing from this example are the steps to:
  1. Create /tmp/cryptimg
  2. Install disklabel a on /tmp/cryptimg
  3. Construct a new file system for label 'a'
  4. Create the salt file
    This is not completely true. If /tmp/cryptsalt does not exist, it will be created.

This guide presents a Makefile that automates these missing steps, and provides simple methods to mount and unmount the encrypted file system.
As a bonus it can create a compressed backup of the encrypted image file, the salt file and the Makefile.

Overview for using the Makefile
  1. Initialize and create an image file, salt file and directory to mount
    Code:
    $ make init
  2. Encrypt the image file, install a label and construct a new file system
    Code:
    $ make crypt

To write and/or read the data:
  1. Mount the encrypted disk image
    Code:
    $ make mount-crypt
  2. Now you can create file(s) on the encrypted disk, or copy files to it.
  3. When done unmount the disk
    Code:
    $ make umount-crypt
  4. Optionally, create a compressed backup in 'tgz' format
    Code:
    $ make bup
WARNING !!! After storing data on the encrypted disk, do not repeat the "$ make crypt". It will erase all your encrypted info!

Description of the Makefile


The first part of the Makefile initializes the variables that you can customize.
Code:
FILE =		Crypted
IMG =		${FILE}.img
SALT =		${FILE}.salt

# size of image file in MB
IMG_SIZE =	20
MOUNT_DIR =	./M
The following section specifies variables you do not need to touch:

Code:
# salt size in bytes (don't change this!)
SALT_SIZE =     128

# template for automatic disklabel partitioning
AUTO_PART =     auto_part.txt

# files to be packed into compressed TAR file 
BUPFILES =      Makefile ${IMG} ${SALT} ${AUTO_PART}

ROUNDS =        20000
VNODE =         vnd0
# partition for mounting
VNODE_PART =    /dev/${VNODE}a
# newfs needs raw partition!
VNODE_RPART =   /dev/r${VNODE}a
The first target init creates the image file, auto partitioning template for disklabel, salt file and the directory to mount the image:
Code:
init:	${MOUNT_DIR} ${IMG} ${SALT} ${AUTO_PART}
	ls -ld ${.ALLSRC}
Creation of the mount dir as sub-directory of the current directory.
This attempts to prevent the permission issue of /mnt which is not writable to non-root users.

Code:
${MOUNT_DIR}:
	@echo Creating mount directory: \"${.TARGET}\"
	mkdir ./M
	chmod g=rwx,o= ./${.TARGET}
	ls -l ${.TARGET}
The image file and salt file generation:
Code:
${IMG}:
	@echo Creating image file: \"${.TARGET}\"
	dd if=/dev/zero of=${.TARGET} bs=1m count=${IMG_SIZE}
	ls -l ${.TARGET}

${SALT}:
	@echo Creating salt file: \"${.TARGET}\"
	dd if=/dev/urandom of=${.TARGET} bs=${SALT_SIZE} count=1
Creation of template for a non-interactive install of a disklabel:
Code:
${AUTO_PART}:
	# line should not be terminated with '\n' (newline) !
	printf "/       1M-*" >${.TARGET}
	@echo ls -l ${.TARGET}
	@echo -------------------
	@cat ${.TARGET}
	@echo
	@echo -------------------
The image file is associated with a vnode device, encrypted, disklabel'ed and newfs'ed with:
Code:
crypt:
	@echo Configure \"${IMG}\" ...
	doas vnconfig -K ${ROUNDS} -S ${SALT} ${VNODE} ${IMG}
	@echo Installing disklabel on \"${VNODE}\" using partition template \"${AUTO_PART}\" ... 
	doas disklabel -wAT ${AUTO_PART}  ${VNODE}
	@echo Resulting disklabel:
	doas disklabel ${VNODE} 
	@echo --------------------------
	@echo Constructing new file system on \"${VNODE_RPART}\"
	doas newfs ${VNODE_RPART}
	@echo Unconfigure \"${VNODE}\" ......
	doas sh -c 'vnconfig -u ${VNODE}; vnconfig -l'
After these steps, the image file is ready for use. To mount it:

Code:
mount-crypt: ${MOUNT_DIR}
	doas vnconfig -K ${ROUNDS} -S ${SALT} ${VNODE} ${IMG}
	doas vnconfig -l
	@doas mount ${VNODE_PART} ${MOUNT_DIR} && echo Successfully mounted \
	\"${VNODE_PART}\" on \"${MOUNT_DIR}:\" 
	mount | grep ${VNODE}
	@echo Setting group permissions of \"${MOUNT_DIR}\" to \"rwx\": 
	doas chmod g=rwx ${MOUNT_DIR}
	ls -ld ${MOUNT_DIR}
After writing or reading, the encrypted disk image can be unmounted with:

Code:
umount-crypt:
	doas sh -c 'umount ${VNODE_PART}; vnconfig -u ${VNODE}; vnconfig -l'
	@echo \"${VNODE_PART}\" has been unmounted ....
After unmounting, a compressed tar archive can be made.

Code:
bup:
	tar cvzf ${FILE}.tgz ${BUPFILES} 
	tar tvzf ${FILE}.tgz
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 19th September 2022 at 04:34 AM.
  #2   (View Single Post)  
Old 19th September 2022
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Example of usage

Initializing the mounting directory, image and salt file:
Code:
j65[~/crypt]$  make init
Creating mount directory: "./M"
mkdir ./M
chmod g=rwx,o= ././M
ls -l ./M
total 0

Creating image file: "Crypted.img"
dd if=/dev/zero of=Crypted.img bs=1m count=20
20+0 records in
20+0 records out
20971520 bytes transferred in 0.257 secs (81368771 bytes/sec)
ls -l Crypted.img
-rw-r--r--  1 j65  j65	20971520 Sep 19 03:45 Crypted.img

Creating salt file: "Crypted.salt"
dd if=/dev/urandom of=Crypted.salt bs=128 count=1
1+0 records in
1+0 records out
128 bytes transferred in 0.000 secs (1746344 bytes/sec)

# line should not be terminated with '\n' (newline) !
printf "/	1M-*" >auto_part.txt
ls -l auto_part.txt
-------------------
/	1M-*
-------------------

ls -ld ./M Crypted.img Crypted.salt auto_part.txt
drwxrwx---  2 j65  j65	     512 Sep 19 03:45 ./M
-rw-r--r--  1 j65  j65	20971520 Sep 19 03:45 Crypted.img
-rw-r--r--  1 j65  j65	     128 Sep 19 03:45 Crypted.salt
-rw-r--r--  1 j65  j65	      12 Sep 19 03:45 auto_part.txt
A hexdump of Crypted.img and Crypted.salt :

Code:
j65[~/crypt]$ hexdump -C Crypted.img
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
01400000

j65[~/crypt]$ hexdump -C Crypted.salt                                              
00000000  e4 63 5c f3 2a c7 a6 42  32 5f 2c 55 3f eb 40 ba  |.c\.*..B2_,U?.@.|
00000010  f1 3c 11 2a 3b fb 47 bd  67 f8 48 75 e1 3e 9e f4  |.<.*;.G.g.Hu.>..|
00000020  fb 13 0c 07 ae 30 d2 6f  2a b9 03 90 57 c4 d7 43  |.....0.o*...W..C|
00000030  60 6c b0 25 9f 6b 51 8e  ee ab 27 c8 3e ac 55 bd  |`l.%.kQ...'.>.U.|
00000040  c7 3c 1f 62 20 1e 6b dc  c3 9e 9c f1 44 1d aa 65  |.<.b .k.....D..e|
00000050  91 d1 52 f8 0e 5b ef 0f  c9 6e ee 28 bb dc 6d b1  |..R..[...n.(..m.|
00000060  f8 ee 9b e8 ed b7 4b 6a  64 75 b0 7f dc c8 75 43  |......Kjdu....uC|
00000070  35 cb af b7 26 f4 1c 44  a1 d6 19 72 9c 2f a3 4f  |5...&..D...r./.O|
00000080
Encrypt, label and newfs. After warning to use softraid crypto, you are asked to provide a password. This password will be used in the encryption.
Code:
j65[~/crypt]$ make crypt
Configure "Crypted.img" ...
doas vnconfig -K 20000 -S Crypted.salt vnd0 Crypted.img
WARNING: Consider using softraid crypto.
Encryption key:

Installing disklabel on "vnd0" using partition template "auto_part.txt" ...
doas disklabel -wAT auto_part.txt  vnd0
Resulting disklabel:
doas disklabel vnd0
# /dev/rvnd0c:
type: vnd
disk: vnd device
label: fictitious
duid: 0ea264f12b632a20
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 409
total sectors: 40960
boundstart: 0
boundend: 40960
drivedata: 0

16 partitions:
#		 size		offset	fstype [fsize bsize   cpg]
  a:		40960		     0	4.2BSD	 2048 16384	1
  c:		40960		     0	unused
--------------------------

Constructing new file system on "/dev/rvnd0a"
doas newfs /dev/rvnd0a
/dev/rvnd0a: 20.0MB in 40960 sectors of 512 bytes
4 cylinder groups of 5.00MB, 320 blocks, 640 inodes each
super-block backups (for fsck -b #) at:
 160, 10400, 20640, 30880,

Unconfigure "vnd0" ......
doas sh -c 'vnconfig -u vnd0; vnconfig -l'
vnd0: not in use
vnd1: not in use
vnd2: not in use
vnd3: not in use
A partial hexdump of the encrypted image file shows no more zeroes after the first 0x200:
Code:
j65[~/crypt]$ hexdump -C Crypted.img | head -10
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200  08 dc 61 42 be 9f 20 8c  24 c6 0a e7 3c f8 c1 b8  |..aB.. .$...<...|
00000210  d1 a6 b4 ca 7b 13 72 95  de d7 3f 94 42 85 b3 49  |....{.r...?.B..I|
00000220  cb 8d 13 63 0a 04 d0 0f  94 2d cb 30 fa bc b8 6f  |...c.....-.0...o|
00000230  e0 64 4a eb 83 3c 05 9b  f8 c9 48 7e 4f 55 bb a2  |.dJ..<....H~OU..|
00000240  ab 86 31 73 aa 87 d3 b6  53 84 ff 89 46 66 81 37  |..1s....S...Ff.7|
00000250  3c d9 d4 17 27 50 e4 85  29 08 e0 ea d8 01 21 35  |<...'P..).....!5|
00000260  74 7a 5d 7a aa 8f c8 a2  97 2b 24 4e 9f 10 2a 23  |tz]z.....+$N..*#|
00000270  f1 f1 df ae 04 5b 5f 5a  4a e1 28 aa ae 38 ba 20  |.....[_ZJ.(..8. |
Mounting the disk. After the warning to consider softraid crypto, vnconfig prompts for the encryption key/password.
The group permissions of the mount point are adjusted to allow group write access.
Code:
j65[~/crypt]$ make mount-crypt
doas vnconfig -K 20000 -S Crypted.salt vnd0 Crypted.img
WARNING: Consider using softraid crypto.
Encryption key:

doas vnconfig -l
vnd0: covering Crypted.img on sd0k, inode 14675317
vnd1: not in use
vnd2: not in use
vnd3: not in use

Successfully mounted "/dev/vnd0a" on "./M:"
mount | grep vnd0
/dev/vnd0a on /home/j65/crypt/M type ffs (local)

Setting group permissions of "./M" to "rwx":
doas chmod g=rwx ./M
ls -ld ./M
drwxrwxr-x  2 root  wheel  512 Sep 19 03:45 ./M
Code:
j65[~/crypt]$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      986M    108M    829M    11%    /
[snip]
/dev/sd0e     11.5G    1.8G    9.1G    16%    /var
/dev/vnd0a    19.2M    2.0K   18.2M	0%    /home/j65/crypt/M
Changing the directory to the mount point and creating a file:
Code:
j65[~/crypt]$ cd M
j65[~/crypt/M]$ ls -l
total 0
j65[~/crypt/M]$ echo This is test, for your eyes only ..... >Secret.txt
j65[~/crypt/M]$ ls -l
total 4
-rw-r--r--  1 j65  wheel  39 Sep 19 03:56 Secret.txt
Go back to our previous directory and unmount
Code:
j65[~/crypt/M]$ cd ..
j65[~/crypt]$ make umount-crypt
doas sh -c 'umount /dev/vnd0a; vnconfig -u vnd0; vnconfig -l'
vnd0: not in use
vnd1: not in use
vnd2: not in use
vnd3: not in use
"/dev/vnd0a" has been unmounted ....
Creating a backup 'tgz' file:
Code:
j65[~/crypt]$ make bup
tar cvzf Crypted.tgz Makefile Crypted.img Crypted.salt auto_part.txt
Makefile
Crypted.img
Crypted.salt
auto_part.txt
tar tvzf Crypted.tgz
-rw-r--r--  1 j65  j65	     2522 Sep 19 00:42 Makefile
-rw-r--r--  1 j65  j65	 20971520 Sep 19 03:57 Crypted.img
-rw-r--r--  1 j65  j65	      128 Sep 19 03:45 Crypted.salt
-rw-r--r--  1 j65  j65	       12 Sep 19 03:45 auto_part.txt
A directory listing showing the compressed size of Crypted.tgz
Code:
$ ls -lh
-rw-r--r--  1 j65  j65  20.0M Sep 19 03:57 Crypted.img
-rw-r--r--  1 j65  j65   128B Sep 19 03:45 Crypted.salt
-rw-r--r--  1 j65  j65   299K Sep 19 03:57 Crypted.tgz
drwxrwx---  2 j65  j65   512B Sep 19 03:45 M
-rw-r--r--  2 j65  j65   2.5K Sep 19 00:42 Makefile
Last edited by J65nko; 19th September 2022 at 04:15 AM.
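
An added example, not part of the original posts: the 20.0M image compresses to 299K in the listing above because sectors never written through the vnd device still hold the zeros from `dd if=/dev/zero`, so the backing file shows which sectors are in use. The script below counts all-zero 512-byte sectors in an image file; the function names `zero_sector_stats` and `report_image` are made up for this illustration.

```sh
#!/bin/sh
# Added example: count all-zero sectors in a vnd backing image.
# A sector that is still all zeros was never written through the
# encrypted vnd device, so the zero/non-zero pattern leaks usage.

SECTOR_SIZE=512		# bytes/sector, as reported by disklabel

# zero_sector_stats FILE
# Prints "total zero nonzero" sector counts for FILE.
zero_sector_stats() {
	img=$1
	[ -r "$img" ] || { echo "cannot read $img" >&2; return 1; }
	# od -v prints every line (no '*' folding), 16 bytes per line
	od -An -v -tx1 "$img" | awk -v per=$((SECTOR_SIZE / 16)) '
		function close_sector() {
			total++
			if (dirty) nonzero++; else zero++
			lines = 0; dirty = 0
		}
		{
			# any byte field other than "00" marks the sector as written
			for (i = 1; i <= NF; i++) if ($i != "00") dirty = 1
			if (++lines == per) close_sector()
		}
		END {
			if (lines > 0) close_sector()	# trailing partial sector
			printf "%d %d %d\n", total, zero, nonzero
		}'
}

# report_image FILE
# Prints a short summary of how much of the image was never written.
report_image() {
	stats=$(zero_sector_stats "$1") || return 1
	set -- $stats
	[ "$1" -gt 0 ] || { echo "empty image" >&2; return 1; }
	echo "$1 sectors: $2 still zero (never written), $3 non-zero"
	echo "untouched: $(( $2 * 100 / $1 ))%"
}

# Run as a script:  sh zero_sectors.sh Crypted.img
if [ $# -gt 0 ]; then
	report_image "$1"
fi
```

Building the image from `/dev/urandom` instead of `/dev/zero` in the `${IMG}` target removes this pattern, at the cost of a backup that no longer compresses.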
  #3   (View Single Post)  
Old 19th September 2022
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

The Makefile for downloading
Attached Files
File Type: txt Makefile.txt (3.5 KB, 8 views)

Last edited by J65nko; 19th September 2022 at 04:28 AM.
  #4   (View Single Post)  
Old 19th September 2022
jmccue jmccue is offline
Real Name: John McCue
Package Pilot
 
Join Date: Aug 2012
Location: here
Posts: 167

Thank you, very nice. I was wondering how one would do this on OpenBSD, was planning on looking to see how to do this just out of curiosity, but never bothered.
__________________
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars (tvtropes.org)
  #5   (View Single Post)  
Old 20th September 2022
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

@jmccue Thanks for the kind words

There is a small error/oversight in the Makefile. Although the mounting directory is defined as a variable, it was still hard-coded in the target to create it.

Code:
MOUNT_DIR =     ./M
The diff to correct this oversight:
Code:
$ diff -u Makefile.txt Makefile2.txt 
--- Makefile.txt        Mon Sep 19 06:26:13 2022
+++ Makefile2.txt       Tue Sep 20 02:05:22 2022
@@ -38,7 +38,7 @@
  
 ${MOUNT_DIR}:
        @echo Creating mount directory: \"${.TARGET}\"
-       mkdir ./M
+       mkdir ${.TARGET}
        chmod g=rwx,o= ./${.TARGET}
        ls -l ${.TARGET}
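Review bot: the unchanged `chmod g=rwx,o= ./${.TARGET}` line directly after the corrected `mkdir` still prefixes the target with `./`, so with `MOUNT_DIR = ./M` it expands to `././M`, and with an absolute MOUNT_DIR it would resolve to a path relative to the current directory rather than the directory just created. Suggest `chmod g=rwx,o= ${.TARGET}` so that mkdir, chmod and ls in this target all operate on the same path.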
I attached the revised Makefile as Makefile2.txt for downloading.
Attached Files
File Type: txt Makefile2.txt (3.5 KB, 7 views)