File encryption with virtual or vnode pseudo disk devices
The OpenBSD base install has two methods to encrypt files or devices
CAVEAT: When you use the first method you are gently advised to use the softraid(4) alternative:
Code:
```
$ doas vnconfig -K 20000 -S Crypted.salt vnd0 Crypted.img
WARNING: Consider using softraid crypto.
Encryption key:
```
I have tried the softraid crypto approach with an image-backed vnode disk. That works too, but is a little bit more complicated to set up. This will be described in another installment.

The impatient preferring the softraid method can use the example of softraid crypto on a USB key/stick in the OpenBSD FAQ: https://www.openbsd.org/faq/faq14.html#softraid See the section Encrypting External Disks.

vnconfig(8) gives an example of how to configure an encrypted file image:
Code:
```
Configure an encrypted image file as vnode disk vnd0 and mount the FFS
file system contained in the `a' partition of the disklabel.

Same as above, but now configure the vnode using PKCS #5 PBKDF2 and a
salt file with 20000 rounds:

      # vnconfig -K 20000 vnd0 /tmp/cryptimg
      Encryption key:
      Salt file: /tmp/cryptsalt
      # mount /dev/vnd0a /mnt
```
This guide presents a Makefile that automates these missing steps, and provides simple methods to mount and unmount the encrypted file system. As a bonus it can create a compressed backup of the encrypted image file, the salt file and the Makefile.

Overview for using the Makefile

To write and/or read the data:
Description of the Makefile

The first part of the Makefile initializes the variables that you can customize.
Code:
```
FILE = Crypted
IMG = ${FILE}.img
SALT = ${FILE}.salt
# size of image file in MB
IMG_SIZE = 20
MOUNT_DIR = ./M
```
Code:
```
# salt size in bytes (don't change this!)
SALT_SIZE = 128
# template for automatic disklabel partitioning
AUTO_PART = auto_part.txt
# files to be packed into compressed TAR file
BUPFILES = Makefile ${IMG} ${SALT} ${AUTO_PART}
ROUNDS = 20000
VNODE = vnd0
# partition for mounting
VNODE_PART = /dev/${VNODE}a
# newfs needs raw partition!
VNODE_RPART = /dev/r${VNODE}a
```
Code:
```
init: ${MOUNT_DIR} ${IMG} ${SALT} ${AUTO_PART}
	ls -ld ${.ALLSRC}
```
This attempts to prevent the permission issue of /mnt, which is not writable to non-root users.
Code:
```
${MOUNT_DIR}:
	@echo Creating mount directory: \"${.TARGET}\"
	mkdir ./M
	chmod g=rwx,o= ./${.TARGET}
	ls -l ${.TARGET}
```
Code:
```
${IMG}:
	@echo Creating image file: \"${.TARGET}\"
	dd if=/dev/zero of=${.TARGET} bs=1m count=${IMG_SIZE}
	ls -l ${.TARGET}

${SALT}:
	@echo Creating salt file: \"${.TARGET}\"
	dd if=/dev/urandom of=${.TARGET} bs=${SALT_SIZE} count=1
```
Code:
```
${AUTO_PART}:
	# line should not be terminated with '\n' (newline) !
	printf "/ 1M-*" >${.TARGET}
	@echo ls -l ${.TARGET}
	@echo -------------------
	@cat ${.TARGET}
	@echo
	@echo -------------------
```
Code:
```
crypt:
	@echo Configure \"${IMG}\" ...
	doas vnconfig -K ${ROUNDS} -S ${SALT} ${VNODE} ${IMG}
	@echo Installing disklabel on \"${VNODE}\" using partition template \"${AUTO_PART}\" ...
	doas disklabel -wAT ${AUTO_PART} ${VNODE}
	@echo Resulting disklabel:
	doas disklabel ${VNODE}
	@echo --------------------------
	@echo Constructing new file system on \"${VNODE_RPART}\"
	doas newfs ${VNODE_RPART}
	@echo Unconfigure \"${VNODE}\" ......
	doas sh -c 'vnconfig -u ${VNODE}; vnconfig -l'
```
Code:
```
mount-crypt: ${MOUNT_DIR}
	doas vnconfig -K ${ROUNDS} -S ${SALT} ${VNODE} ${IMG}
	doas vnconfig -l
	@doas mount ${VNODE_PART} ${MOUNT_DIR} && echo Successfully mounted \
	  \"${VNODE_PART}\" on \"${MOUNT_DIR}:\"
	mount | grep ${VNODE}
	@echo Setting group permissions of \"${MOUNT_DIR}\" to \"rwx\":
	doas chmod g=rwx ${MOUNT_DIR}
	ls -ld ${MOUNT_DIR}
```
Code:
```
umount-crypt:
	doas sh -c 'umount ${VNODE_PART}; vnconfig -u ${VNODE}; vnconfig -l'
	@echo \"${VNODE_PART}\" has been unmounted ....
```
Code:
```
bup:
	tar cvzf ${FILE}.tgz ${BUPFILES}
	tar tvzf ${FILE}.tgz
```
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 19th September 2022 at 04:34 AM.
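Before `make crypt` or `make mount-crypt` is run, a few cheap checks catch the mistakes the Makefile itself cannot: a salt file that is not exactly SALT_SIZE bytes (vnconfig -S would derive a different key from it and the file system would simply not be readable), an image whose size is not a whole number of 512-byte sectors, and an `auto_part.txt` that was later rewritten with echo(1) and so gained the trailing newline the `${AUTO_PART}` recipe warns about. The script below is an added example, not part of the original post or of the Makefile; its defaults are the Makefile's variable values, the function names are the example's own, and because it only inspects files it runs without root and without vnconfig(8).

```shell
#!/bin/sh
# preflight.sh - sanity checks on the files the Makefile's "crypt" and
# "mount-crypt" targets consume.  Added example, not from the original post.
# Defaults mirror the Makefile's variables; override them via the environment.

: "${IMG:=Crypted.img}"
: "${SALT:=Crypted.salt}"
: "${AUTO_PART:=auto_part.txt}"
: "${MOUNT_DIR:=./M}"
: "${SALT_SIZE:=128}"
SECTOR=512

# Byte size of a file; wc -c pads with blanks on BSD, so strip them.
file_size() {
    wc -c <"$1" | tr -d ' '
}

# The salt must be exactly SALT_SIZE bytes, which is why the Makefile says
# "don't change this!": a salt of another length yields another PBKDF2 key.
check_salt() {
    [ -f "$1" ] || { echo "salt: $1 missing"; return 1; }
    [ "$(file_size "$1")" -eq "$SALT_SIZE" ] ||
        { echo "salt: $1 is $(file_size "$1") bytes, expected $SALT_SIZE"; return 1; }
    return 0
}

# The image backs a pseudo disk, so it must be a whole number of sectors.
check_image() {
    [ -f "$1" ] || { echo "image: $1 missing"; return 1; }
    sz=$(file_size "$1")
    [ "$sz" -gt 0 ] || { echo "image: $1 is empty"; return 1; }
    [ $((sz % SECTOR)) -eq 0 ] ||
        { echo "image: $sz bytes is not a multiple of $SECTOR"; return 1; }
    return 0
}

# The disklabel -T template is written with printf so that it does not end
# in a newline; catch a copy that was rewritten with echo(1).
check_template() {
    [ -s "$1" ] || { echo "template: $1 missing or empty"; return 1; }
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ] || { echo "template: $1 ends with a newline"; return 1; }
    return 0
}

# The mount point must already exist as a directory (the Makefile's init
# target creates it with g=rwx,o= so non-root group members can write).
check_mount_dir() {
    [ -d "$1" ] || { echo "mount dir: $1 is not a directory"; return 1; }
    return 0
}

# Run every check and report all failures, not just the first one.
preflight() {
    rc=0
    check_salt "$SALT" || rc=1
    check_image "$IMG" || rc=1
    check_template "$AUTO_PART" || rc=1
    check_mount_dir "$MOUNT_DIR" || rc=1
    return $rc
}

# Only run the checks when executed as a script, not when sourced.
case "$0" in
    *preflight.sh) preflight && echo "preflight OK" ;;
esac
```

Drop the file next to the Makefile and run `sh preflight.sh` (or `IMG=Other.img SALT=Other.salt sh preflight.sh` for a second image); a non-zero exit with the offending file named is the signal to stop before vnconfig is given the wrong salt or template.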
Initializing the mounting directory, image and salt file:
Code:
```
j65[~/crypt]$ make init
Creating mount directory: "./M"
mkdir ./M
chmod g=rwx,o= ././M
ls -l ./M
total 0
Creating image file: "Crypted.img"
dd if=/dev/zero of=Crypted.img bs=1m count=20
20+0 records in
20+0 records out
20971520 bytes transferred in 0.257 secs (81368771 bytes/sec)
ls -l Crypted.img
-rw-r--r--  1 j65  j65  20971520 Sep 19 03:45 Crypted.img
Creating salt file: "Crypted.salt"
dd if=/dev/urandom of=Crypted.salt bs=128 count=1
1+0 records in
1+0 records out
128 bytes transferred in 0.000 secs (1746344 bytes/sec)
# line should not be terminated with '\n' (newline) !
printf "/ 1M-*" >auto_part.txt
ls -l auto_part.txt
-------------------
/ 1M-*
-------------------
ls -ld ./M Crypted.img Crypted.salt auto_part.txt
drwxrwx---  2 j65  j65       512 Sep 19 03:45 ./M
-rw-r--r--  1 j65  j65  20971520 Sep 19 03:45 Crypted.img
-rw-r--r--  1 j65  j65       128 Sep 19 03:45 Crypted.salt
-rw-r--r--  1 j65  j65        12 Sep 19 03:45 auto_part.txt
```
Code:
```
j65[~/crypt]$ hexdump -C Crypted.img
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
01400000
j65[~/crypt]$ hexdump -C Crypted.salt
00000000  e4 63 5c f3 2a c7 a6 42  32 5f 2c 55 3f eb 40 ba  |.c\.*..B2_,U?.@.|
00000010  f1 3c 11 2a 3b fb 47 bd  67 f8 48 75 e1 3e 9e f4  |.<.*;.G.g.Hu.>..|
00000020  fb 13 0c 07 ae 30 d2 6f  2a b9 03 90 57 c4 d7 43  |.....0.o*...W..C|
00000030  60 6c b0 25 9f 6b 51 8e  ee ab 27 c8 3e ac 55 bd  |`l.%.kQ...'.>.U.|
00000040  c7 3c 1f 62 20 1e 6b dc  c3 9e 9c f1 44 1d aa 65  |.<.b .k.....D..e|
00000050  91 d1 52 f8 0e 5b ef 0f  c9 6e ee 28 bb dc 6d b1  |..R..[...n.(..m.|
00000060  f8 ee 9b e8 ed b7 4b 6a  64 75 b0 7f dc c8 75 43  |......Kjdu....uC|
00000070  35 cb af b7 26 f4 1c 44  a1 d6 19 72 9c 2f a3 4f  |5...&..D...r./.O|
00000080
```
Code:
```
j65[~/crypt]$ make crypt
Configure "Crypted.img" ...
doas vnconfig -K 20000 -S Crypted.salt vnd0 Crypted.img
WARNING: Consider using softraid crypto.
Encryption key:
Installing disklabel on "vnd0" using partition template "auto_part.txt" ...
doas disklabel -wAT auto_part.txt vnd0
Resulting disklabel:
doas disklabel vnd0
# /dev/rvnd0c:
type: vnd
disk: vnd disk
label: fictitious
duid: 0ea264f12b632a20
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 409
total sectors: 40960
boundstart: 0
boundend: 40960
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:            40960                0  4.2BSD   2048 16384     1
  c:            40960                0  unused
--------------------------
Constructing new file system on "/dev/rvnd0a"
doas newfs /dev/rvnd0a
/dev/rvnd0a: 20.0MB in 40960 sectors of 512 bytes
4 cylinder groups of 5.00MB, 320 blocks, 640 inodes each
super-block backups (for fsck -b #) at:
 160, 10400, 20640, 30880,
Unconfigure "vnd0" ......
doas sh -c 'vnconfig -u vnd0; vnconfig -l'
vnd0: not in use
vnd1: not in use
vnd2: not in use
vnd3: not in use
```
Code:
```
j65[~/crypt]$ hexdump -C Crypted.img | head -10
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200  08 dc 61 42 be 9f 20 8c  24 c6 0a e7 3c f8 c1 b8  |..aB.. .$...<...|
00000210  d1 a6 b4 ca 7b 13 72 95  de d7 3f 94 42 85 b3 49  |....{.r...?.B..I|
00000220  cb 8d 13 63 0a 04 d0 0f  94 2d cb 30 fa bc b8 6f  |...c.....-.0...o|
00000230  e0 64 4a eb 83 3c 05 9b  f8 c9 48 7e 4f 55 bb a2  |.dJ..<....H~OU..|
00000240  ab 86 31 73 aa 87 d3 b6  53 84 ff 89 46 66 81 37  |..1s....S...Ff.7|
00000250  3c d9 d4 17 27 50 e4 85  29 08 e0 ea d8 01 21 35  |<...'P..).....!5|
00000260  74 7a 5d 7a aa 8f c8 a2  97 2b 24 4e 9f 10 2a 23  |tz]z.....+$N..*#|
00000270  f1 f1 df ae 04 5b 5f 5a  4a e1 28 aa ae 38 ba 20  |.....[_ZJ.(..8. |
```
The group permissions of the mount point are adjusted to allow group write access.
Code:
```
j65[~/crypt]$ make mount-crypt
doas vnconfig -K 20000 -S Crypted.salt vnd0 Crypted.img
WARNING: Consider using softraid crypto.
Encryption key:
doas vnconfig -l
vnd0: covering Crypted.img on sd0k, inode 14675317
vnd1: not in use
vnd2: not in use
vnd3: not in use
Successfully mounted "/dev/vnd0a" on "./M:"
mount | grep vnd0
/dev/vnd0a on /home/j65/crypt/M type ffs (local)
Setting group permissions of "./M" to "rwx":
doas chmod g=rwx ./M
ls -ld ./M
drwxrwxr-x  2 root  wheel  512 Sep 19 03:45 ./M
```
Code:
```
j65[~/crypt]$ df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      986M    108M    829M    11%    /
[snip]
/dev/sd0e     11.5G    1.8G    9.1G    16%    /var
/dev/vnd0a    19.2M    2.0K   18.2M     0%    /home/j65/crypt/M
```
Code:
```
j65[~/crypt]$ cd M
j65[~/crypt/M]$ ls -l
total 0
j65[~/crypt/M]$ echo This is test, for your eyes only ..... >Secret.txt
j65[~/crypt/M]$ ls -l
total 4
-rw-r--r--  1 j65  wheel  39 Sep 19 03:56 Secret.txt
```
Code:
```
j65[~/crypt/M]$ cd ..
j65[~/crypt]$ make umount-crypt
doas sh -c 'umount /dev/vnd0a; vnconfig -u vnd0; vnconfig -l'
vnd0: not in use
vnd1: not in use
vnd2: not in use
vnd3: not in use
"/dev/vnd0a" has been unmounted ....
```
Code:
```
j65[~/crypt]$ make bup
tar cvzf Crypted.tgz Makefile Crypted.img Crypted.salt auto_part.txt
Makefile
Crypted.img
Crypted.salt
auto_part.txt
tar tvzf Crypted.tgz
-rw-r--r--  1 j65  j65      2522 Sep 19 00:42 Makefile
-rw-r--r--  1 j65  j65  20971520 Sep 19 03:57 Crypted.img
-rw-r--r--  1 j65  j65       128 Sep 19 03:45 Crypted.salt
-rw-r--r--  1 j65  j65        12 Sep 19 03:45 auto_part.txt
```
Code:
```
$ ls -lh
-rw-r--r--  1 j65  j65  20.0M Sep 19 03:57 Crypted.img
-rw-r--r--  1 j65  j65   128B Sep 19 03:45 Crypted.salt
-rw-r--r--  1 j65  j65   299K Sep 19 03:57 Crypted.tgz
drwxrwx---  2 j65  j65   512B Sep 19 03:45 M
-rw-r--r--  2 j65  j65   2.5K Sep 19 00:42 Makefile
```
Last edited by J65nko; 19th September 2022 at 04:15 AM.
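The Makefile hard-codes VNODE = vnd0, and the `vnconfig -l` listings in the transcripts above are what tell you whether vnd0 is still covering another image when `make mount-crypt` runs, or whether the image you are about to configure is already attached somewhere. The script below is an added example, not part of the original post: it parses a listing in that format, reports the state of a unit, picks the lowest-numbered unit that is "not in use", refuses to configure an image that some unit already covers, and composes the vnconfig line the Makefile would run on the free unit. The listing it ships with is constructed from the transcript above, and the function and file names are the example's own.

```shell
#!/bin/sh
# vndunit.sh - choose a vnd(4) unit from "vnconfig -l" output before
# configuring an image.  Added example, not from the original post; the
# parsing runs on a constructed listing so it needs neither root nor vnconfig(8).

# Constructed listing, in the format "vnconfig -l" prints in the transcript.
SAMPLE='vnd0: covering Crypted.img on sd0k, inode 14675317
vnd1: not in use
vnd2: not in use
vnd3: not in use'

# vnd_status LISTING UNIT
#   prints "free" or "busy <image>"; exit status 2 if UNIT is not listed.
vnd_status() {
    printf '%s\n' "$1" | awk -v unit="$2" '
        $1 == (unit ":") {
            found = 1
            if ($2 == "not") { print "free" } else { print "busy " $3 }
            exit
        }
        END { if (!found) exit 2 }'
}

# free_vnd LISTING
#   prints the lowest-numbered unit that is "not in use"; exit 1 if none.
free_vnd() {
    printf '%s\n' "$1" | awk '
        $2 == "not" && $3 == "in" && $4 == "use" {
            sub(/:$/, "", $1); print $1; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# covering_unit LISTING IMAGE
#   prints the unit already covering IMAGE, so the same file is never
#   configured twice; exit 1 if no unit covers it.
covering_unit() {
    printf '%s\n' "$1" | awk -v img="$2" '
        $2 == "covering" && $3 == img {
            sub(/:$/, "", $1); print $1; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# vnconfig_cmd LISTING IMAGE SALT ROUNDS
#   composes the vnconfig line the Makefile runs, but on a unit that is
#   actually free; exit 1 if IMAGE is already covered or no unit is free.
vnconfig_cmd() {
    listing=$1 img=$2 salt=$3 rounds=$4
    if unit=$(covering_unit "$listing" "$img"); then
        echo "$img is already configured on $unit" >&2
        return 1
    fi
    unit=$(free_vnd "$listing") || { echo "no free vnd unit" >&2; return 1; }
    printf 'doas vnconfig -K %s -S %s %s %s\n' "$rounds" "$salt" "$unit" "$img"
}

# Demonstration against the constructed listing when run as a script.
case "$0" in
    *vndunit.sh)
        vnconfig_cmd "$SAMPLE" Crypted.img Crypted.salt 20000 || true
        vnconfig_cmd "$SAMPLE" Other.img Other.salt 20000 ;;
esac
```

On a real system feed it live output, e.g. `vnconfig_cmd "$(vnconfig -l)" Crypted.img Crypted.salt 20000`, and only execute the line it prints; a Makefile can do the same by setting VNODE from `free_vnd` instead of the fixed vnd0, which is what turns "unit already in use" from a failed mount into a clear message.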
The Makefile for downloading
Last edited by J65nko; 19th September 2022 at 04:28 AM.
Thank you, very nice. I was wondering how one would do this on OpenBSD, was planning on looking to see how to do this just out of curiosity, but never bothered.
__________________
[t]csh(1) - "An elegant shell, for a more... civilized age." - Paraphrasing Star Wars (tvtropes.org)
@jmccue Thanks for the kind words

There is a small error/oversight in the Makefile. Although the mounting directory is defined as a variable, it was still hard-coded in the target to create it.
Code:
```
MOUNT_DIR = ./M
```
Code:
$ diff -u Makefile.txt Makefile2.txt --- Makefile.txt Mon Sep 19 06:26:13 2022 +++ Makefile2.txt Tue Sep 20 02:05:22 2022 @@ -38,7 +38,7 @@ ${MOUNT_DIR}: @echo Creating mount directory: \"${.TARGET}\" - mkdir ./M + mkdir ${.TARGET} chmod g=rwx,o= ./${.TARGET} ls -l ${.TARGET}
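Review bot: the `chmod g=rwx,o= ./${.TARGET}` line right after the changed `mkdir` still prepends `./` to the target, so with `MOUNT_DIR = ./M` it runs `chmod g=rwx,o= ././M` (exactly what the `make init` transcript shows) and would break outright for an absolute MOUNT_DIR such as `/home/j65/crypt/M`, which becomes `.//home/j65/crypt/M`. Since the target is now used as-is in `mkdir ${.TARGET}`, the same hunk should change the next line to `chmod g=rwx,o= ${.TARGET}`.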