#1, 20th October 2008, graudeejs (Real Name: Aldis Berjoza)

FreeBSD + Geli disk encryption

Today I decided to try and set up GELI for most of my system....
I would like to use it for the entire disk, but my PC can't boot from a USB stick, so I will leave root unencrypted....

You can leave only /boot unencrypted, but I find that in my situation leaving root unencrypted is better, because if anything happens I can boot in single user mode without problems...

So as you know, geli isn't supported by sysinstall.
Recently I broke some things on my box and I wanted to reinstall BSD, so that's why.

Step 0) Preparing
Backup your data to some safe place.

What do you need?
1x PC
1x HDD
FreeBSD CD or an already installed FreeBSD
patience

Step 1) Get FreeBSD on disk
Note: if you already have BSD on your disk, then backup your data and skip this step.

I installed the bare minimum base and kernel.
My disk is detected as ad4:
ad4s1a - / - 512M
ad4s1b - swap - about 512M
ad4s2d - /usr - 10G
ad4s2e - /var - 1G
ad4s2f - /tmp - 12G
ad4s2g - /home - about 5G
ad4s3d - /home/files - rest of disk


Step 2) Reboot in single user mode

Backup /usr and /var to another disk/slice (you will need the backups later)
Code:
$ kldload geom_eli
$ mount -uo rw /
$ mount -a
$ cd /home/files
$ dump -0Lauf /home/files/usr.dump /usr
$ dump -0Lauf /home/files/var.dump /var
$ dump -0Lauf /home/files/root.dump /
$ cd /
$ umount /usr /var /tmp /home/files /home
Now you may want to sanitize your disk
Code:
$ dd if=/dev/random of=/dev/ad4s2 bs=1m
You can increase bs to speed things up (I use 16m or 8m, as my disk has a 16m buffer)

Code:
$ echo > /label
$ bsdlabel -R /dev/ad4s2 /label
This will clear the bsdlabel from ad4s2, which means that you will no longer see
/dev/ad4s2d, /dev/ad4s2e, /dev/ad4s2f, /dev/ad4s2g
Q: Why would you want to do that?
A: Because we are going to encrypt the entire slice /dev/ad4s2

Step 3) Initialize GELI
For this one I won't use a keyfile, only a password
Code:
$ geli init -b -s 4096 /dev/ad4s2
Enter password 2x
$ geli attach /dev/ad4s2
Enter password
-b means that the password should be asked for during boot, so that the file systems can be mounted when the computer starts.
This is an important thing, so don't forget to type it.

Step 4) Ugly mess with bsdlabel
You probably won't have an editor available,
that's why I had to use this very UGLY mess
Code:
$ bsdlabel -w /dev/ad4s2.eli
$ bsdlabel -A /dev/ad4s2.eli > label
$ geli detach /dev/ad4s2.eli
Now repeat step 3 one time, and go straight to step 5 (skip step 4).
This is necessary to know what values to enter for bsdlabel,
and you need to repeat step 3 because otherwise you will get a warning.
Yes, it sucks.

Step 5) Edit bsdlabel
Code:
$ cat /label
You should see something like this:
Code:
# /dev/ad4s2.eli:
2 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:  7600751        2    unused        0     0
  c:  7600753        0    unused        0     0         # "raw" part, don't edit
Echo the line that starts with c:

Code:
$ echo 'c: 7600753 0 unused 0 0' > /label
$ echo 'd: 10G * 4.2BSD' >> /label
$ echo 'e: 1G * 4.2BSD' >> /label
$ echo 'f: 12G * 4.2BSD' >> /label
$ echo 'g: * * 4.2BSD' >> /label
$ bsdlabel -R /dev/ad4s2.eli /label
This will make partitions for /usr (10G), /var (1G), /tmp (12G), /home (rest)

Step 6) newfs and mount
Code:
$ newfs -U /dev/ad4s2.elid
$ newfs -U /dev/ad4s2.elie
$ newfs -U /dev/ad4s2.elif
$ newfs -U /dev/ad4s2.elig
$ mount /dev/ad4s2.elid /usr
$ mount /dev/ad4s2.elie /var
$ mount /dev/ad4s2.elif /tmp
$ mount /dev/ad4s2.elig /home
Step 7) restore files
Code:
$ mkdir /home/files
$ mount /dev/ad4s3d /home/files
$ cd /usr
$ restore -rf /home/files/usr.dump
$ cd /var
$ restore -rf /home/files/var.dump
Step 8) Edit files
You need to edit /etc/fstab.
For this, I did
Code:
$ mv /etc/fstab /etc/fstab.bak
$ cat /etc/fstab.bak
and using echo I manually wrote a new /etc/fstab:

fstab

Code:
# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3d		/home/files	ufs	rw			2 2
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
#I've marked changes in red

The next thing is to load geli during boot, because I'm using the GENERIC kernel
Code:
$ echo 'geom_eli_load="YES"'>> /boot/loader.conf
Step 9) Reboot
You should be able to reboot in multiuser mode without problems....

Step 10) Encrypt swap
Turn off swap
Code:
$ swapoff /dev/ad4s1b
Again you may want to sanitize your swap and /dev/ad4s3
Code:
$ dd if=/dev/random of=/dev/ad4s1b bs=1m
Now let's encrypt and mount swap
Code:
$ geli onetime -d -e 3des /dev/ad4s1b
$ swapon /dev/ad4s1b.eli
You need to edit your /etc/fstab
Code:
# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b.eli		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3d		/home/files	ufs	rw			2 2
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
#I've marked changes in red
Step 11) Encrypt /dev/ad4s3
Unmount, sanitize, and clear the labels
Code:
$ umount /dev/ad4s3d
$ dd if=/dev/random of=/dev/ad4s3 bs=1m
$ echo > /label
$ bsdlabel -R /dev/ad4s3 /label
Make a 128-byte key
Code:
$ dd if=/dev/random of=/root/files.key bs=128 count=1
Initialize geli (this will use a keyfile and a password).
I don't want to mount it at boot, so that's why I don't use the -b option
Code:
$ geli init -s 4096 -K /root/files.key /dev/ad4s3
enter password 2x
$ geli attach -k /root/files.key /dev/ad4s3
enter password
Now there are 2 choices:
a) you can newfs -U /dev/ad4s3.eli and use it as is....
b) you can make labels for /dev/ad4s3.eli (as I understand this is better, but I'm not sure)

Step 11.a)
Code:
$ newfs -U /dev/ad4s3.eli
$ mount /dev/ad4s3.eli /home/files
Edit fstab
Code:
# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b.eli		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3.eli		/home/files	ufs	rw,noauto		0 0
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
#I've marked changes in red
Step 11.b)
Do the same thing as in step 4,
and then reinitialize geli for /dev/ad4s3 (step 11); you don't need to generate a new key.
Then do the same thing as in step 5, but
this time you only need to add one label (d:)
Code:
$ echo 'c: 7600753 0 unused 0 0' > /label
$ echo 'd: * * 4.2BSD' >> /label
$ bsdlabel -R /dev/ad4s3.eli /label
$ newfs -U /dev/ad4s3.elid
The 2nd line will make sure that you use all the space on the slice for label d

Now edit fstab
Code:
# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b.eli		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3.elid		/home/files	ufs	rw,noauto		0 0
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
#I've marked changes in red
Attaching /home/files
Next time you reboot, to attach /home/files, type as root:
Code:
$ geli attach -k /root/files.key /dev/ad4s3
enter password
$ mount /home/files
and that seems to be it

NOTE
Don't forget your passwords
and don't lose the key.
Keep the key in a safe place (a USB stick perhaps)
and make a backup of the key, just in case.
It's possible to leave only /boot unencrypted, but for that you might need another HDD.
It is also possible to encrypt the entire disk, but then you need a USB stick with /boot on it, and a PC that can boot from flash.

To those who wonder why swap is encrypted separately:
that's because I don't need a password for swap encryption.
It will use one-time encryption... so there is no way to decrypt that.
Also, if necessary, you can modify it and use it elsewhere later (for example create a d: partition)


Resources
man geli
Handbook 18.16.2
Handbook 18.17

I hope this was useful for someone...
If you have questions, ask, I will answer....

And if anyone has a better idea how to avoid the annoying step 4, let me know

UPDATE: 1
When you unmount an encrypted drive, it will still be accessible (with dd for example);
you need to detach it
Code:
geli detach /dev/ad0s1f.eli
And here's the important stuff:
if you use an encrypted USB stick.....
don't forget to detach it after you unmount it.....
Failing to do so will/may cause a panic.
This is for everything....
probably including disk images


UPDATE: 2
Quote, originally posted by Carpetsmoker:
You can also use an image instead of a ``real'' filesystem, for example on FreeBSD:

First create an image, 100MB in this case:

$ dd if=/dev/zero of=secret.img bs=1024K count=100

Next use mdconfig to create a /dev entry:

# mdconfig -at vnode -f secret.img

Next you can follow the normal steps for creating an encrypted filesystem (i.e. Killasmurf's FreeBSD + Geli), using md0.

You can use
# mdconfig -du0
to detach the device.

This is much more flexible and faster, and you can set it up any time, no need to newfs stuff ...
Before you use
Code:
# mdconfig -du0
to detach the device (a file in this case), as suggested by Carpetsmoker,
make sure you use geli detach
Code:
geli detach /dev/md0.eli
For the reasons, read update 1

UPDATE: 3
At step 4, you may try to skip geli detach and continue to steps 5 and 6 if there are no weird errors (I had some); if you get errors, fall back to this guide (in short, to steps 4,3,5,6...)

So if you get errors do 1,2,3,4,3,5,6,7,8,9,10,11
If you don't get errors do 1,2,3,4,5,6,7,8,9,10,11

If you feel confused, ignore this update and PM me (or make a post)..... I'll see if I can improve things

Another good source:
http://bge-tard.blogspot.com/2007/09...on-system.html

Last edited by graudeejs; 16th November 2008 at 11:40 PM.
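As an added example (not code from the original post), the shell functions below script what steps 4/5 and 11.b assemble by hand with echo: they pull the c: line out of a saved `bsdlabel -A` dump and build the label file with the requested partitions, and they list which .eli file systems an fstab mounts at boot, which is the check that every such provider was initialized with -b (swap is excluded because the onetime swap provider is set up by rc, not by -b). The file names, function names and sample inputs are assumptions, modelled on the listings in the post.

```sh
#!/bin/sh
# Added example, not the original post's code. Builds the bsdlabel(8) input
# file that steps 4/5 and 11.b assemble with echo, and lists which .eli file
# systems an fstab mounts at boot (those providers need `geli init -b`).
# Assumed inputs: `bsdlabel -A /dev/ad4s2.eli` saved to a file, and an fstab.

# extract_c_line FILE: print the whole-slice "c:" line of a bsdlabel dump,
# without the trailing '# "raw" part' comment
extract_c_line() {
    awk '$1 == "c:" { print $1, $2, $3, $4, $5, $6; exit }' "$1"
}

# make_label DUMP LETTER:SIZE...: keep the original c: line and add one
# 4.2BSD partition per spec; size "*" means the rest of the slice
make_label() {
    dump=$1; shift
    cline=$(extract_c_line "$dump")
    [ -n "$cline" ] || { echo "no c: line in $dump" >&2; return 1; }
    echo "$cline"
    for spec in "$@"; do
        letter=${spec%%:*}; size=${spec#*:}
        case "$letter" in
            [abdefgh]) ;;
            *) echo "bad partition letter: $letter" >&2; return 1 ;;
        esac
        echo "$letter: $size * 4.2BSD"
    done
}

# boot_eli_devices FSTAB: .eli devices (swap excluded) mounted at boot, i.e.
# whose options lack "noauto"; each of these needs a -b initialized provider
boot_eli_devices() {
    awk '$1 !~ /^#/ && $1 ~ /\.eli/ && $3 != "swap" && $4 !~ /(^|,)noauto(,|$)/ { print $1 }' "$1"
}

# Constructed sample inputs, modelled on the listings in the post
sample_dump() {
    printf '# /dev/ad4s2.eli:\n2 partitions:\n'
    printf '  a:  7600751        2    unused        0     0\n'
    printf '  c:  7600753        0    unused        0     0   # "raw" part, don'\''t edit\n'
}
sample_fstab() {
    printf '%s\n' '/dev/ad4s1b.eli none swap sw 0 0' '/dev/ad4s1a / ufs rw 1 1' \
        '/dev/ad4s2.elig /home ufs rw 2 2' '/dev/ad4s3.elid /home/files ufs rw,noauto 0 0' \
        '/dev/ad4s2.elid /usr ufs rw 2 2'
}

# On the box: make_label /label d:10G e:1G f:12G 'g:*' > /label.new &&
#             bsdlabel -R /dev/ad4s2.eli /label.new
```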
#2, 21st October 2008, dk_netsvil (Real Name: Devon)

killasmurf86, this is a great post with plenty of useful data. When I first started using Geli I found navigating the documentation to be slightly daunting, but you have provided a concise how-to that may make Geli on FreeBSD more accessible to people who would otherwise go with a Linux solution to disk encryption.
#3, 21st October 2008, graudeejs

Thanks
I used geli for some time to encrypt my sensitive data, but this is the 1st time I went further and encrypted everything except root....

Maybe one day (when I need to reinstall BSD again) I will sit down and figure out how to boot from a USB stick when the PC doesn't support booting from USB (I have some ideas in mind)
#4, 25th October 2008, Carpetsmoker (Real Name: Martin Tournoij)

You can also encrypt FS images, which is a much better solution in many cases IMO.

See http://daemonforums.org/showpost.php...2&postcount=23
#5, 25th October 2008, Oliver_H (Real Name: Oliver Herold)

Nice howto - thx. Are there any known caveats while upgrading .. maybe weekly stables?
#6, 25th October 2008, graudeejs

Quote, originally posted by cabal:
Are there any known caveats while upgrading .. maybe weekly stables?
What do you mean?
#7, 25th October 2008, graudeejs

Quote, originally posted by Carpetsmoker:
You can also encrypt FS images, which is a much better solution in many cases IMO.

See http://daemonforums.org/showpost.php...2&postcount=23
I updated my post and quoted yours, thanks....
#8, 25th October 2008, graudeejs

Hmm, I found this on the net
http://bge-tard.blogspot.com/2007/09...on-system.html
The article is the same, but it also covers how to create a boot CD and make a fully encrypted FreeBSD disk.

This is a very good alternative to my post, and also might be a little faster
#9, 25th October 2008, Oliver_H

Quote, originally posted by killasmurf86:
What do you mean?
Could be possible to lose the encrypted partition after an upgrade. I had some experience with Linux kernel some time ago.
26th October 2008, graudeejs

I don't think so.....
As long as you have geom_eli loaded, and the passwords and keys to access it,

updating should improve things, not break them

Last edited by graudeejs; 26th October 2008 at 10:11 AM.