
Wednesday, 28 July 2010

64-bit FreeBSD 8.1-RC2 (GENERIC) setup, part 2

In this part I'm going to:

- add disk encryption with GBDE
- slightly alter the kernel
- mount and test encrypted disks

Why encryption?
In the real world, an attacker who has physical access to a computer may be able to access your disks and attach them to another computer. It could be a troubled employee, mama and daddy, spies, CIA, Mafia, Police (identity theft)...
How many of us store sensitive data (VISA cards, passwords, logins, scanned documents etc...) on unencrypted disks?

I wish to store my sensitive data, therefore I decided to test gbde encryption.

64-bit FreeBSD disk encryption with gbde.

1. Add gbde(4) Support to the Kernel Configuration File

[root@server ~]# cd /usr/src/sys/amd64/conf && cp GENERIC MYBSD_BDE
[root@server /usr/src/sys/amd64/conf]# vi MYBSD_BDE
and add the following line to the kernel configuration file:
options GEOM_BDE

1.1 Rebuild my kernel MYBSD_BDE and restart

# cd /usr/src
# make buildkernel KERNCONF=MYBSD_BDE && make installkernel KERNCONF=MYBSD_BDE
# reboot

2. Create a Directory to Hold gbde Lock Files (any location will do; in my case:)
[root@server ~]# mkdir /etc/gbde

The gbde lock file contains information that gbde requires to access encrypted partitions. Without access to the lock file, gbde will not be able to decrypt the data contained in the encrypted partition without significant manual intervention which is not supported by the software. Each encrypted partition uses a separate lock file.

3. Initialize the gbde Partition

This initialization needs to be performed only once per device:

# gbde init /dev/ad2s1g -i -L /etc/gbde/ad2s1g.lock
The command opens an editor; here are the recommended values for UFS1 and UFS2:
sector_size = 2048
number_of_keys = 2

BUT it complains:
"/tmp/temp.WGLhhy415Y: 32 lines, 1136 characters.
gbde: sector_size not a proper number"
It is a bit strange for now, as one disk refuses any change but on the other I altered the values successfully:

sector_size     =       1024
number_of_keys  =       2

Save, and we are asked for a passphrase:
/tmp/temp.NytzBhD8QJ: 32 lines, 1135 characters.
Enter new passphrase:
Reenter new passphrase:

4. Attach an encrypted device:

[root@server ~]# gbde attach /dev/ad2s1g -l /etc/gbde/ad2s1g.lock

5. Create a File System on the Encrypted Device

[root@server ~]# newfs -U -O2 /dev/ad2s1g.bde

/dev/ad2s1g.bde: 156203.3MB (319904448 sectors) block size 16384, fragment size 2048
        using 851 cylinder groups of 183.72MB, 11758 blks, 23552 inodes.
        with soft updates
super-block backups (for fsck -b #) at:
 160, 376416, 752672, 1128928, 1505184, 1881440, 2257696, 2633952,....
It prints numbers for a while... that's OK.

# mount /dev/ad2s1g.bde /sys

6. Verify That the Encrypted File System is Available:

[root@server ~]# df -h
Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/ad2s1a        989M    512M    398M    56%    /
devfs              1.0K    1.0K      0B   100%    /dev
/dev/ad2s1e        989M     18K    910M     0%    /tmp
/dev/ad2s1f         19G    2.4G     15G    14%    /usr
/dev/ad2s1d        4.8G    124M    4.3G     3%    /var
/dev/ad2s1g.bde    148G    4.0K    136G     0%    /sys

I did the same steps with the second ATA HDD.
Quick look at the HDDs:

[root@server ~]# dmesg -a | egrep "ad[0123]:"
ad2: 190781MB  at ata1-master UDMA100 
ad3: 76318MB  at ata1-slave UDMA100 

Create a mountpoint somewhere, then do the first key initialization, attach, format and mount.
Commands:

[root@server ~]# mkdir -p /mnt/2uHR696q
[root@server ~]# gbde init /dev/ad3a -i -L /etc/gbde/ad3a.lock
[root@server ~]# gbde attach /dev/ad3a -l /etc/gbde/ad3a.lock
[root@server ~]# newfs -U -O2 /dev/ad3a.bde
[root@server ~]# mount /dev/ad3a.bde /mnt/2uHR696q/

Verify That the Encrypted File System(s) is (are) available:

[root@server ~]# df -h
Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/ad2s1a        989M    512M    398M    56%    /
devfs              1.0K    1.0K      0B   100%    /dev
/dev/ad2s1e        989M     18K    910M     0%    /tmp
/dev/ad2s1f         19G    2.4G     15G    14%    /usr
/dev/ad2s1d        4.8G    124M    4.3G     3%    /var
/dev/ad2s1g.bde    148G    4.0K    136G     0%    /sys
/dev/ad3a.bde       70G    4.0K     64G     0%    /mnt/2uHR696q
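
The verification step above can be scripted. This is an added example, not part of the original post: if `gbde attach` or `mount` fails, the mountpoint is still an ordinary directory and anything copied into it lands unencrypted on the parent file system, so the check confirms that each mountpoint is backed by a `.bde` device. The function name `check_bde_mounts` and the variable `SAMPLE_DF` are made up for this example; the sample input is the `df -h` output shown above, and mountpoints are assumed to contain no spaces.

```sh
#!/bin/sh
# Added example: verify that mountpoints meant for sensitive data are really
# backed by an attached gbde device (device node name ending in ".bde").

# Constructed sample input: the df -h output from this page.
SAMPLE_DF='Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/ad2s1a        989M    512M    398M    56%    /
devfs              1.0K    1.0K      0B   100%    /dev
/dev/ad2s1e        989M     18K    910M     0%    /tmp
/dev/ad2s1f         19G    2.4G     15G    14%    /usr
/dev/ad2s1d        4.8G    124M    4.3G     3%    /var
/dev/ad2s1g.bde    148G    4.0K    136G     0%    /sys
/dev/ad3a.bde       70G    4.0K     64G     0%    /mnt/2uHR696q
'

# check_bde_mounts MOUNTPOINT...
# Reads df output on stdin, prints one status line per mountpoint and
# returns the number of mountpoints that are NOT on a .bde device.
check_bde_mounts() {
    df_out=$(cat)
    failures=0
    for mp in "$@"; do
        mp=${mp%/}                      # accept "/mnt/x/" as well as "/mnt/x"
        [ -n "$mp" ] || mp=/
        # Last matching line wins: the most recent mount is the visible one.
        dev=$(printf '%s\n' "$df_out" |
              awk -v mp="$mp" 'NR > 1 && $NF == mp { d = $1 } END { print d }')
        case "$dev" in
            *.bde) echo "OK      $mp on $dev" ;;
            "")    echo "MISSING $mp is not mounted (writes go to the parent file system)"
                   failures=$((failures + 1)) ;;
            *)     echo "PLAIN   $mp on $dev (not a gbde device)"
                   failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}

# Stand-alone run against the sample; /usr is included to show a failure.
# On a live system: df | check_bde_mounts /sys /mnt/2uHR696q
printf '%s' "$SAMPLE_DF" | check_bde_mounts /sys /mnt/2uHR696q /usr ||
    echo "mountpoints not on gbde: $?"
```

Running the check before copying data to the encrypted mountpoints, and again after every reboot, catches the case where the device was never attached.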

Next steps later; my server and I are going to sleep:
[root@server ~]# umount /sys/ && umount /mnt/2uHR696q/
[root@server ~]# halt -p

Next:
Mounting Existing Encrypted File Systems, check and copy
Tests: power cut, reset, turn off, etc...


              ,        ,
             /(        )`
             \ \___   / |
             /- _  `-/  '
            (/\/ \ \   /\
            / /   | `    \
            O O   ) /    |
            `-^--'`<;     '
           (_.)  _  )   /
            `.___/`    /
              `-----' /
 <----.     __ / __   \
 <----|====O)))==) \) /====
 <----'    `--' `.__,' \
              |        |
               \       /       /\
          ______( (_  / \______/
        ,'  ,-----'   |
        `--{__________)"

