- adding disk encryption with GBDE
- slightly altering the kernel
- mounting and testing the encrypted disks
Why encryption?
In the real world an attacker with physical access to a computer can pull out your disks and attach them to another machine, where your file permissions mean nothing. It could be a disgruntled employee, mum and dad, spies, the CIA, the Mafia, the police (identity theft)...
How many of us store sensitive data (credit card numbers, passwords, logins, scanned documents etc.) on unencrypted disks?
I want to store my sensitive data safely, so I decided to test gbde encryption.
64-bit FreeBSD disk encryption with gbde.
1. Add gbde(4) Support to the Kernel Configuration File
[root@server ~]# cd /usr/src/sys/amd64/conf && cp GENERIC MYBSD_BDE
[root@server /usr/src/sys/amd64/conf]# vi MYBSD_BDE
and add the following line to the kernel configuration file:
options GEOM_BDE
(If you would rather not rebuild the kernel, gbde is also available as a loadable module: kldload geom_bde, or geom_bde_load="YES" in /boot/loader.conf.)
1.1 Rebuild the kernel MYBSD_BDE and restart
# cd /usr/src
# make buildkernel KERNCONF=MYBSD_BDE && make installkernel KERNCONF=MYBSD_BDE
# reboot
2. Create a Directory to Hold gbde Lock Files
Anywhere will do; in my case:
[root@server ~]# mkdir /etc/gbde
Keep it readable by root only (chmod 700 /etc/gbde).
The gbde lock file contains the information gbde requires to access an encrypted partition (where on the device its lock sectors live). Without the lock file, gbde cannot decrypt the data in the partition without significant manual intervention, which the software does not support, so back it up somewhere safe and never keep the only copy on the encrypted partition itself. Each encrypted partition uses a separate lock file.
3. Initialize the gbde Partition
This initialization needs to be performed only once per device. With -i gbde opens the parameters in an editor; -L names the lock file to create:
# gbde init /dev/ad2s1g -i -L /etc/gbde/ad2s1g.lock
sector_size = 2048
number_of_keys = 2
BUT it complained:
/tmp/temp.WGLhhy415Y: 32 lines, 1136 characters.
gbde: sector_size not a proper number
gbde rejects the line if anything other than a plain integer follows the "=", so a stray character is enough to trigger this. Oddly, one disk kept refusing any change while the other accepted it:
sector_size = 1024
number_of_keys = 2
Save, and we are asked for a passphrase:
/tmp/temp.NytzBhD8QJ: 32 lines, 1135 characters.
Enter new passphrase:
Reenter new passphrase:
4. Attach the encrypted device:
[root@server ~]# gbde attach /dev/ad2s1g -l /etc/gbde/ad2s1g.lock
(gbde asks for the passphrase and creates /dev/ad2s1g.bde.)
5. Create a File System on the Encrypted Device
[root@server ~]# newfs -U -O2 /dev/ad2s1g.bde
/dev/ad2s1g.bde: 156203.3MB (319904448 sectors) block size 16384, fragment size 2048
using 851 cylinder groups of 183.72MB, 11758 blks, 23552 inodes.
with soft updates
super-block backups (for fsck -b #) at:
160, 376416, 752672, 1128928, 1505184, 1881440, 2257696, 2633952, ...
It keeps printing numbers for a while; that is fine.
# mount /dev/ad2s1g.bde /sys
6. Verify That the Encrypted File System is Available:
[root@server ~]# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ad2s1a 989M 512M 398M 56% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/ad2s1e 989M 18K 910M 0% /tmp
/dev/ad2s1f 19G 2.4G 15G 14% /usr
/dev/ad2s1d 4.8G 124M 4.3G 3% /var
/dev/ad2s1g.bde 148G 4.0K 136G 0% /sys
Same steps for the second ATA HDD. Quick look at the HDDs:
[root@server ~]# dmesg -a | egrep "ad[0123]:"
ad2: 190781MB at ata1-master UDMA100
ad3: 76318MB at ata1-slave UDMA100
Create a mountpoint somewhere, then key initialization first, attach, format and mount:
[root@server ~]# mkdir -p /mnt/2uHR696q
[root@server ~]# gbde init /dev/ad3a -i -L /etc/gbde/ad3a.lock
[root@server ~]# gbde attach /dev/ad3a -l /etc/gbde/ad3a.lock
[root@server ~]# newfs -U -O2 /dev/ad3a.bde
[root@server ~]# mount /dev/ad3a.bde /mnt/2uHR696q/
Verify that the encrypted file system(s) are available:
[root@server ~]# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ad2s1a 989M 512M 398M 56% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/ad2s1e 989M 18K 910M 0% /tmp
/dev/ad2s1f 19G 2.4G 15G 14% /usr
/dev/ad2s1d 4.8G 124M 4.3G 3% /var
/dev/ad2s1g.bde 148G 4.0K 136G 0% /sys
/dev/ad3a.bde 70G 4.0K 64G 0% /mnt/2uHR696q
Next steps later,
my server and I are going to sleep,
[root@server ~]# umount /sys/ && umount /mnt/2uHR696q/
[root@server ~]# halt -p
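The whole procedure above (steps 1 to 6, repeated for the second disk, plus the umount at the end) as one script. This is an added example written for this page, not code from the post or from FreeBSD; the device names, mountpoints, the LOCKDIR and DRY_RUN variables and the kldstat/kldload probe are my own assumptions. It adds the checks I would want before running it against a real disk: it refuses to `gbde init` a device that already has a lock file (a second init writes new lock sectors and the old data is gone), keeps the lock directory and lock files root-only, runs fsck before re-mounting an existing volume, and pairs the umount with a `gbde detach` at shutdown.

```shell
#!/bin/sh
# Added example, not from the original post: the init / attach / newfs / mount
# sequence as one script with the checks a practitioner wants before touching a
# disk. Assumptions (all hypothetical): FreeBSD, run as root, device and
# mountpoint given on the command line. DRY_RUN=1 prints the commands instead
# of running them.

LOCKDIR=${LOCKDIR:-/etc/gbde}   # same directory as in the post

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One lock file per device, named after the node: /dev/ad2s1g -> $LOCKDIR/ad2s1g.lock
lockfile_for() {
    printf '%s/%s.lock\n' "$LOCKDIR" "$(basename "$1")"
}

# gbde support is either compiled in (options GEOM_BDE) or loadable as geom_bde.
ensure_gbde() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    kldstat -q -m g_bde || kldload geom_bde
}

# First-time setup. Refuses to run if a lock file already exists: a second
# `gbde init` would write new lock sectors and make the old data unrecoverable.
gbde_setup() {
    dev=$1; mnt=$2
    lock=$(lockfile_for "$dev")
    if [ -e "$lock" ]; then
        echo "refusing: $lock exists; 'gbde init' would destroy the data on $dev" >&2
        return 1
    fi
    ensure_gbde || return 1
    run mkdir -p "$LOCKDIR"
    run chmod 700 "$LOCKDIR"            # lock files are root-only
    run mkdir -p "$mnt"
    run gbde init "$dev" -L "$lock"     # prompts for the passphrase; no -i, so defaults apply
    run chmod 600 "$lock"
    run gbde attach "$dev" -l "$lock"   # prompts again and creates $dev.bde
    run newfs -U -O2 "$dev.bde"
    run mount "$dev.bde" "$mnt"
}

# Later boots: attach, check, mount (the "mounting existing encrypted file systems" step).
gbde_open() {
    dev=$1; mnt=$2
    lock=$(lockfile_for "$dev")
    [ -f "$lock" ] || { echo "no lock file $lock for $dev" >&2; return 1; }
    ensure_gbde || return 1
    run gbde attach "$dev" -l "$lock"
    run fsck -p "$dev.bde"
    run mount "$dev.bde" "$mnt"
}

# Shutdown: unmount, then detach so the .bde device and its key material go away.
gbde_close() {
    dev=$1; mnt=$2
    run umount "$mnt"
    run gbde detach "$dev"
}

# e.g.  sh gbde-helper.sh setup /dev/ad3a /mnt/2uHR696q
case "${1:-}" in
    setup) gbde_setup "$2" "$3" ;;
    open)  gbde_open  "$2" "$3" ;;
    close) gbde_close "$2" "$3" ;;
esac
```

Run it once with `DRY_RUN=1` to see exactly which commands it would issue for your device before letting it near the disk; the only destructive step is `gbde init`, and that is the one guarded by the lock-file check.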
Next:
Mounting existing encrypted file systems, check and copy
Tests: power cut, reset, turning off, etc.
References:
gbde(8) and gbde(4) manual pages
FreeBSD Handbook: Encrypting Disk Partitions
FreeBSD Handbook: Adding Disks
Poul-Henning Kamp, GBDE - GEOM Based Disk Encryption, BSDCon '03, San Mateo, CA, USA