"sanitizing" disks: wiping swap, non-allocated space, and file-tails

Allan Fields bsd at afields.ca
Fri Aug 27 22:17:03 PDT 2004 

Hi, sorry I didn't get back on this sooner..

On Sat, Aug 14, 2004 at 05:57:44AM +0100, David Kreil wrote:
> 
> > > I wonder, in particular, what issues I have to expect in wanting to keep
> > > system relevant directories like /var on a gdbe partition.
> > 
> > The gbde attach should occur early enough during multiuser startup to avoid
> > such problems, I don't recall if the provided rc script would be sufficient,
> > I'll test a configuration soon, or let me know if you have any luck.
> 
> Have you yet had a chance to give it a try?
>
> I noticed that there have been additions to the rc.d script, like 
> "gbde_swap_enable". Would you know whether, if I used the rc.d approach, 

Yes, it provides a good way to quickly enable encrypted swap.

> whether that will that be early enough that I can have /var encrypted?
> Else, how/where should I otherwise link in (as early as possible but after the 
> non-US keyboard support has loaded)?

Key roles /var will play during startup:
  - logging: usually syslog or others want to write to /var/log
  - entropy: the entropy database default resides in /var/db (which
    is interesting, what effect does encrypting this have?)
  - run files: some daemons will create pid and lock files, others
    create sockets
  - networking: some network daemons use /var/db
  - mail: sendmail or other MDA might try to deliver some emails
  - savecore: crash dumps would be handled
  - etc..

Therefore you are correct, doing it properly requires that /var be
mounted well before any daemons start.  Following rcorder we get a
ranking w/ a few possible entry points:
  preseedrandom
  rcconf.sh
  initrandom
  dumpon
  vinum
  gbde_swap			<-
  gbde				<- here (works fine, no dependencies on /var yet)
  ccd				// should ccd come before gbde ?
  swap1
  early.sh -> /etc/rc.early	<- or perhaps here for custom attaches
  fsck
  root
  mountcritlocal
  var
  cleanvar	[ /var ]
  addswap
  sysctl
  random	[ /var/db/entropy ]
  NETWORKING	[ /var/db .. ]
  mountcritremote
    syslogd	[ /var/log ]
      savecore	[ /var/crash ]	// If encrypted swap, may not work
  etc.

  # grep -nR var `rcorder /etc/rc.d/*|awk '/mountcritlocal/{nextfile;} {print}'`

Note with the provided gbde rc script: -l/-L is required and expects
lock files to be made in /etc though you can also specify a gbde_lockdir
in /etc/rc.conf such as /etc/bde to store all your keys. (Remember
to take frequent back-ups).

> > There are several approaches to securing /etc, but I can elaborate
> > more after further testing.  The short term approach is not storing
> > private keys, etc. on an unencrypted root.  Support for encrypted
> > root is possible w/ some work, but there are a few issues to sort
> > out first.
> 
> Do I need an encrypted root? What would be the main benefit of this?

The benefit would be to guarantee that nothing of importance is
stored in the clear on /.

Normally / is limited to system files, but as you've mentioned system
files can be private keys or password databases, and it's possible for
something else to be written by anyone w/ sufficient permissions.
Restrictive permissions combined with encryption of sensitive areas
of the file system could prevent most leakage scenarios absent full
disk or root encryption.

> I think I'd need an encrypted /var (as it holds logs, mail&printer spool, 
> ...), and possibly /etc/ssh/ - any other sensitive system areas (besides swap).

You could easily use gbde here by using a vnode backed md, though
there are some more direct approaches to vnode level encryption:

Example md usage
setup:
    mv /etc/ssh /etc/ssh.dist
    mdconfig -a -t vnode -f /etc/ssh.bde -s 4m -u 22
    gbde init /dev/md22 -f /dev/stdin<<-_INIT_
	number_of_keys=4
	random_flush=yes
    _INIT_
    gbde attach /dev/md22
    newfs -o space /dev/md22.bde
    mkdir -p /etc/ssh; chmod 755 /etc/ssh
    mount /dev/md22.bde /etc/ssh
    cp -RPp /etc/ssh.dist/* /etc/ssh &&\
    rm -rf /etc/ssh.dist
startup:
    gbde attach /dev/md22 &&\
    mount /dev/md22.bde /etc/ssh
shutdown:
    umount /dev/md22.bde &&\
    gbde detach /dev/md22

The same of course would apply to any private keys/password databases
and certificates.

> Where do you stand now with your setup? I'd be grateful to learn from your 
> experience.

I've done the encrypted /var and /tmp successfully and w/ provided rc
scripts as well.  I will continue experimentation on GBDE for
root/full system image setups.

I plan to elaborate further on the subject and will post more details
to the lists.  I can try to collect some practical examples, as I
originally set out to do earlier this summer, and put up a web page.

> With many thanks again for your help,
> 
> David.
> 
> ------------------------------------------------------------------------
> Dr David Philip Kreil                 ("`-''-/").___..--''"`-._
> Research Fellow                        `6_ 6  )   `-.  (     ).`-.__.`)
> University of Cambridge                (_Y_.)'  ._   )  `._ `. ``-..-'
> ++44 1223 764107, fax 333992         _..`--'_..-_/  /--'_.' ,'
> www.inference.phy.cam.ac.uk/dpk20   (il),-''  (li),'  ((!.-'
> 

-- 
 Allan Fields, AFRSL - http://afields.ca
 2D4F 6806 D307 0889 6125  C31D F745 0D72 39B4 5541
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-fs/attachments/20040828/be3a6b84/attachment.bin

More information about the freebsd-fs mailing list