Booting a GELI encrypted hard disk

Norberto Meijome freebsd at meijome.net
Thu Oct 11 04:09:10 PDT 2007


On Wed, 10 Oct 2007 23:09:10 +0200
Roland Smith <rsmith at xs4all.nl> wrote:

> On Wed, Oct 10, 2007 at 02:34:16PM -0400, Steve Bertrand wrote:

> > > If you encrypted / and /usr, you might actually make the system more
> > > vulnerable to a known-plaintext attack, because there are a lot of files
> > > with well-known contents there.
> > 
> > I can get away with not having / encrypted, but I need /var encrypted
> > for databases and logs etc, /tmp so any temporary files are secured and
> > the swap file (swap very rarely gets used).
> 
> You can even encrypt /tmp with a one-time key (see 'geli onetime').

Don't forget to do the same with your swap partition :) It may be a bit slower,
but your swap would have quite a bit of interesting info if your system used it.

In my rc.conf, I have:

# ENCRYPTED SWAP PARTITION - OPTIONS
geli_swap_flags="-e aes -l 192 -s 4096 -d"

and /etc/fstab reads:

# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/ad0s1b.eli         none            swap    sw              0       0
[....]


> However using a USB device presents it's own problems. If you plug-in a
> USB stick there's no telling which device node it ends up with,
> depending on how many other USB devices are on the bus. To make device
> recognition easier, you should use a GEOM label on the USB stick, so
> you'll know which /dev/label/* device node it gets. And you'd probably
> have to hack an rc script to mount the USB stick _before_ the system
> tries to attach the GELI device(s).
[...]
> And remember that this USB stick is another thing you have to back-up
> and store in a safe place. It would be bad if you lost your data because
> your USB stick died or got lost.

Hmm.... I find it much easier to have my normal partitions in clear text, and
then have big files (4, 8 GB) which I attach as a device node and mount as
part of my normal directory tree.[1]

Why do this? Well, for a number of reasons that work for me:
- my backups are VERY simple. Unmount my encrypted disks, back up the lot. How
do you, safely and with commonly available tools, back up a fully encrypted
partition? (Yes, you could mount it, back up and encrypt the backup... but
that's doubling up too much.)

- I can take any of my disks and mount it in ANY other FreeBSD computer with
minimal fuss (even a FreeBSD VM).

- I find the whole thing about having to have the USB at boot time a bit of a
pain.

- same goes for keeping good, safe backups of USB keys...

- it works pretty well for specific work... e.g., you want to have all your DB
data kept safely: make the postgresql script depend on your script and you
will be prompted for it on startup.

<totally paranoid>
BTW, is any work being done on plausible deniability for geli? Such as
TrueCrypt's feature:
http://www.truecrypt.org/docs/?s=plausible-deniability
</tp>

thanks!!

[1]
---------------------
#!/bin/sh
# Clear a stale md unit 11 left over from a previous session (fails harmlessly
# if there is none).
sudo mdconfig -d -u 11

# Attach the image as md11, unlock it, fsck the *decrypted* device, then mount.
# 'geli detach -l' marks the provider for detach on last close, so a plain
# umount later also drops the GELI keys from memory.
sudo mdconfig -a -t vnode -f ~/blah.dsk -u 11 && \
  sudo geli attach /dev/md11 && \
  echo Running fsck... && \
  sudo fsck -p -t ufs /dev/md11.eli && \
  sudo geli detach -l /dev/md11 && \
  sudo mount -o noatime /dev/md11.eli ~/blah

# Hand the mountpoint to the unprivileged user.
sudo chown betom:betom ~/blah
------------------------------

and, the first time, to create blah.dsk:
# Fill the image with random data so unused space is indistinguishable from
# ciphertext (50000 x 1024 bytes here; size to taste).
dd if=/dev/random of=blah.dsk bs=1024 count=50000

# Attach the image as a vnode-backed memory disk (needs root).
sudo mdconfig -a -t vnode -f ./blah.dsk -u 13

# Write the GELI metadata (prompts for the passphrase), unlock the device, and
# put a UFS filesystem with soft updates on the decrypted provider.
sudo geli init -e AES -l 256 -s 4096 /dev/md13

sudo geli attach /dev/md13

sudo newfs -U /dev/md13.eli
--------------------------------
_________________________
{Beto|Norberto|Numard} Meijome

"I've dirtied my hands writing poetry, for the sake of seduction; that is, for
the sake of a useful cause." Dostoevsky

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
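The file-backed GELI volume workflow from footnote [1] above, written up as an added example (this is not code from the post, nor FreeBSD's own tooling). It differs from the footnote in two ways a practitioner would want: it lets mdconfig(8) pick the md unit and reads the unit name back from its output instead of hard-coding -u 11/-u 13, and on a wrong passphrase or a failed fsck it tears the half-built stack back down (geli detach, mdconfig -d) instead of leaving it attached. GELI_DRY_RUN=1 prints the commands instead of running them (the unit is then the placeholder "mdN"); the image path, mountpoint and "betom:betom" owner in the usage are assumptions.

```shell
#!/bin/sh
# Added example: file-backed GELI volume helpers (create / attach / detach).
# Not part of the original post. mdconfig -a prints the unit it allocates
# (e.g. "md11"), so the unit is read back rather than fixed with -u.
# GELI_DRY_RUN=1 prints every command instead of running it; the unit name is
# then the placeholder "mdN".
set -eu
: "${GELI_DRY_RUN:=0}"

# Privileged step: run under sudo, or print it in dry-run mode.
run() {
    if [ "$GELI_DRY_RUN" = 1 ]; then
        printf 'sudo %s\n' "$*"
    else
        sudo "$@"
    fi
}

# Unprivileged step (the image file belongs to the user, not to root).
as_user() {
    if [ "$GELI_DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Attach IMG as a vnode-backed memory disk; the chosen unit lands in MD_UNIT.
md_attach() {
    if [ "$GELI_DRY_RUN" = 1 ]; then
        run mdconfig -a -t vnode -f "$1"
        MD_UNIT=mdN
    else
        MD_UNIT=$(sudo mdconfig -a -t vnode -f "$1")
    fi
}

# Drop the GELI keys and free the md device for unit NAME (e.g. md11).
md_release() {
    run geli detach "/dev/$1.eli"
    run mdconfig -d -u "${1#md}"
}

# vol_create IMG SIZE_MB: random-filled image, GELI metadata, UFS filesystem.
vol_create() {
    img=$1; size_mb=$2
    as_user dd if=/dev/random of="$img" bs=1048576 count="$size_mb"
    md_attach "$img"
    run geli init -e AES -l 256 -s 4096 "/dev/$MD_UNIT"   # prompts for passphrase
    run geli attach "/dev/$MD_UNIT"
    run newfs -U "/dev/$MD_UNIT.eli"
    md_release "$MD_UNIT"
}

# vol_attach IMG MNT OWNER: unlock, fsck the *decrypted* device, mount.
# A wrong passphrase or a failed fsck leaves nothing half-attached.
# Prints the md unit so the caller can hand it to vol_detach later.
vol_attach() {
    img=$1; mnt=$2; owner=$3
    md_attach "$img"
    if ! run geli attach "/dev/$MD_UNIT"; then
        run mdconfig -d -u "${MD_UNIT#md}"
        return 1
    fi
    if ! run fsck -p -t ufs "/dev/$MD_UNIT.eli"; then
        md_release "$MD_UNIT"
        return 1
    fi
    run mount -o noatime "/dev/$MD_UNIT.eli" "$mnt"
    run chown "$owner" "$mnt"
    echo "$MD_UNIT"
}

# vol_detach MNT UNIT: unmount first, then clear the keys and free the md unit.
vol_detach() {
    run umount "$1"
    md_release "$2"
}

case "${1:-}" in
    create) vol_create "$2" "$3" ;;
    attach) vol_attach "$2" "$3" "$4" ;;
    detach) vol_detach "$2" "$3" ;;
    "")     ;;   # sourced, or run without arguments: only define the functions
    *)      echo "usage: $0 create IMG SIZE_MB | attach IMG MNT OWNER | detach MNT UNIT" >&2 ;;
esac
```

Typical use is `./geli-vol.sh create ~/blah.dsk 4096` once, then `./geli-vol.sh attach ~/blah.dsk ~/blah betom:betom` (which prints the unit, e.g. md11) and `./geli-vol.sh detach ~/blah md11` when done. If you lose track of a unit, `mdconfig -l -v` lists the attached images and `geli status` the attached providers. The post's `geli detach -l` is the other way to get the keys cleared on the last close; this script detaches explicitly so the order (umount, detach, mdconfig -d) is visible.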


More information about the freebsd-questions mailing list