Re: Booting a GELI encrypted hard disk



On Wed, 10 Oct 2007 23:09:10 +0200
Roland Smith <rsmith@xxxxxxxxx> wrote:

On Wed, Oct 10, 2007 at 02:34:16PM -0400, Steve Bertrand wrote:

If you encrypted / and /usr, you might actually make the system more
vulnerable to a known-plaintext attack, because there are a lot of files
with well-known contents there.

I can get away with not having / encrypted, but I need /var encrypted
for databases and logs etc, /tmp so any temporary files are secured and
the swap file (swap very rarely gets used).

You can even encrypt /tmp with a one-time key (see 'geli onetime').

Don't forget to do the same with your swap partition :) It may be a bit slower,
but your swap would have quite a bit of interesting info if your system used it.

In my rc.conf, I have:

# ENCRYPTED SWAP PARTITION - OPTIONS
geli_swap_flags="-e aes -l 192 -s 4096 -d"

and /etc/fstab reads:

# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.eli none swap sw 0 0
[....]


However, using a USB device presents its own problems. If you plug in a
USB stick there's no telling which device node it ends up with,
depending on how many other USB devices are on the bus. To make device
recognition easier, you should use a GEOM label on the USB stick, so
you'll know which /dev/label/* device node it gets. And you'd probably
have to hack an rc script to mount the USB stick _before_ the system
tries to attach the GELI device(s).
[...]
And remember that this USB stick is another thing you have to back up
and store in a safe place. It would be bad if you lost your data because
your USB stick died or got lost.

Hmm... I find it much easier to have my normal partitions in clear text, and
then have big files (4, 8 Gb) which I attach as a device node and mount as
part of my normal directory tree.[1]

Why do this? Well, for a number of reasons that work for me:
- My backups are VERY simple. Unmount my encrypted disks, back up the lot. How
do you, safely and with commonly available tools, back up a fully encrypted
partition? (Yes, you could mount it, back up and encrypt the backup... but
that's doubling up too much.)

- I can take any of my disks and mount it in ANY other FreeBSD computer with
minimal fuss (even a FreeBSD VM).

- I find the whole thing about having to have the USB at boot time a bit of a
pain.

- Same goes for keeping good, safe backups of USB keys...

- It works pretty well for specific work... e.g., you want to have all your DB
data kept safely - make the postgresql script depend on your script and you
will be prompted for it on startup.

<totally paranoid>
BTW, is any work done on plausible deniability for geli? Such as TrueCrypt's
feature:
http://www.truecrypt.org/docs/?s=plausible-deniability
</tp>

thanks!!

[1]
---------------------
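#!/bin/sh
# Release md unit 11 in case an earlier run left it configured.
sudo mdconfig -d -u 11

# Attach the image file as /dev/md11, unlock it with GELI, check the
# filesystem, then mount it. "geli detach -l" marks the provider to be
# detached on last close, i.e. when the filesystem is unmounted.
sudo mdconfig -a -t vnode -f ~/blah.dsk -u 11 && \
sudo geli attach /dev/md11 && \
echo Running fsck... && \
sudo fsck -p -t ufs /dev/md11.eli && \
sudo geli detach -l /dev/md11 && \
sudo mount -o noatime /dev/md11.eli ~/blah

# Hand the mounted filesystem to the regular user.
sudo chown betom:betom ~/blah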
------------------------------

and, the first time, to create blah.dsk:
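# Create the backing file (about 50 MB), filled with random data.
dd if=/dev/random of=blah.dsk bs=1024 count=50000

# Expose the file as the memory disk /dev/md13.
mdconfig -a -t vnode -f ./blah.dsk -u 13

# Initialise GELI on it (AES, 256-bit key, 4096-byte sectors).
sudo geli init -e AES -l 256 -s 4096 /dev/md13

# Unlock it; the decrypted provider appears as /dev/md13.eli.
sudo geli attach /dev/md13

# Create a UFS filesystem with soft updates on the decrypted provider.
sudo newfs -U /dev/md13.eli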
--------------------------------
_________________________
{Beto|Norberto|Numard} Meijome

"I've dirtied my hands writing poetry, for the sake of seduction; that is, for
the sake of a useful cause." Dostoevsky

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
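
Added example, not part of the original message: a teardown-and-backup companion to the mount script in [1], illustrating the "unmount my encrypted disks, back up the lot" point. The function names, the RUN dry-run switch and the /backup destination are hypothetical, and the column layout assumed for `mdconfig -lv` output is stated in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): tear down a file-backed GELI
# container and copy its ciphertext. Function names, RUN and paths are hypothetical.

# RUN=echo (default) only prints the plan; RUN=sudo executes it on FreeBSD.
RUN=${RUN:-echo}

# Print the md unit (e.g. md11) backing image file $1. Reads `mdconfig -lv`
# output on stdin, assumed to be "unit type size path" columns with no
# whitespace in the path, e.g. (constructed sample line):
#   md11  vnode  48M  /home/betom/blah.dsk
# No output means the image is not attached.
md_unit_for_image() {
    awk -v img="$1" '$2 == "vnode" && $4 == img { print $1 }'
}

# Unmount, detach GELI (clears the keys from kernel memory), release the md
# unit, then copy the still-encrypted image. Any failure aborts before the
# copy, so a container that is still mounted is never backed up mid-write.
backup_container() {
    img=$1; mnt=$2; unit=$3; dest=$4
    $RUN umount "$mnt" || return 1
    # If the mount script used `geli detach -l`, the .eli provider is already
    # gone after umount; detach explicitly only when it still exists.
    if [ -e "/dev/${unit}.eli" ]; then
        $RUN geli detach "/dev/${unit}.eli" || return 1
    fi
    $RUN mdconfig -d -u "${unit#md}" || return 1
    $RUN cp -p "$img" "$dest"
}

# Usage on FreeBSD:
#   unit=$(mdconfig -lv | md_unit_for_image "$HOME/blah.dsk")
#   RUN=sudo backup_container "$HOME/blah.dsk" "$HOME/blah" "$unit" /backup/blah.dsk
```

The copy is taken only after the provider is detached, so the backup holds ciphertext alone and can be stored with ordinary tools.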