graudeejs
November 17th, 2008, 00:35
Today I decided to try and set up GELI for most of my system.
I would like to use it for the entire disk, but my PC can't boot from a USB stick, so I will leave root unencrypted.
You can leave only /boot unencrypted, but I find that in my situation leaving root unencrypted is better, because if anything goes wrong I can boot into single user mode without problems.
As you know, GELI isn't supported by sysinstall.
Recently I broke some things on my box and wanted to reinstall FreeBSD, so that's why.
Step 0) preparing
Back up your data to some safe place.
What do you need?
1x PC
1x HDD
FreeBSD CD or already installed freebsd
patience
Step 1) Get FreeBSD on disk
Note: if you already have FreeBSD on your disk, back up your data and skip this step.
I installed the bare minimum base and kernel.
My disk is detected as ad4:
ad4s1a - / - 512M
ad4s1b - swap - about 512M
ad4s2d - /usr - 10G
ad4s2e - /var - 1G
ad4s2f - /tmp - 12G
ad4s2g - /home - about 5G
ad4s3d - /home/files - rest of disk
Step 2) Reboot in single user mode
Back up /usr and /var to another disk/slice (you will need the backups later):
$ kldload geom_eli
$ mount -uo rw /
$ mount -a
$ cd /home/files
$ dump -0Lauf /home/files/usr.dump /usr
$ dump -0Lauf /home/files/var.dump /var
$ dump -0Lauf /home/files/root.dump /
$ cd /
$ umount /usr /var /tmp /home/files /home
Now you may want to sanitize the slice, i.e. overwrite it with random data so that no old plaintext survives next to the ciphertext:
$ dd if=/dev/random of=/dev/ad4s2 bs=1m
You can increase bs to speed things up (I use 16m or 8m, as my disk has a 16m buffer).
$ echo > /label
$ bsdlabel -R /dev/ad4s2 /label
This clears the bsdlabel from ad4s2, which means you will no longer see /dev/ad4s2d, /dev/ad4s2e, /dev/ad4s2f, /dev/ad4s2g.
Q: Why would you do that?
A: Because we are going to encrypt the entire slice /dev/ad4s2 and put a new label on the encrypted provider instead.
Step 3) Initialize GELI
For this one I won't use a keyfile, only a passphrase.
$ geli init -b -s 4096 /dev/ad4s2
Enter the passphrase twice.
$ geli attach /dev/ad4s2
Enter the passphrase.
-b means that the passphrase is asked for during boot, so the file systems can be mounted when the computer starts. This is important, so don't forget to type it. -s 4096 sets the provider's sector size to 4096 bytes instead of 512, which reduces the per-sector encryption overhead.
Step 4) Ugly mess with bsdlabel
You probably won't have an editor available, which is why I had to use this very ugly mess:
$ bsdlabel -w /dev/ad4s2.eli
$ bsdlabel -A /dev/ad4s2.eli > /label
$ geli detach /dev/ad4s2.eli
Now repeat step 3 once more and go straight to step 5 (skip step 4).
This is necessary to find out what values to enter in the bsdlabel, and you need to repeat step 3 because otherwise you will get a warning.
Yes, it sucks.
Step 5) Edit bsdlabel
$ cat /label
you should see something like this:
# /dev/ad4s2.eli:
2 partitions:
# size offset fstype [fsize bsize bps/cpg]
a: 7600751 2 unused 0 0
c: 7600753 0 unused 0 0 # "raw" part, don't edit
Echo the line that starts with c: (copy the size from your own output, it will differ from mine), then add the partitions:
$ echo 'c: 7600753 0 unused 0 0' > /label
$ echo 'd: 10G * 4.2BSD' >> /label
$ echo 'e: 1G * 4.2BSD' >> /label
$ echo 'f: 12G * 4.2BSD' >> /label
$ echo 'g: * * 4.2BSD' >> /label
$ bsdlabel -R /dev/ad4s2.eli /label
This makes partitions for /usr (10G), /var (1G), /tmp (12G) and /home (the rest). Note that the label is written to the encrypted provider /dev/ad4s2.eli, not to the raw slice: it is the .eli device that step 6 uses as /dev/ad4s2.elid and so on, and a label written to /dev/ad4s2 would land inside the ciphertext instead.
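The label file above can be generated instead of echoed line by line: keep the c: line from the bsdlabel -A output saved in step 4 and append the partitions you want. The following sh function is an added example, not from the original post; the sample bsdlabel output embedded in it is constructed from the step 5 listing, and the function assumes that output format. In single user mode you would run it as make_label d:10G e:1G f:12G 'g:*' < /label > /label.new and then bsdlabel -R /dev/ad4s2.eli /label.new.

```shell
#!/bin/sh
# make_label LETTER:SIZE ...
# Builds a bsdlabel(8) label file for an encrypted provider from the output of
# `bsdlabel -A <provider>` read on stdin: the "c:" (raw) partition line is
# kept and one 4.2BSD partition is appended per argument, e.g.
#   make_label d:10G e:1G f:12G 'g:*' < /label > /label.new
# ("*" = use the rest of the slice).  Fails instead of emitting a half-built
# label when stdin has no c: line or an argument is malformed.
make_label() {
    raw=$(sed -n 's/^[[:space:]]*\(c:[[:space:]][^#]*[^#[:space:]]\).*/\1/p' |
          sed 's/[[:space:]][[:space:]]*/ /g')
    if [ -z "$raw" ]; then
        echo "make_label: no c: partition line on stdin" >&2
        return 1
    fi
    out=$raw
    for spec in "$@"; do
        letter=${spec%%:*}
        size=${spec#*:}
        case "$letter" in
            [abdefgh]) ;;                   # c: is the raw partition, never user-defined
            *) echo "make_label: bad partition letter in '$spec'" >&2; return 1 ;;
        esac
        case "$size" in
            '*') ;;                         # rest of the slice
            ''|*[!0-9KMGT%]*) echo "make_label: bad size in '$spec'" >&2; return 1 ;;
        esac
        out="$out
$letter: $size * 4.2BSD"                    # offset "*" lets bsdlabel place it
    done
    printf '%s\n' "$out"
}

# Constructed sample: the `bsdlabel -A /dev/ad4s2.eli` output shown in step 5.
SAMPLE_BSDLABEL=$(cat <<'EOF'
# /dev/ad4s2.eli:
2 partitions:
#          size     offset    fstype   [fsize bsize bps/cpg]
  a:    7600751          2    unused        0     0
  c:    7600753          0    unused        0     0   # "raw" part, don't edit
EOF
)

# demo_label: the label for the layout used in this post (/usr, /var, /tmp, /home).
demo_label() {
    printf '%s\n' "$SAMPLE_BSDLABEL" | make_label d:10G e:1G f:12G 'g:*'
}

demo_label
```

The function refuses a c: argument and any size that is not digits with an optional K/M/G/T/% suffix or "*", so a typo produces an error rather than a label that bsdlabel -R would reject half-way through.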
Step 6) newfs and mount
$ newfs -U /dev/ad4s2.elid
$ newfs -U /dev/ad4s2.elie
$ newfs -U /dev/ad4s2.elif
$ newfs -U /dev/ad4s2.elig
$ mount /dev/ad4s2.elid /usr
$ mount /dev/ad4s2.elie /var
$ mount /dev/ad4s2.elif /tmp
$ mount /dev/ad4s2.elig /home
Step 7) restore files
$ mkdir /home/files
$ mount /dev/ad4s3d /home/files
$ cd /usr
$ restore -rf /home/files/usr.dump
$ cd /var
$ restore -rf /home/files/var.dump
Step 8) edit files
You need to edit /etc/fstab. For this, I did:
$ mv /etc/fstab /etc/fstab.bak
$ cat /etc/fstab.bak
and wrote the new /etc/fstab by hand using echo.
/etc/fstab (the changed lines are the four /dev/ad4s2.eli* entries):
# Device          Mountpoint    FStype  Options           Dump  Pass#
/dev/ad4s1b       none          swap    sw                0     0
/dev/ad4s1a       /             ufs     rw                1     1
/dev/ad4s2.elig   /home         ufs     rw                2     2
/dev/ad4s3d       /home/files   ufs     rw                2     2
/dev/ad4s2.elif   /tmp          ufs     rw,noatime,async  2     2
/dev/ad4s2.elid   /usr          ufs     rw                2     2
/dev/ad4s2.elie   /var          ufs     rw                2     2
/dev/acd0         /cdrom        cd9660  ro,noauto         0     0
The next thing is to load geli during boot, because I'm using the GENERIC kernel:
$ echo 'geom_eli_load="YES"' >> /boot/loader.conf
Step 9) reboot
You should now be able to reboot into multiuser mode without problems; because of -b, the kernel asks for the ad4s2 passphrase early in the boot, before the file systems are mounted.
Step 10) encrypt swap
Turn off swap:
$ swapoff /dev/ad4s1b
Again, you may want to sanitize the swap partition (and, before step 11, /dev/ad4s3):
$ dd if=/dev/random of=/dev/ad4s1b bs=1m
Now let's encrypt and enable swap:
$ geli onetime -d -e 3des /dev/ad4s1b
$ swapon /dev/ad4s1b.eli
(-e 3des selects Triple-DES, the slowest of the ciphers geli offers; leaving -e out gives the default, AES. -d detaches the provider on last close.)
You need to edit your /etc/fstab (the changed line is swap, now /dev/ad4s1b.eli):
# Device          Mountpoint    FStype  Options           Dump  Pass#
/dev/ad4s1b.eli   none          swap    sw                0     0
/dev/ad4s1a       /             ufs     rw                1     1
/dev/ad4s2.elig   /home         ufs     rw                2     2
/dev/ad4s3d       /home/files   ufs     rw                2     2
/dev/ad4s2.elif   /tmp          ufs     rw,noatime,async  2     2
/dev/ad4s2.elid   /usr          ufs     rw                2     2
/dev/ad4s2.elie   /var          ufs     rw                2     2
/dev/acd0         /cdrom        cd9660  ro,noauto         0     0
You'll also need to add the following line to your /etc/rc.conf, so that the geli rc script creates the one-time swap key at boot with the same flags:
geli_swap_flags="-d -e 3des"
Step 11) encrypt /dev/ad4s3
Unmount, sanitize, and clear the label:
$ umount /dev/ad4s3d
$ dd if=/dev/random of=/dev/ad4s3 bs=1m
$ echo > /label
$ bsdlabel -R /dev/ad4s3 /label
Make a 128-byte key file:
$ dd if=/dev/random of=/root/files.key bs=128 count=1
Initialize geli (this time with the keyfile and a passphrase).
I don't want to mount it at boot, so I don't use the -b option.
$ geli init -s 4096 -K /root/files.key /dev/ad4s3
Enter the passphrase twice.
$ geli attach -k /root/files.key /dev/ad4s3
Enter the passphrase.
Now there are 2 choices:
a) you can newfs -U /dev/ad4s3.eli and use it as is
b) you can make a label for /dev/ad4s3.eli (as I understand it, this is better, but I'm not sure)
Step 11.a)
$ newfs -U /dev/ad4s3.eli
$ mount /dev/ad4s3.eli /home/files
Edit fstab (the changed line is /home/files, now on /dev/ad4s3.eli, noauto with dump/pass 0 0 so it is neither mounted nor fsck'ed at boot):
# Device          Mountpoint    FStype  Options           Dump  Pass#
/dev/ad4s1b.eli   none          swap    sw                0     0
/dev/ad4s1a       /             ufs     rw                1     1
/dev/ad4s2.elig   /home         ufs     rw                2     2
/dev/ad4s3.eli    /home/files   ufs     rw,noauto         0     0
/dev/ad4s2.elif   /tmp          ufs     rw,noatime,async  2     2
/dev/ad4s2.elid   /usr          ufs     rw                2     2
/dev/ad4s2.elie   /var          ufs     rw                2     2
/dev/acd0         /cdrom        cd9660  ro,noauto         0     0
Step 11.b)
Do the same thing as in step 4, then reinitialize geli for /dev/ad4s3 (step 11); you don't need to generate a new key.
Then do the same thing as in step 5, but this time you only need to add one partition (d:). Use the c: line that bsdlabel -A printed for /dev/ad4s3.eli; its size will differ from the ad4s2 one shown here:
$ echo 'c: 7600753 0 unused 0 0' > /label
$ echo 'd: * * 4.2BSD' >> /label
$ bsdlabel -R /dev/ad4s3.eli /label
$ newfs -U /dev/ad4s3.elid
The 2nd line makes sure that all the space on the slice is used for partition d.
Now edit fstab (the changed line is /home/files, now on /dev/ad4s3.elid, noauto with dump/pass 0 0):
# Device          Mountpoint    FStype  Options           Dump  Pass#
/dev/ad4s1b.eli   none          swap    sw                0     0
/dev/ad4s1a       /             ufs     rw                1     1
/dev/ad4s2.elig   /home         ufs     rw                2     2
/dev/ad4s3.elid   /home/files   ufs     rw,noauto         0     0
/dev/ad4s2.elif   /tmp          ufs     rw,noatime,async  2     2
/dev/ad4s2.elid   /usr          ufs     rw                2     2
/dev/ad4s2.elie   /var          ufs     rw                2     2
/dev/acd0         /cdrom        cd9660  ro,noauto         0     0
Attaching /home/files
Next time you reboot, to attach /home/files, type as root:
$ geli attach -k /root/files.key /dev/ad4s3
Enter the passphrase.
$ mount /home/files
And that seems to be it.
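Steps 8, 10 and 11 edit three files that have to agree with each other (/etc/fstab, /boot/loader.conf and /etc/rc.conf), and a mistake in any of them shows up only as a hung or failed boot. The sh script below is an added example, not from the original post: check_geli_boot and the sample files it builds are constructed here, the fstab inside it is the final one from step 11.a, and the geli_devices variable it looks for is the rc.conf setting the FreeBSD handbook uses for providers that the geli rc script attaches at boot instead of -b. It flags a noauto entry whose dump/pass is not 0 0 (so fsck -p at boot is not asked to check a provider that is not attached yet), a missing geom_eli_load in loader.conf, and 3des in geli_swap_flags.

```shell
#!/bin/sh
# check_geli_boot FSTAB LOADER_CONF RC_CONF
# Pre-reboot sanity check for the three files this post edits once .eli
# providers appear in fstab.  Prints ERROR/WARN/INFO lines; the return value
# is the number of ERRORs, so it can sit directly in an if or && chain.
check_geli_boot() {
    fstab=$1 loader=$2 rcconf=$3
    errors=0 has_eli=0
    # fstab fields: device mountpoint type options dump pass
    while read -r dev mnt type opts dump pass; do
        case "$dev" in *.eli|*.eli[a-h]) ;; *) continue ;; esac   # comments/blank/plain skipped
        has_eli=1
        if [ "$type" = swap ]; then
            continue          # rc.d/geli generates a one-time key for .eli swap itself
        fi
        case ",$opts," in
        *,noauto,*)
            # attached by hand later: fsck -p at boot must not be told to check it
            if [ "$dump" != 0 ] || [ "$pass" != 0 ]; then
                echo "ERROR: $dev ($mnt) is noauto but dump/pass is '$dump $pass'; use 0 0"
                errors=$((errors + 1))
            fi ;;
        *)
            # mounted at boot: the provider has to be attached before mountcritlocal,
            # via 'geli init -b' (on-disk metadata, not checkable here) or geli_devices
            base=${dev%.eli*}; base=${base#/dev/}
            if ! grep -q "^geli_devices=.*$base" "$rcconf"; then
                echo "INFO: $dev ($mnt) mounts at boot and is not in geli_devices: it must have been 'geli init -b'-ed"
            fi ;;
        esac
    done < "$fstab"
    if [ "$has_eli" = 1 ] && ! grep -q '^geom_eli_load="YES"' "$loader"; then
        echo "ERROR: $loader lacks geom_eli_load=\"YES\" (required unless geom_eli is compiled into the kernel)"
        errors=$((errors + 1))
    fi
    if grep -q '^geli_swap_flags=.*3des' "$rcconf"; then
        echo "WARN: geli_swap_flags selects 3des, the slowest cipher geli offers; leaving -e out gives AES"
    fi
    return $errors
}

# Constructed sample configs: the final fstab of this post plus the loader.conf
# and rc.conf lines it adds ("good"), and a variant with two mistakes ("bad":
# noauto entry with pass 2, geom_eli_load missing).
write_sample_configs() {   # $1 = directory, $2 = good|bad
    if [ "$2" = good ]; then
        pass='0     0'; echo 'geom_eli_load="YES"' > "$1/loader.conf"
    else
        pass='2     2'; : > "$1/loader.conf"
    fi
    cat > "$1/fstab" <<EOF
# Device          Mountpoint    FStype  Options           Dump  Pass#
/dev/ad4s1b.eli   none          swap    sw                0     0
/dev/ad4s1a       /             ufs     rw                1     1
/dev/ad4s2.elig   /home         ufs     rw                2     2
/dev/ad4s3.eli    /home/files   ufs     rw,noauto         $pass
/dev/ad4s2.elif   /tmp          ufs     rw,noatime,async  2     2
/dev/ad4s2.elid   /usr          ufs     rw                2     2
/dev/ad4s2.elie   /var          ufs     rw                2     2
EOF
    echo 'geli_swap_flags="-d -e 3des"' > "$1/rc.conf"
}

# demo_errors good|bad: run the check on a sample config and print the error count.
demo_errors() {
    d=$(mktemp -d) || return 1
    write_sample_configs "$d" "$1"
    if check_geli_boot "$d/fstab" "$d/loader.conf" "$d/rc.conf" >/dev/null; then n=0; else n=$?; fi
    rm -rf "$d"
    echo "$n"
}

for kind in good bad; do
    d=$(mktemp -d) && write_sample_configs "$d" "$kind"
    echo "== $kind config =="
    check_geli_boot "$d/fstab" "$d/loader.conf" "$d/rc.conf"
    echo "errors: $?"
    rm -rf "$d"
done
```

On a real box run check_geli_boot /etc/fstab /boot/loader.conf /etc/rc.conf before each reboot; the INFO lines are a reminder of which providers depend on the -b flag stored in their metadata, which only geli dump on the raw slice can confirm.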
NOTE
Don't forget the passphrases, and don't lose the key file.
Keep the key file in a safe place (a USB stick, perhaps) and make a backup of it, just in case. Remember that /root is on the unencrypted root partition, so a key file left there only adds protection if the passphrase is strong. geli also has a backup subcommand (geli backup <provider> <file>) that saves the metadata sector; without that sector the provider cannot be attached at all, even with the right passphrase and key, so back it up as well.
It's possible to leave only /boot unencrypted, but for that you might need another HDD.
It is also possible to encrypt the entire disk, but then you need a USB stick with /boot on it and a PC that can boot from flash.
To those who wonder why swap is encrypted separately: because I don't need a passphrase for swap.
It uses a one-time key (geli onetime) that is generated randomly at attach time and thrown away on detach, so there is no way to decrypt the swap contents afterwards.
Also, if necessary, you can modify this setup and use it elsewhere later (for example, create a d: partition).
Resources
man geli (http://www.freebsd.org/cgi/man.cgi?query=geli&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html)
Handbook 18.16.2 (http://www2.lv.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html)
handbook 18.17 (http://www2.lv.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html)
I hope this was useful for someone.
If you have questions, ask, I will answer.
And if anyone has a better idea of how to avoid the annoying step 4, let me know.