HOWTO: Encrypting Virtual Disks


phil10
December 20th, 2010, 20:04
I recently faced a problem where I wanted to encrypt partitions on which FreeBSD was already installed. The alternative to erasing all of your disks is to use virtual disks.

Create the image file for the virtual disk, using a block size of 4096 bytes (the same sector size given to geli below)
% dd if=/dev/zero of=imageFile bs=4k count=<count of 4k blocks>

Create a file-backed memory disk from the image (unit 0, i.e. /dev/md0)
# mdconfig -a -t vnode -f imageFile -u 0

Now for the configuration of the geli(8) (http://www.freebsd.org/cgi/man.cgi?query=geli) tool.

Fetch some random data to encrypt the master key with. Keep this key file readable by root only (chmod 600): anyone who holds it together with the passphrase can unlock the disk.
# dd if=/dev/random of=/root/md0.key bs=64 count=1

Initialise the device with geli (you are asked for a passphrase here). geli init also writes a backup of the metadata to /var/backups/md0.eli, which is what the restore step below relies on.
# geli init -s 4096 -K /root/md0.key /dev/md0

Attach geli with the key to the newly created device
# geli attach -k /root/md0.key /dev/md0

This will create a device called /dev/md0.eli which is used in all future commands.

Create a new filesystem on the virtual disk
# newfs /dev/md0.eli

Mount the disk
# mount /dev/md0.eli <mountpoint>

Now you can use the disk, do whatever you want with it.

To unmount the filesystem and lock the device again
# umount <mountpoint>
# geli detach md0.eli

To restore from your metadata backup, for example if you accidentally cleared the device with geli(8) (http://www.freebsd.org/cgi/man.cgi?query=geli):
# geli restore /var/backups/md0.eli /dev/md0

Detach the memory disk completely from the system
# mdconfig -d -u 0

That's about it: with these simple commands you can create, encrypt and use a virtual memory disk.
For further reading about memory disks in FreeBSD please refer to Virtual Disks (http://www.freebsd.org/doc/handbook/disks-virtual.html).

Here are two really simple shell scripts that take care of mounting and unmounting the created memory disks:
mountImage.sh

#!/bin/sh
# Basic script to mount memory disks

mountImage()
{
	dev=$1
	dir=$2
	echo "mounting $dev at $dir"
	mount "$dev" "$dir"
}

echo "Give me the name of the image to mount"
read image

echo "Where to mount it?"
read mountDir

echo "Where is the geli key?"
read geliKey

baseDevice="/dev/md"

# get the first free minor number to mount it to
# (an empty "then" branch is a syntax error in sh, so test for "does not exist")
minorNumber=""
for candidate in 0 1 2 3 4 5 6 7 8 9 10
do
	device=$baseDevice$candidate
	if [ ! -e "$device" ]
	then
		echo "Found free device $device"
		minorNumber=$candidate
		break
	fi
done

if [ -z "$minorNumber" ]
then
	echo "No free md device found" >&2
	exit 1
fi

echo "Using $device to mount $image"

mdconfig -a -t vnode -f "$image" -u "$minorNumber"

exitStatus=$?
if [ $exitStatus -eq 0 ]
then
	echo "Created $device from $image"
	geli attach -k "$geliKey" "$device"
	if [ $? -eq 0 ]
	then
		mountImage "$device.eli" "$mountDir"
	fi
fi


and
umountImage.sh

#!/bin/sh
# Basic script to unmount memory disks

echo "What dir to unmount?"
read umountDir

echo "What device to detach with geli? (md0, md1, ...)"
read geliDevice

echo "What's its minor number? (0, 1, ...)"
read minor

# stop here if the filesystem is still busy; detaching would fail anyway
umount "$umountDir" || exit 1

device="/dev/$geliDevice.eli"

if [ -e "$device" ]
then
	geli detach "$device"

	mdconfig -d -u "$minor"
fi
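To complement the two mount/unmount scripts above, here is the creation side of the procedure (dd, mdconfig, key file, geli init/attach, newfs, mount) as one script. This is an added example, not code from the original post: the function name createImage, the DRY_RUN switch and the placeholder unit md0 used in dry runs are my own choices, and it assumes a FreeBSD host with mdconfig(8) and geli(8). Unlike the steps above it refuses to overwrite an existing image or key, creates the key file with mode 0600 via umask, lets mdconfig pick the first free unit (without -u it prints the unit name), passes the metadata backup path to geli init -B explicitly, and tears the md unit down again if a later step fails.

```shell
#!/bin/sh
# createImage.sh: create, encrypt, format and mount a new vnode-backed memory
# disk in one go. Added example, not from the original post. Assumes FreeBSD
# with mdconfig(8) and geli(8); set DRY_RUN=1 to print the commands instead of
# running them (useful for testing on a machine without geli).

# Run a command, or just print it when DRY_RUN=1.
run()
{
	if [ "${DRY_RUN:-0}" = 1 ]
	then
		echo "$*"
	else
		"$@"
	fi
}

# Number of 4 KiB blocks in SIZE_MIB mebibytes (1 MiB = 256 blocks of 4 KiB).
blocks_for_mib()
{
	echo $(( $1 * 256 ))
}

# Undo the mdconfig step when a later step fails, so no stale unit is left.
undo_md()
{
	run mdconfig -d -u "${1#md}"
}

# createImage IMAGE SIZE_MIB KEYFILE MOUNTPOINT
# Prints the md unit name (e.g. md3) as its last line on success and returns 0.
createImage()
{
	image=$1; size_mib=$2; keyfile=$3; mountpoint=$4

	# Never clobber an existing image or key: either would destroy data.
	if [ -e "$image" ]; then
		echo "refusing to overwrite existing image $image" >&2
		return 1
	fi
	if [ -e "$keyfile" ]; then
		echo "refusing to overwrite existing key $keyfile" >&2
		return 1
	fi

	# 1. Allocate the image file in 4 KiB blocks (matches geli init -s 4096).
	run dd if=/dev/zero of="$image" bs=4k count="$(blocks_for_mib "$size_mib")" || return 1

	# 2. Attach it as a memory disk. Without -u, mdconfig picks the first free
	#    unit itself and prints its name, so no scan of /dev/md* is needed.
	if [ "${DRY_RUN:-0}" = 1 ]; then
		echo "mdconfig -a -t vnode -f $image"
		unit=md0    # placeholder unit for dry runs (assumption)
	else
		unit=$(mdconfig -a -t vnode -f "$image") || return 1
	fi

	# 3. Key file: 64 bytes of randomness, created mode 0600 via umask so it is
	#    never readable by other users, not even briefly.
	if ! run sh -c "umask 077 && dd if=/dev/random of='$keyfile' bs=64 count=1"; then
		undo_md "$unit"; return 1
	fi

	# 4. Initialise geli (asks for the passphrase) with 4 KiB sectors and an
	#    explicit metadata backup path, then attach the .eli provider.
	if ! run geli init -s 4096 -K "$keyfile" -B "/var/backups/$unit.eli" "/dev/$unit" \
	   || ! run geli attach -k "$keyfile" "/dev/$unit"; then
		undo_md "$unit"; return 1
	fi

	# 5. Create the filesystem and mount it; on failure lock and detach again.
	if ! run newfs "/dev/$unit.eli" || ! run mount "/dev/$unit.eli" "$mountpoint"; then
		run geli detach "/dev/$unit.eli"; undo_md "$unit"; return 1
	fi

	echo "$unit"
}

# Usage: createImage.sh IMAGE SIZE_MIB KEYFILE MOUNTPOINT
if [ $# -eq 4 ]; then
	createImage "$@"
fi
```

Run it as root, e.g. `./createImage.sh /secure/disk.img 512 /root/disk.key /mnt/secure`; the unit name it prints is what you later feed to the unmount script. Note that the script stops and cleans up on the first failing step rather than continuing with a half-configured device.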