Automatic Geli? - The FreeBSD Forums
The FreeBSD Forums > Development > Userland Programming & Scripting
#1, April 9th, 2012, 18:17
felixd (Junior Member)
Automatic Geli?

Hi!

Is it possible to recompile geli/the kernel so that it automatically enters the password and/or key? I'll explain with an example:

If you look at a cache system called SpeedR (http://www.speedr.com.br/?locale=en), on their site you can download the ISO and burn it to a CD (http://www.speedr.com.br/rc/speedr-0...rc18.2-x64.iso)

It's very interesting, because all partitions are encrypted with GELI, but there is no passphrase to enter at boot time and no key directives in the loader.conf file.

If you mount the partition on another FreeBSD system you see only the /boot dir. All files are secure!

At boot time you can see this:

Code:
Timecounters tick every 1.000 msec
ipfw2 initialized, divert enabled, nat enabled, rule-based forwarding enabled, default to accept, logging disabled
load_dn_sched dn_sched FIFO loaded
load_dn_sched dn_sched PRIO loaded
load_dn_sched dn_sched QFQ loaded
load_dn_sched dn_sched RR loaded
load_dn_sched dn_sched WF2Q+ loaded
usbus0: 12Mbps Full Speed USB v1.0
ad0: 20480MB <QEMU HARDDISK 0.10.2> at ata0-master WDMA2 
ugen0.1: <Intel> at usbus0
uhub0: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
ad1: 30720MB <QEMU HARDDISK 0.10.2> at ata0-slave WDMA2 
WARNING: ad0s1 expected rawoffset 0, found 63
uhub0: 2 ports with 2 removable, self powered
GEOM_ELI: Wrong key for ad0s1d. Tries left: 2.
ugen0.2: <QEMU 0.10.2> at usbus0
ums0: <Endpoint1 Interrupt Pipe> on usbus0
ums0: 3 buttons and [Z] coordinates ID=0
GEOM_ELI: Device ad0s1d.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: software
acd0: CDROM <QEMU DVD-ROM/0.10.2> at ata1-slave WDMA2 
SMP: AP CPU #2 Launched!
SMP: AP CPU #3 Launched!
SMP: AP CPU #1 Launched!
GEOM_ELI: Wrong key for ad0s1cd. Tries left: 2.
GEOM_ELI: Cannot create device ad0s1cd.eli.
Trying to mount root from ufs:ad0s1d.eli
GEOM_ELI: Device ad0s1g.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: software
GEOM_ELI: Device ad0s1f.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: software
GEOM_ELI: Device ad0s1e.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: software
How is it possible?

Important: I don't want to get inside this system! I just want to understand how it is possible to automatically mount geli partitions without entering any key or passphrase.

I saw many tutorials but they all ask to enter a passphrase!

Any ideas?

Thanks
Felix

Last edited by DutchDaemon; April 9th, 2012 at 18:37. Reason: Formatting & Style: http://forums.freebsd.org/showthread.php?t=8816 / http://forums.freebsd.org/showthread.php?t=18043
#2, April 10th, 2012, 08:32
zennybsd (Member)

Pretty interesting stuff!

Last edited by DutchDaemon; April 10th, 2012 at 17:41.
#3, April 10th, 2012, 12:26
SirDice (Moderator)

You can protect your GELI encrypted partition with a key, a passphrase or both. I'm guessing they only used a key. That would also mean the key is stored somewhere inside the /boot/ partition. Using that key you can decrypt the rest of the disk.

Not so very secure if you think about it. And I really wonder why it was done.
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
#4, April 10th, 2012, 12:42
fonz (Moderator)

Quote:
Originally Posted by SirDice View Post
Not so very secure if you think about it.
Not if the boot partition is on the same physical disk, but if it's on a removable medium such as a USB flash drive it does make sense to me.

@OP: It will undoubtedly be possible to hardwire a password into geli, but you'll have to root around in the source code for that.

Fonz
__________________
It's self-perpetuating a parahumanoidarianised.
-- Queen: "Back to Humans" (best song lyric ever)
#5, April 10th, 2012, 17:34
zennybsd (Member)

At first glance at felixd's description of SpeedR above, I thought that they first start the network service and then get the matching key from a remote server using authentication servers like FreeRADIUS/Diameter.

If they have the encryption keys embedded on the same physical drive where the OS is installed, I do not see any benefit in encryption, or did I miss something?

SirDice was right in his observation and I second him! ;-)
#6, April 10th, 2012, 17:54
fonz (Moderator)

Quote:
Originally Posted by zennybsd View Post
If they have encryption keys embedded to the same physical drive as to where the OS is installed, I do not see any benefit of encryption or did I miss something?
No, you didn't miss anything. Keyfiles make sense when they are put on a removable medium (e.g. a USB flash drive), but otherwise there's usually not much point.

Fonz
#7, April 10th, 2012, 22:05
felixd (Junior Member)

Hello!

The idea is: you can run the system but you cannot access the sources inside it, which is very interesting when you work with PHP, for example.

So, when the machine is off nobody can read data from it because it is encrypted.

When you turn the machine on it automatically enters a passphrase or key which is hidden somewhere that we cannot detect! Amazing!

My guess is that the keys/passphrase are compiled inside the kernel, so it's quite impossible to access it, but at the same time you can use the system!

I used the system without internet access and it mounted the partition OK! That's why I think that the "magic" is in the kernel!

Any ideas how it's done?

Regards
Felix

Last edited by DutchDaemon; April 11th, 2012 at 00:46.
#8, April 10th, 2012, 22:09
felixd (Junior Member)

It has been a challenge for me trying to figure out the logic of this!
#9, April 11th, 2012, 13:08
zennybsd (Member)

Quote:
Originally Posted by felixd View Post
My guess is that the keys/passphrase are compiled inside the kernel, so it's quite impossible to access it, but at the same time you can use the system!
[...]
Any ideas how it's done?
Disclaimer: I could be wrong; if so, please reply with reasons.

1) When I mounted the ISO, I saw everything in binary, including the kernel and userland. If it is a binary distribution, it is not possible to see the sources inside.

2) It may be running PHP converted to C++ using applications like HipHop, running without Apache and PHP separately.

3) I do not see any security in encryption with this approach, because once someone gets access to the hardware it will automatically spill out everything, as the keys are embedded.

4) There is nothing new about a switched-off machine not spilling out any data, encrypted or not! If you are concerned that somebody might pull the HDD out of the machine and try to access it with another machine, then it could be that the data is not accessible.

I am more interested in figuring out the workings of 1) and 4) as stated above than the remaining two. ;-)

Last edited by DutchDaemon; April 11th, 2012 at 21:31.
#10, April 11th, 2012, 15:19
SirDice (Moderator)

The ISO is just an install disk with a custom sysinstall.

Once installed, the root filesystem is indeed encrypted. loader.conf(5) contains these instructions:
Code:
vfs.root.mountfrom="ufs:ad0s1d.eli"
rootdev="ad0s1d"
Which you can simply mount on another system:
Code:
geli attach /dev/ada1s1d
# Just press [Enter] when asked for a password
mount /dev/ada1s1d.eli /mnt
Rather pointless really.
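The attach shown above works with an empty passphrase and no key file at all. The other way to get an unattended GELI unlock is the one guessed at in post #3: key files that the loader reads from the unencrypted boot file system and hands to the kernel, configured in loader.conf with the geli_<provider>_keyfile<N>_load, _type and _name variables documented in geli(8). The script below is an added example, not code from the thread or from SpeedR. It audits a loader.conf for such entries, reports which key files sit under /boot, and checks whether the root provider named in vfs.root.mountfrom is one of them. The sample loader.conf it runs on is constructed: only the vfs.root.mountfrom and rootdev lines come from the thread; the key file names, the keyfile entries themselves and the USB path for ad0s1e are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from SpeedR): audit a loader.conf for
# GELI providers that the loader will unlock from key files on the boot
# file system.  Variable names follow geli(8):
#   geli_<provider>_keyfile<N>_load="YES"
#   geli_<provider>_keyfile<N>_type="<provider>:geli_keyfile<N>"
#   geli_<provider>_keyfile<N>_name="<path the loader reads the key from>"

# Print "<provider> <keyfile> <yes|no>" for every keyfile entry read from
# stdin; the third column says whether the key file lives under /boot.
geli_keyfile_audit() {
    awk -F'=' '
        /^[[:space:]]*geli_[^=]*_keyfile[0-9]+_name[[:space:]]*=/ {
            prov = $1
            gsub(/[[:space:]]/, "", prov)
            sub(/^geli_/, "", prov)
            sub(/_keyfile[0-9]+_name$/, "", prov)
            path = $2
            gsub(/"/, "", path)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", path)
            print prov, path, (path ~ /^\/boot\// ? "yes" : "no")
        }'
}

# Print the GELI provider the kernel mounts root from, e.g. "ad0s1d" for
# vfs.root.mountfrom="ufs:ad0s1d.eli"; prints nothing if root is not on GELI.
geli_root_provider() {
    awk -F'=' '
        /^[[:space:]]*vfs\.root\.mountfrom[[:space:]]*=/ {
            v = $2
            gsub(/["[:space:]]/, "", v)
            sub(/^[^:]*:/, "", v)       # drop the "ufs:" file system prefix
            if (sub(/\.eli$/, "", v))   # only report GELI-backed roots
                print v
        }'
}

# Exit 0 when the root provider is unlocked from a key file under /boot, i.e.
# the disk decrypts itself; exit 1 otherwise.  Reads loader.conf from stdin.
geli_root_self_unlocking() {
    conf=$(cat)
    root=$(printf '%s\n' "$conf" | geli_root_provider)
    [ -n "$root" ] || return 1
    printf '%s\n' "$conf" | geli_keyfile_audit |
        awk -v r="$root" '$1 == r && $3 == "yes" { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Constructed sample loader.conf: the first two lines are the ones quoted in
# the thread; the keyfile entries and the USB path for ad0s1e are assumptions.
SAMPLE_LOADER_CONF='vfs.root.mountfrom="ufs:ad0s1d.eli"
rootdev="ad0s1d"
geli_ad0s1d_keyfile0_load="YES"
geli_ad0s1d_keyfile0_type="ad0s1d:geli_keyfile0"
geli_ad0s1d_keyfile0_name="/boot/keys/ad0s1d.key"
geli_ad0s1e_keyfile0_load="YES"
geli_ad0s1e_keyfile0_type="ad0s1e:geli_keyfile0"
geli_ad0s1e_keyfile0_name="/mnt/usbkey/ad0s1e.key"'

# Usage on a real system:  geli_root_self_unlocking < /boot/loader.conf
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOADER_CONF" | geli_keyfile_audit
    if printf '%s\n' "$SAMPLE_LOADER_CONF" | geli_root_self_unlocking; then
        echo "root provider decrypts itself from the boot file system"
    fi
fi
```

A `yes` in the last column for the root provider means whoever has the disk also has the key, which is the point made in posts #3 and #6. The script distinguishes paths, not media: if /boot itself lives on a removable stick the answer is still `yes`, and the setup is the one fonz describes rather than SpeedR's.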
#11, April 11th, 2012, 19:04
zennybsd (Member)

However, I am interested in knowing, or getting some hints on, how to create binaries as I stated in 1) in my post, and how to lock down a system with a USB-based key and the relevant password retrieved from remote servers.

It would be nice to have a system which, when booted, first starts the network, loads the keyfile from the USB disk and then retrieves the associated password from a remote server. It provides double security for the data. Maybe SirDice could throw some light on this. ;-)

Last edited by zennybsd; April 17th, 2012 at 08:34.
#12, April 12th, 2012, 08:04
SirDice (Moderator)

Quote:
Originally Posted by zennybsd View Post
It would be nice to have a system, which when booted first starts the network, loads the keyfile from the USB-disk and then retrieves the associated password from a remote server. It provides double security of the data. Maybe SirDice could throw some light on. ;-)
That's probably possible. It would need a bit of custom scripting, but I guess it could be done. I'd probably skip the passwords though and store the key on a remote server. Not the safest way to do it, but it would protect the data in case the server gets stolen.
#13, April 12th, 2012, 15:45
Crivens (Member)

One could have a local key for a remote file system image which holds your key, which would work with your passphrase to initialize your system beyond /boot.

So booting would involve first attaching the remote image file to an md device, adding the local key to it to create the geli provider, and then using the keyfile therein plus your passphrase to create the geli device for the rest of the system.

Now losing any of the three will render the data void, which may or may not be in your interest.
__________________
Optimists believe we live in the best world possible. Pessimists agree to this.

Two little lights, blinking out in a sky full of stars - we will never forget you. I miss you so much

Last edited by DutchDaemon; April 12th, 2012 at 16:08.
#14, April 13th, 2012, 09:51
zennybsd (Member)
In GNU/Linux, something similar is being developed, but ...

@SirDice & @Crivens: In GNU/Linux, something similar is being developed, called Mandos (https://wiki.recompile.se/wiki/Mandos). Besides, OpenQRM (http://www.thehumanape.org/tutorial/) already serves a similar purpose, but I am thinking of a solution specific to FreeBSD.

@SirDice:

Quote:
Not the safest way to do it...
Even when the keys are retrieved using ssh?

As Crivens suggested, it would be nice to get /boot loaded into an md with a local keyfile, with the password handy.
@Crivens:

Quote:
Now losing any of the three will render the data void, which may or may not be in your interest.
I only see two: /boot and then the password; which is the third? Did I miss something?

Would love to see a howto on your concept in HowTos section (http://forums.freebsd.org/forumdisplay.php?f=39). ;-)
#15, April 13th, 2012, 10:33
SirDice (Moderator)

Quote:
Originally Posted by zennybsd View Post
Even when the keys are retrieved using ssh?
Yes, the keys need to be accessible from the host. That means that everybody that has access to the host might be able to find the commands to fetch the keys. Once they have the keys it's pretty much game over.
#16, April 13th, 2012, 14:49
Crivens (Member)

Quote:
Originally Posted by zennybsd View Post
@Crivens: I only see two: /boot and then the password; which is the third? Did I miss something?
Yes, if someone makes away with your (maybe company-wide used) keyfile server you are also done for good.

The idea was that you need 3 parts to get the data decrypted on your machine.
You need the keyfile for your data partition (anything but /boot) and the passphrase. These two are separated and the keyfile is stored on some remote machine, but also in an encrypted form. To access it you need
a) the network connection to the file server, which then is subject to some BOFH's firewall skills.
b) the local key file to decrypt the remote keyfile into a file which, together with
c) your passphrase, gives the key to the local geli provider.

These together give you access; remove one and you have removed access to the files.
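The three-part unlock described in the two posts by Crivens above (#13 and #16), written out as a boot-time shell procedure. This is an added example, not code from the thread: all paths, the md unit number, the provider name ad0s1e, the key file name inside the image, and the assumption that remote.img has already been fetched over the network (the thread fixes no transport; scp or NFS would do) are mine, and the image is assumed to be a GELI-encrypted UFS file system holding the data key file. Only the check function runs without root and without FreeBSD; the rest needs geli(8) and mdconfig(8).

```shell
#!/bin/sh
# Added example (not from the thread): unlock a data provider with the three
# parts Crivens describes: (a) a remote image holding the data key file,
# (b) a local key file that opens that image, (c) a passphrase typed by the
# operator.  Paths, the md unit and the provider name are assumptions.
set -eu

REMOTE_IMG=/var/keys/remote.img     # (a), fetched earlier, e.g. scp keyserver:remote.img
LOCAL_KEY=/root/local.key           # (b); keep it off the data disk if you can
KEYS_MNT=/mnt/keys
MD_UNIT=9
DATA_PROV=ad0s1e                    # data provider; (c) is its passphrase
DATA_MNT=/data

# Fail closed before touching any device: both files must exist and be
# non-empty.  Returns 0 when usable, 1 with a message on stderr otherwise.
key_material_present() {
    img=$1; localkey=$2
    [ -s "$img" ]      || { echo "missing remote key image: $img" >&2; return 1; }
    [ -s "$localkey" ] || { echo "missing local key file: $localkey" >&2; return 1; }
    return 0
}

# (a)+(b): expose the remote image as a memory disk, attach it with the local
# key only (-p: no passphrase for this layer), then mount it read-only.
open_remote_keys() {
    mdconfig -a -t vnode -f "$REMOTE_IMG" -u "$MD_UNIT"
    geli attach -p -k "$LOCAL_KEY" "/dev/md$MD_UNIT"
    mkdir -p "$KEYS_MNT"
    mount -o ro "/dev/md$MD_UNIT.eli" "$KEYS_MNT"
}

# Tear the key image down again so the data key file is not left readable.
# Each step tolerates a partially opened state (see the trap in main).
close_remote_keys() {
    umount "$KEYS_MNT" 2>/dev/null || true
    geli detach "/dev/md$MD_UNIT.eli" 2>/dev/null || true
    mdconfig -d -u "$MD_UNIT" 2>/dev/null || true
}

# (c): attach the data provider with the key file from the image; geli(8)
# prompts for the passphrase because -p is not given.  The key file name
# inside the image is an assumption.
attach_data() {
    geli attach -k "$KEYS_MNT/$DATA_PROV.key" "/dev/$DATA_PROV"
    mount "/dev/$DATA_PROV.eli" "$DATA_MNT"
}

main() {
    key_material_present "$REMOTE_IMG" "$LOCAL_KEY" || exit 1
    # Whatever happens from here on, do not leave the key image attached.
    trap close_remote_keys EXIT
    open_remote_keys
    attach_data
}

# Run as root on the FreeBSD host:  sh unlock.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Removing any one part stops the procedure at a different point: no remote image or local key and key_material_present refuses to start, a wrong local key and the geli attach on the md device fails, a wrong passphrase and the data provider never appears. The EXIT trap closes the key image in every case, including the successful one, so the decrypted data key file is only reachable for the duration of the attach.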
#17, April 17th, 2012, 08:45
zennybsd (Member)

I am thinking of creating a firmware-type (NanoBSD/MiniBSD) embedded image with the 3-pronged file-access security (remote server, local keyfile on a USB stick and passphrase to the keyfile).

I am working on a hobby router project which, like normal routers on the market and like SpeedR, ships in binary form and does not give users root access to the firmware, while having three types of users (admin for customization, support for support staff doing technical tweaks, and user for other normal users) who can access the web server (thttpd) running on port 80. (Please do not mention that there are m0n0wall, pfSense and many others built on GNU/Linux; I am aware of them and use them, too.)

I would appreciate it if somebody could explain what tools and tweaks are needed to create such a binary image like SpeedR's. ;-) Thanks in advance!

Last edited by DutchDaemon; April 17th, 2012 at 18:55.