Encrypting a zfs zvol device with gbde

Alain De Vos

Alain De Vos

Why would you encrypt a zfs zvol device with gbde ? Because you can, and it is easy.
1.You stay away from system,boot&root partitions so you don't have boot problems.
2. Most private data is relative small. And fits in one directory with subdirectories.
Note : zfs allows encryption by itself but this method is more instructive.

Load the kernel module,
Code: 
kldload geom_bde.ko
Create the zvol
Code: 
zfs create -V 10G ZPOOL/private
Set the volmode
Code: 
zfs set volmode=full ZPOOL/private
Make a lock file directory
Code: 
mkdir /etc/gbde
Encrypt the device. Enter a passphrase. As blocksize you can choose 4096 which is 512*8
Code: 
gbde init /dev/zvol/ZPOOL/private -i -L /etc/gbde/private.lock
Format the encrypted device to UFS
Code: 
newfs -U -j -O 2 /dev/zvol/ZPOOL/private.bde
Mount the encrypted device,
Code: 
mkdir /private
mount /dev/zvol/ZPOOL/private.bde /private
Set ownership & rwx flags,
Code: 
chown myuser:mygroup /private
chmod 700 /private
The encrypted directory /private is ready to be used

A script to attach&mount,
Code: 
/sbin/gbde attach /dev/zvol/ZPOOL/private -l /etc/gbde/private.lock
/sbin/mount /dev/zvol/ZPOOL/private.bde /private
/bin/df -H | /usr/bin/grep private

A script to unmount&detatch,
Code: 
/sbin/umount /private
/bin/df -H | /usr/bin/grep private
/sbin/gbde detach /dev/zvol/ZPOOL/private
 
I'm wondering what would happen in case of an uncorrectable error. With zfs native encryption you would only lose one file, but I'm guessing you would lose the whole gbde partition.

Practically anyone that 's considering the use of gbde should choose geli instead. gbde was introduced in FreeBSD 5 and was, more or less, obsoleted by geli in 6. I don't think it's had any active development in about two decades. geli is much better.

There is a very niche reason for choosing gbde, but IMO the use case is a bit contrived. gbde has a way of destroying key material that can be verified by gbde(8). The idea is that if you are threatened with violence, you can demonstrate that you have made the data permanently inaccessible. Of course that relies on your attacker accepting a lesson in gbde, believing you and also being confident that you haven't hacked gbde(8).

There is a another way of creating small geli devices that I've found useful. You create a file backed md device and put geli + ufs on that. It's more flexible because you can move the backing file around and back it up without mounting.
 
You must log in or register to reply here.
Back
Top