1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

HOWTO: create a GELI password/data safe

Discussion in 'Howtos and FAQs (Moderated)' started by aragon, Nov 24, 2009.

  1. aragon

    aragon New Member

    Thanks Received:
    I've seen friends use Password Safe to store all their many passwords that one typically creates these days, and I decided to put something simple together using FreeBSD's GELI encrypted storage module that I could use for passwords and other bits of simple data.

    So it works like this: create a md(4) device, initialise geli on it, put a file system on it, and mount it into your home dir. Once mounted you can put any kind of data in the directory you need, or structure your own password storage design - it could be as simple as a text file for each password, or as elaborate as a SQLite database for all your passwords, or anything else you can conjure up. I've written a small shell script to make mounting and unmounting easy, and which you can extend to do easy password storage/retrieval. At the end of the day your safe will be stored in a single file in your home directory which you can backup or copy to other systems.

    Setting up GELI has been covered many times, but for completeness I'll cover it again here. Feel free to read geli(8) if you want to delve deeper into it.

    First we're going to create a sparse file that will be our md vnode backend. I'm creating a 100 MB file, but feel free to go bigger or smaller. Thanks to sparse files, the space is only consumed when data is actually written to the file through use over time, not when it is generated with dd:

    dd if=/dev/zero of=gelisafe.md bs=1k seek=100k count=0

    To increase/decrease the size, increase/decrease the seek or bs parameters above. Do not touch the count parameter.

    Now create the md device:

    mdconfig -a -t vnode -f /usr/home/aragon/gelisafe.md

    That command will output the md device name, for example "md0". This will be our GELI provider, so let's now initialise GELI on it:

    geli init /dev/md0

    Enter a passphrase to use for encrypting/decrypting your data.

    Now attach and newfs your GELI device:

    geli attach md0 && newfs -U -O 1 -f 512 -b 4096 -i 8192 /dev/md0.eli

    If all went well you should be able to mount it somewhere. I mount it in my home directory. Be sure to first create the directory where you want it mounted.

    mount /dev/md0.eli /usr/home/aragon/gelisafe

    Now would be a good time to setup permissions/ownership in that filesystem, then umount and detach the GELI device:

    chown aragon:staff /usr/home/aragon/gelisafe
    umount /usr/home/aragon/gelisafe
    geli dettach md0

    If all went well there, go ahead and install security/sudo and add this to your sudoers file using the visudo command:

    aragon  ALL=(ALL) NOPASSWD: /usr/home/aragon/bin/safe.sh

    Of course, you would need to replace "aragon" with your own username.

    Now create ~/bin/safe.sh and paste this into it:

    cleanup () {
    	rm -f ${TMPFILE}
    case "$1" in
    	sudo ${0} _${1}
    	TMPFILE=$( mktemp -t safe ) || exit 1
    	trap cleanup 1 3 5 15 EXIT
    	mdconfig -l -v >${TMPFILE}
    	while read MDDEV MDTYPE MDSIZE MDPATH; do
    		if [ "${MDPATH}" = "${SAFEMD}" ]; then
    			geli status >${TMPFILE} || exit 1
    			while read GDEV GSTATUS GPROV; do
    				if [ "${GPROV}" = "${MDDEV}" ]; then
    					break 2
    			done <${TMPFILE}
    			geli attach -d ${MDDEV} || exit 1
    	done <${TMPFILE}
    	if [ ! ${ATTACHED} ]; then
    		MDDEV="$( mdconfig -a -t vnode -f ${SAFEMD} )" || exit 1
    		geli attach -d ${MDDEV} || exit 1
    	mount |grep -q ^/dev/${MDDEV}.eli && echo already mounted && exit 0
    	mount /dev/${MDDEV}.eli ${SAFEMOUNT}
    	umount ${SAFEMOUNT} || exit 1
    	dd if=/dev/random bs=64k count=1 2>/dev/null |md5
    	echo "$0: <mount|umount>" 1>&2
    	exit 1

    Before saving ~/bin/safe.sh, edit the SAFEMD and SAFEMOUNT variables near the top. Set them to the full path of your md vnode backend and where you want your safe mounted respectively.

    To mount and unmount your safe you should be able to run the following without root permissions:

    safe.sh mount
    safe.sh umount

    If those don't work, you might need to add ~/bin to your PATH.

    As a minor bonus I wrote in a simple password generator too:

    safe.sh genpass

    Once the safe is mounted, it is up to you to put data into it. The script doesn't do any of that for you. For example, if you want to store passwords in it you could just create one text file for each password using the file name as a password identifier. That's all up to you. Feel free to extend safe.sh yourself if you want to add automated password storage/retrieval functions, or whatever else you desire.

    Whenever you're done using your safe, don't forget to unmount it.
  2. graudeejs

    graudeejs Well-Known Member

    Thanks Received:
    for password keeping I recommend security/keepassx

    Use it, love it, can't live without it!