HOWTO: create a GELI password/data safe

Would you like to share some of your solutions for certain problems? Tips or tricks? Post here. All new topics are automatically moderated.

HOWTO: create a GELI password/data safe

Postby aragon » 24 Nov 2009, 03:59

[SIZE="4"]Introduction[/SIZE]
I've seen friends use Password Safe to store all their many passwords that one typically creates these days, and I decided to put something simple together using FreeBSD's GELI encrypted storage module that I could use for passwords and other bits of simple data.

[SIZE="4"]Description[/SIZE]
So it works like this: create a [man=4]md[/man] device, initialise geli on it, put a file system on it, and mount it into your home dir. Once mounted you can put any kind of data in the directory you need, or structure your own password storage design - it could be as simple as a text file for each password, or as elaborate as a SQLite database for all your passwords, or anything else you can conjure up. I've written a small shell script to make mounting and unmounting easy, and which you can extend to do easy password storage/retrieval. At the end of the day your safe will be stored in a single file in your home directory which you can backup or copy to other systems.

[SIZE="4"]Setup[/SIZE]
Setting up GELI has been covered many times, but for completeness I'll cover it again here. Feel free to read [man=8]geli[/man] if you want to delve deeper into it.

First we're going to create a sparse file that will be our md vnode backend. I'm creating a 100 MB file, but feel free to go bigger or smaller. Thanks to sparse files, the space is only consumed when data is actually written to the file through use over time, not when it is generated with dd:

Code: Select all
dd if=/dev/zero of=gelisafe.md bs=1k seek=100k count=0


To increase/decrease the size, increase/decrease the seek or bs parameters above. Do not touch the count parameter.

Now create the md device:

Code: Select all
mdconfig -a -t vnode -f /usr/home/aragon/gelisafe.md


That command will output the md device name, for example "md0". This will be our GELI provider, so let's now initialise GELI on it:

Code: Select all
geli init /dev/md0


Enter a passphrase to use for encrypting/decrypting your data.

Now attach and newfs your GELI device:

Code: Select all
geli attach md0 && newfs -U -O 1 -f 512 -b 4096 -i 8192 /dev/md0.eli


If all went well you should be able to mount it somewhere. I mount it in my home directory. Be sure to first create the directory where you want it mounted.

Code: Select all
mount /dev/md0.eli /usr/home/aragon/gelisafe


Now would be a good time to setup permissions/ownership in that filesystem, then umount and detach the GELI device:

Code: Select all
chown aragon:staff /usr/home/aragon/gelisafe
umount /usr/home/aragon/gelisafe
geli dettach md0


If all went well there, go ahead and install [port]security/sudo[/port] and add this to your sudoers file using the visudo command:

Code: Select all
aragon  ALL=(ALL) NOPASSWD: /usr/home/aragon/bin/safe.sh


Of course, you would need to replace "aragon" with your own username.

Now create [FILE]~/bin/safe.sh[/FILE] and paste this into it:

Code: Select all
#!/bin/sh

cleanup () {
   rm -f ${TMPFILE}
}

SAFEMD=/usr/home/aragon/gelisafe.md
SAFEMOUNT=/usr/home/aragon/gelisafe

case "$1" in
mount|umount)
   sudo ${0} _${1}
   ;;
_mount)
   TMPFILE=$( mktemp -t safe ) || exit 1
   trap cleanup 1 3 5 15 EXIT
   mdconfig -l -v >${TMPFILE}
   while read MDDEV MDTYPE MDSIZE MDPATH; do
      if [ "${MDPATH}" = "${SAFEMD}" ]; then
         geli status >${TMPFILE} || exit 1
         while read GDEV GSTATUS GPROV; do
            if [ "${GPROV}" = "${MDDEV}" ]; then
               ATTACHED=1
               break 2
            fi
         done <${TMPFILE}
         geli attach -d ${MDDEV} || exit 1
         ATTACHED=1
         break
      fi
   done <${TMPFILE}
   if [ ! ${ATTACHED} ]; then
      MDDEV="$( mdconfig -a -t vnode -f ${SAFEMD} )" || exit 1
      geli attach -d ${MDDEV} || exit 1
   fi
   mount |grep -q ^/dev/${MDDEV}.eli && echo already mounted && exit 0
   mount /dev/${MDDEV}.eli ${SAFEMOUNT}
   ;;
_umount)
   umount ${SAFEMOUNT} || exit 1
   ;;
genpass)
   dd if=/dev/random bs=64k count=1 2>/dev/null |md5
   ;;
*)
   echo "$0: <mount|umount>" 1>&2
   exit 1
   ;;
esac


Before saving [file]~/bin/safe.sh[/file], edit the SAFEMD and SAFEMOUNT variables near the top. Set them to the full path of your md vnode backend and where you want your safe mounted respectively.

[SIZE="4"]Use[/SIZE]
To mount and unmount your safe you should be able to run the following without root permissions:

Code: Select all
safe.sh mount
safe.sh umount


If those don't work, you might need to add [file]~/bin[/file] to your PATH.

As a minor bonus I wrote in a simple password generator too:

Code: Select all
safe.sh genpass


Once the safe is mounted, it is up to you to put data into it. The script doesn't do any of that for you. For example, if you want to store passwords in it you could just create one text file for each password using the file name as a password identifier. That's all up to you. Feel free to extend safe.sh yourself if you want to add automated password storage/retrieval functions, or whatever else you desire.

Whenever you're done using your safe, don't forget to unmount it.
aragon
Giant Locked
 
Posts: 2031
Joined: 16 Nov 2008, 17:04
Location: Cape Town, South Africa

Postby graudeejs » 24 Nov 2009, 07:56

for password keeping I recommend [port]security/keepassx[/port]



Use it, love it, can't live without it!
User avatar
graudeejs
Style(9) Addict
 
Posts: 4591
Joined: 16 Nov 2008, 23:23
Location: Riga, Latvia


Return to Howtos & FAQs (Moderated)

Who is online

Users browsing this forum: No registered users and 0 guests