#1 2013-07-18 15:28:28

N008
Member
Registered: 2013-07-18
Posts: 1

full disk encryption (UFS)

Hi there,

great project and thanks for your enthusiasm!

I wanted to enable some kind of full disk encryption and kindly wanted to ask if there are any existing solutions for that?
Because you've enabled geom_eli at startup, I thought it could be done the FreeBSD way like that:

#######################
gpart destroy -F ada0
gpart create -s gpt ada0

gpart add -t freebsd-boot -s 512k -a 4k -l ssdbootblk ada0    # I use 512k instead of 64k
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0
gpart add -t freebsd-ufs -s 512m -l ssdboot -b 1m ada0
gpart add -t freebsd-ufs -l ssdrootfs -a 1m ada0

newfs -U -t /dev/gpt/ssdboot    # I don't want either journaling or swap on my SSD
mount /dev/gpt/ssdboot /mnt

dd if=/dev/random of=/mnt/encryption.key bs=4096 count=1
geli init -a HMAC/SHA256 -b -B /mnt/ada0p3.eli -e AES-XTS -K /mnt/encryption.key -l 256 -s 4096 /dev/ada0p3
geli attach -k /mnt/encryption.key /dev/ada0p3
dd if=/dev/zero of=/dev/ada0p3.eli bs=1m

umount /mnt
newfs -U -t /dev/ada0p3.eli
mount /dev/ada0p3.eli /mnt
mkdir /mnt/bootdir
mount /dev/ada0p2 /mnt/bootdir

{dhclient, pacstrap etc. ...}
chroot /mnt

echo 'vfs.root.mountfrom="ufs:/dev/ada0p3.eli"' >> /boot/loader.conf
echo 'aesni_load="YES"' >> /boot/loader.conf
echo 'geom_eli_load="YES"' >> /boot/loader.conf
echo 'geli_ada0p3_keyfile0_load="YES"' >> /boot/loader.conf
echo 'geli_ada0p3_keyfile0_type="ada0p3:geli_keyfile0"' >> /boot/loader.conf
echo 'geli_ada0p3_keyfile0_name="/boot/encryption.key"' >> /boot/loader.conf

echo '/dev/ada0p3.eli   /          ufs   rw,noatime   1   1' >> /etc/fstab
echo '/dev/ada0p2       /bootdir   ufs   rw,noatime   1   1' >> /etc/fstab

{setting zoneinfo, hostname etc. ...}

cd /
mv boot bootdir/
ln -fs bootdir/boot
cd bootdir
mv encryption.key ada0p3.eli boot/

{passwd etc. ...}
#######################

Some comments on the individual steps can be found in this blog, which helped me get this stuff working (as a script) on FreeBSD:
https://www.dan.me.uk/blog/2012/05/05/f … ll-almost/
And here is another one for the SSD background: http://www.wonkity.com/~wblock/docs/html/ssd.html

I've seen that ArchBSD is using GRUB. How could I tell this boot manager to handle this encrypted .eli device?
Or should I try to use an alternative way?

Thanks for any help.


#2 2013-07-18 22:13:29

Amzo
Administrator
Registered: 2013-01-21
Posts: 144

Re: full disk encryption (UFS)

Grub is optional. The above should work, as the base is pure FreeBSD. You can also choose freebsd-init if you want to have the FreeBSD default init and /etc/rc.conf, so most guides for FreeBSD disk setup will apply.


#3 2013-07-19 10:32:51

Amzo
Administrator
Registered: 2013-01-21
Posts: 144

Re: full disk encryption (UFS)

Anyways, I've been doing some digging with grub. And you should be able to have an encrypted root and still use grub.

set kFreeBSD.vfs.root.mountfrom=ufs:/dev/ada0p3.eli

Now it's just looking to get the geli modules loaded.

kfreebsd_module_elf     /boot/kernel/aesni.ko
kfreebsd_module_elf     /boot/kernel/geom_eli.ko

As for the rest, I'll have to do some more digging. The modules can be passed arguments ('type=blah'), which could possibly cover the last options to point to the key files.

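The layout in post #1 and the GRUB lines in post #3 both hinge on one string, the provider name (ada0p3): it has to appear identically in vfs.root.mountfrom, in every geli_*_keyfile0 variable and its *_type tag, in the fstab root entry and in the grub.cfg mountfrom setting. geli looks up preloaded key files by that tag, so a typo in any one of them leaves the encrypted root unattachable at boot, which is only discovered after reboot. The following POSIX shell script is an added example, not code from either poster: it checks those files for consistency so the check can be run from inside the chroot before leaving it. The sample files are constructed inline from the values in the thread; the mistyped "bad" variant, the make_samples helper and the directory names are assumptions made for the demo.

```shell
#!/bin/sh
# Pre-reboot consistency check for the GELI-on-UFS layout from this thread.
# Added example, not from the original posts. Assumes a provider name such as
# ada0p3 (the root is /dev/${prov}.eli) and explicit paths to the files to check.

# require_line FILE LINE -> 0 if FILE contains LINE as a whole line, else 1
require_line() {
    grep -qxF -- "$2" "$1" && return 0
    echo "MISSING in $1: $2" >&2
    return 1
}

# check_loader_conf LOADER_CONF PROVIDER KEYFILE
# vfs.root.mountfrom, every geli_<prov>_keyfile0_* variable and the *_type tag
# must name the same provider; geli finds preloaded key files by that tag.
check_loader_conf() {
    _conf=$1; _prov=$2; _key=$3; _rc=0
    require_line "$_conf" 'geom_eli_load="YES"' || _rc=1
    require_line "$_conf" "vfs.root.mountfrom=\"ufs:/dev/${_prov}.eli\"" || _rc=1
    require_line "$_conf" "geli_${_prov}_keyfile0_load=\"YES\"" || _rc=1
    require_line "$_conf" "geli_${_prov}_keyfile0_type=\"${_prov}:geli_keyfile0\"" || _rc=1
    require_line "$_conf" "geli_${_prov}_keyfile0_name=\"${_key}\"" || _rc=1
    return $_rc
}

# check_fstab FSTAB PROVIDER -> 0 if "/" is mounted from /dev/${PROVIDER}.eli
check_fstab() {
    awk -v dev="/dev/$2.eli" '
        /^[[:space:]]*#/ { next }
        $2 == "/" { found = 1; if ($1 == dev) ok = 1 }
        END { if (found && ok) exit 0; exit 1 }' "$1"
}

# check_grub_cfg GRUB_CFG PROVIDER -> 0 if the entry loads geom_eli.ko and sets
# kFreeBSD.vfs.root.mountfrom to the .eli provider (the two lines from post #3)
check_grub_cfg() {
    _cfg=$1; _prov=$2; _rc=0
    grep -Eq '^[[:space:]]*kfreebsd_module_elf[[:space:]]+/boot/kernel/geom_eli\.ko[[:space:]]*$' "$_cfg" \
        || { echo "MISSING in $_cfg: kfreebsd_module_elf /boot/kernel/geom_eli.ko" >&2; _rc=1; }
    grep -Eq "^[[:space:]]*set[[:space:]]+kFreeBSD\.vfs\.root\.mountfrom=ufs:/dev/${_prov}\.eli[[:space:]]*$" "$_cfg" \
        || { echo "MISSING in $_cfg: set kFreeBSD.vfs.root.mountfrom=ufs:/dev/${_prov}.eli" >&2; _rc=1; }
    return $_rc
}

# make_samples -> prints a temp directory of constructed sample files:
# good/ holds the values from posts #1 and #3; bad/ holds a loader.conf whose
# *_type tag names the wrong provider (ada0p2), a typo constructed for the demo.
make_samples() {
    _dir=$(mktemp -d) && mkdir -p "$_dir/good" "$_dir/bad" || return 1
    cat > "$_dir/good/loader.conf" <<'EOF'
vfs.root.mountfrom="ufs:/dev/ada0p3.eli"
aesni_load="YES"
geom_eli_load="YES"
geli_ada0p3_keyfile0_load="YES"
geli_ada0p3_keyfile0_type="ada0p3:geli_keyfile0"
geli_ada0p3_keyfile0_name="/boot/encryption.key"
EOF
    sed 's/^geli_ada0p3_keyfile0_type=.*/geli_ada0p3_keyfile0_type="ada0p2:geli_keyfile0"/' \
        "$_dir/good/loader.conf" > "$_dir/bad/loader.conf"
    cat > "$_dir/good/fstab" <<'EOF'
/dev/ada0p3.eli   /          ufs   rw,noatime   1   1
/dev/ada0p2       /bootdir   ufs   rw,noatime   1   1
EOF
    cat > "$_dir/good/grub.cfg" <<'EOF'
kfreebsd_module_elf     /boot/kernel/aesni.ko
kfreebsd_module_elf     /boot/kernel/geom_eli.ko
set kFreeBSD.vfs.root.mountfrom=ufs:/dev/ada0p3.eli
EOF
    echo "$_dir"
}

# Stand-alone demo on the constructed samples. Against a real install, run the
# checks from inside the chroot of post #1 instead, e.g.:
#   check_loader_conf /boot/loader.conf ada0p3 /boot/encryption.key
#   check_fstab /etc/fstab ada0p3
samples=$(make_samples)
check_loader_conf "$samples/good/loader.conf" ada0p3 /boot/encryption.key && echo "good loader.conf: OK"
check_loader_conf "$samples/bad/loader.conf" ada0p3 /boot/encryption.key || echo "bad loader.conf: rejected"
check_fstab "$samples/good/fstab" ada0p3 && echo "fstab: OK"
check_grub_cfg "$samples/good/grub.cfg" ada0p3 && echo "grub.cfg: OK"
rm -rf "$samples"
```

The checks deliberately match whole lines rather than substrings, so a stray second definition of the same variable or a quoting mistake is reported as missing instead of being waved through; the grub.cfg check only covers the two lines Amzo has established so far and says nothing about how the key file itself reaches the kernel from GRUB.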