geli on existing laptop
Hi guys,

I'd like to use geli to whole-disk encrypt a FreeBSD 7.1 laptop I already have set up. The laptop is up and working fine and I don't want to screw it up. It has the default partition layout. I've already used geli to encrypt the swap partition. The default partitioning at install creates /, /tmp, /usr and /var. I thought I would start with /tmp as I should be able to fix that if I mess up.

Some questions...

1. Will each partition have to be mounted with a password?

2. What's the most straight-forward way to go about this without screwing up?

I already have the eli module loaded in /boot/loader.conf so I won't need to re-compile, etc.

Thanks

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli on existing laptop
On Wed, Apr 08, 2009 at 07:06:27AM -0700, new_guy wrote:
> Hi guys,
>
> I'd like to use geli to whole-disk encrypt a FreeBSD 7.1 laptop I already have set up. The laptop is up and working fine and I don't want to screw it up. It has the default partition layout. I've already used geli to encrypt the swap partition. The default partitioning at install creates /, /tmp, /usr and /var. I thought I would start with /tmp as I should be able to fix that if I mess up.
>
> Some questions...
>
> 1. Will each partition have to be mounted with a password?

If you plan on converting existing partitions to geli-backed, then each one will require its own initialization. It's up to you whether or not you wish to use the same password/keyfile -- or different ones -- for each.

I personally experiment with geli all the time, and for convenience, I have my primary drive prompt for a password at boot time. Under my encrypted drive, I use key files without a password to mount other devices. From my rc.conf file:

geli_devices="ad3"
geli_ad3_flags="-p -k /etc/geli/ad3.key"
geli_ad3_autodetach="NO"

(then the appropriate entry for ad3.eli in my fstab)

This would probably be unacceptable to those who wear tin-foil hats and think the NSA is out to get them, but it sure beats typing in a high-entropy password for each and every device/partition in your system.

One potential gotcha: if your primary device gets hosed (hardware failure, lost password, corruption), then you won't be able to access the other devices since you can't get access to your keys. I *strongly* suggest that you back up your key file(s) -- I keep 2, one on the USB stick that I use to boot my machine, and one on a webmail account (both gpg-encrypted, of course).

Don't forget to encrypt swap (described in the handbook, I think).

> 2. What's the most straight-forward way to go about this without screwing up?

For someone new to this, it would be far easier to start from scratch.

However, in your case, I suggest that you free up a partition to start with (/tmp comes to mind here). Experiment with a few geli init incantations in order to get it to prompt for a password at boot time, and then mount the device. Mount it under something like /root2 or /newroot. Then, copy the entire content of / over to the new mountpoint (use tar or rsync, and don't forget to exclude other devices). Once you have that mounting at boot and synced up, you can change the / entry in your current /etc/fstab (make sure the new fstab is correct for the new mounts, too). Your system will start booting, and you'll be prompted for a password to unlock the new encrypted device. Then, it'll mount / (the new encrypted device), and once that happens, the old / will be essentially ignored since the new one will be mounted over it, so the new fstab and directory structure will assume control.

Once that is working, you can migrate other partitions over, one at a time, until all required devices are encrypted. If you don't want to be prompted for passwords for these other devices, you should use keys instead of passwords and use the rc.conf method I mentioned above.

Personally, I'd add a 2nd drive, encrypt it wholesale (ad0.eli), then partition that device in whatever way you wish (/dev/ad0.elia, /dev/ad0.elib, etc. by way of bsdlabel -w ad0.eli ; bsdlabel -e ad0.eli). Then mount those partitions under a /newroot tree, then rsync your entire filesystem tree over to that, then switch your fstab to point to the new root. (Again, don't forget to correctly edit the *new* fstab after you sync, or you'll be hating life as you try to fix the mess from the boot loader prompt or a recovery disk.) Moving everything back to your newly-encrypted old drive will be more difficult.

I cut my geli teeth on the following docs:

http://nullpointer.dk/2007/06/05/encrypting-a-freebsd-system-using-geli/
http://events.ccc.de/congress/2005/fahrplan/attachments/586-paper_Complete_Hard_Disk_Encryption.pdf

There appear to be quite a few more decent tutorials online these days. Just google "freebsd geli encryption".

The good news is that many of the methods used for crypto (loading modules from /boot/loader.conf) can be applied to things having gjournal or ZFS running on your root device. In fact, I've run ZFS over geli, and I currently use gjournal over geli. Both work very well.

Good luck.

-- 
Geoff
Re: geli on existing laptop
new_guy wrote:
> Hi guys,
>
> I'd like to use geli to whole-disk encrypt a FreeBSD 7.1 laptop I already have set up. The laptop is up and working fine and I don't want to screw it up. It has the default partition layout. I've already used geli to encrypt the swap partition. The default partitioning at install creates /, /tmp, /usr and /var. I thought I would start with /tmp as I should be able to fix that if I mess up.
>
> Some questions...
>
> 1. Will each partition have to be mounted with a password?
>
> 2. What's the most straight-forward way to go about this without screwing up?
>
> I already have the eli module loaded in /boot/loader.conf so I won't need to re-compile, etc.

To convert a partition to geli requires you to wipe out all the contents, scribble over the partition with random data to get rid of any remnants of the unencrypted content, set up the encryption keys and then rebuild the file system and recover the data from backup.

Yes, you will need to supply some sort of secret value to retrieve the encrypted disk contents. This is usually configured to mean typing in a passphrase at the time the partition is mounted, although it is also possible to store crypto keys on a removable medium such as a USB key -- you don't necessarily have to use a pass phrase in that case, although it's a good idea for the most effective security. Once the partition is mounted, you should be able to take the key out and put it in a safe place and still keep running.

Depending on your requirements you can encrypt the whole drive -- which while highly secure requires you to have crypto keys etc. on a removable medium and is a little tricky to get working properly -- or you can create a small unencrypted partition which should contain the kernel and necessary crypto bits (ie. the contents of /boot at a minimum) and then encrypt things partition by partition.

You will have to type in a pass phrase to mount each different encrypted partition -- to prevent this becoming too onerous, consider using a 'one big partition' layout.

Also note that you should encrypt the swap partition, or someone coming into possession of the laptop may be trivially able to recover secret data from it: this is pretty automated and can be achieved by simply editing /etc/fstab to change the mount device to eg. /dev/ad0s1b.eli and rebooting -- an ephemeral key is used, so no typing of passphrases is required in this instance. Setting up a swap-backed tmpmfs will then give you an encrypted /tmp too.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
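Geoff's rc.conf snippet, his warning about keyfiles that live on the encrypted drive, and Matthew's /dev/ad0s1b.eli swap entry all describe state that is spread over /etc/rc.conf and /etc/fstab, and a mismatch between the two only shows up at the next reboot. The script below is an added example, not code from the thread or from FreeBSD: it audits a constructed rc.conf/fstab pair for exactly those three pitfalls (a .eli filesystem that rc.conf will never attach, a plain swap device, and a keyfile stored on a filesystem that is itself encrypted). The device names, paths, sample files and the assumption that an encrypted / is unlocked by the boot-time passphrase prompt rather than by the rc scripts are all illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): audit an rc.conf/fstab pair for the geli
# pitfalls discussed above.  The sample files written by write_samples() are
# constructed; device names and paths are assumptions for illustration.

# Print the value of variable $2 in sh-style file $1, without surrounding quotes.
rc_value() {
    line=$(grep "^$2=" "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    val=${line#*=}; val=${val#\"}; val=${val%\"}
    printf '%s\n' "$val"
}

# Print the path following -k in a geli_<dev>_flags string; fail if there is none.
keyfile_from_flags() {
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = "-k" ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# Audit: $1 = rc.conf, $2 = fstab.  Prints one FINDING line per problem and
# returns the number of findings (0 means the pair is consistent).
geli_audit() {
    rc=$1 fs=$2 findings=0
    devs=$(rc_value "$rc" geli_devices) || devs=""
    # mount points (not swap) whose backing device is a geli provider
    eli_mounts=$(awk '$1 !~ /^#/ && $1 ~ /\.eli/ && $3 != "swap" {print $2}' "$fs")

    # 1. A .eli filesystem that rc.conf never attaches will fail to mount at boot.
    #    The root device is exempt: assumed unlocked by the boot-time passphrase
    #    prompt (geli init -b), not by the rc scripts.
    for entry in $(awk '$1 !~ /^#/ && $1 ~ /\.eli/ && $3 != "swap" {print $1 ":" $2}' "$fs"); do
        dev=${entry%%:*}; mp=${entry#*:}
        [ "$mp" = / ] && continue
        name=${dev#/dev/}; name=${name%%.eli*}
        case " $devs " in
            *" $name "*) ;;
            *) echo "FINDING: $dev on $mp but '$name' is not in geli_devices"
               findings=$((findings + 1)) ;;
        esac
    done

    # 2. Swap must be a .eli device so it is keyed with a one-time key.
    for dev in $(awk '$1 !~ /^#/ && $3 == "swap" {print $1}' "$fs"); do
        case $dev in
            *.eli) ;;
            *) echo "FINDING: swap on $dev is unencrypted; use ${dev}.eli"
               findings=$((findings + 1)) ;;
        esac
    done

    # 3. A keyfile kept on an encrypted filesystem is lost together with that
    #    device (Geoff's gotcha), so it needs a copy somewhere else.
    for name in $devs; do
        flags=$(rc_value "$rc" "geli_${name}_flags") || continue
        key=$(keyfile_from_flags "$flags") || continue
        for mp in $eli_mounts; do
            if [ "$mp" = / ] || [ "${key#$mp/}" != "$key" ]; then
                echo "FINDING: keyfile $key for $name lives on encrypted $mp; keep an offline backup"
                findings=$((findings + 1))
                break
            fi
        done
    done
    return $findings
}

# Write two constructed rc.conf/fstab pairs under $1: good/ and bad/.
write_samples() {
    mkdir -p "$1/good" "$1/bad"
    printf '%s\n' 'geli_devices="ad3"' 'geli_ad3_flags="-p -k /etc/geli/ad3.key"' \
        > "$1/good/rc.conf"
    cp "$1/good/rc.conf" "$1/bad/rc.conf"
    cat > "$1/good/fstab" <<'EOF'
# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1b.eli   none        swap    sw       0     0
/dev/ad0s1a       /           ufs     rw       1     1
/dev/ad3.eli      /home       ufs     rw       2     2
EOF
    cat > "$1/bad/fstab" <<'EOF'
# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1b       none        swap    sw       0     0
/dev/ad0s1a.eli   /           ufs     rw       1     1
/dev/ad3.eli      /home       ufs     rw       2     2
/dev/ad4.eli      /data       ufs     rw       2     2
EOF
}

# Demo run on the constructed samples.
sampledir=$(mktemp -d)
write_samples "$sampledir"
for variant in good bad; do
    echo "== $variant =="
    geli_audit "$sampledir/$variant/rc.conf" "$sampledir/$variant/fstab" || echo "($? finding(s))"
done
```

Run against a real system as `geli_audit /etc/rc.conf /etc/fstab`; the "bad" sample reproduces three findings (an unencrypted swap device, /dev/ad4.eli with no geli_devices entry, and the ad3 keyfile sitting on an encrypted root), while the "good" sample is silent.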
Re: geli on existing laptop
On Wed, Apr 08, 2009 at 07:06:27AM -0700, new_guy wrote:
> Hi guys,
>
> I'd like to use geli to whole-disk encrypt a FreeBSD 7.1 laptop I already have set up. The laptop is up and working fine and I don't want to screw it up. It has the default partition layout. I've already used geli to encrypt the swap partition. The default partitioning at install creates /, /tmp, /usr and /var. I thought I would start with /tmp as I should be able to fix that if I mess up.
>
> Some questions...
>
> 1. Will each partition have to be mounted with a password?

You can use a password, a file containing a key or both. See geli(8). The security of an encrypted partition relying solely on a key from another partition is questionable at least.

> 2. What's the most straight-forward way to go about this without screwing up?

You cannot encrypt the whole disk. You'll need an unencrypted /boot partition to read the kernel from, and an unencrypted boot sector. Furthermore, you cannot encrypt a partition in place. You'll have to move the data somewhere else, unmount the partition, encrypt it, newfs it, attach and mount the encrypted partition and restore the data.

Personally, I think there is little value or security in encrypting / and /usr. There is really nothing secret there. One could even argue that the well-known content of / and /usr might facilitate known plaintext attacks! The only possible reason is to inconvenience a thief, but one might argue that putting anything but windows on it accomplishes that quite nicely. :-) And if your laptop is not a powerhouse, using encryption is going to eat CPU cycles.

My advice would be to put /home (where _your_ data resides) on a separate partition and encrypt only that partition, with a password.

Roland

-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
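Geoff, Matthew and Roland each give the same sequence in prose: copy the data off, unmount, overwrite the old plaintext, geli init, geli attach, newfs, mount, copy the data back, then fix fstab (and rc.conf when a keyfile is used). The script below is an added example, not the thread's own code or a FreeBSD tool, that puts those steps in order with the two sanity checks a practitioner wants (the backup location must exist before anything is unmounted, and the keyfile path is wired consistently into init, attach and the rc.conf hint). With DRY_RUN=1, the default here, every privileged command is printed rather than executed, so it can be read and tested without touching a disk; the partition name ad0s1e, the backup directory and the keyfile path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): convert one already-populated partition
# to geli in the order described above: back up, unmount, overwrite, geli init,
# geli attach, newfs, mount, restore.  With DRY_RUN=1 (the default here) each
# privileged command is printed instead of executed; the partition name, the
# backup directory and the keyfile path are assumptions for illustration.

DRY_RUN=${DRY_RUN:-1}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# convert_partition <partition> <mountpoint> <backup dir> [keyfile]
#   e.g. convert_partition ad0s1e /tmp /mnt/backup/tmp
# Without a keyfile, geli init and geli attach prompt for a passphrase; with
# one, the keyfile alone unlocks the device (-P/-p: no passphrase), which is
# the mode Geoff's rc.conf uses.
convert_partition() {
    part=$1 mp=$2 backup=$3 key=$4
    [ -d "$backup" ] || { echo "backup directory $backup does not exist" >&2; return 1; }
    # 1. Copy everything off the partition first: -a keeps owners, modes and
    #    times, -H keeps hard links, --delete makes the backup an exact mirror.
    run rsync -aH --numeric-ids --delete "$mp/" "$backup/"
    # 2. The partition must not be in use while it is rewritten.
    run umount "$mp"
    # 3. Overwrite the old plaintext so nothing of it survives next to the
    #    encrypted data (bs=1m is FreeBSD dd syntax).
    run dd if=/dev/random of="/dev/$part" bs=1m
    # 4. Write the geli metadata and attach the provider.  -K names the keyfile
    #    at init time, -k at attach time (geli(8)).
    if [ -n "$key" ]; then
        run geli init -P -K "$key" "/dev/$part"
        run geli attach -p -k "$key" "/dev/$part"
    else
        run geli init "/dev/$part"
        run geli attach "/dev/$part"
    fi
    # 5. Fresh filesystem on the .eli device, mount it, restore the data.
    run newfs -U "/dev/$part.eli"
    run mount "/dev/$part.eli" "$mp"
    run rsync -aH --numeric-ids "$backup/" "$mp/"
    # 6. What still has to change by hand so the next boot finds the device.
    echo "fstab: replace /dev/$part with /dev/$part.eli on the $mp line"
    [ -n "$key" ] && echo "rc.conf: add $part to geli_devices and set geli_${part}_flags=\"-p -k $key\""
    return 0
}

# Demo: dry-run conversion of a hypothetical /tmp partition, passphrase mode.
demo_backup=$(mktemp -d)
convert_partition ad0s1e /tmp "$demo_backup"
```

Read the printed command list before setting DRY_RUN=0: the backup directory must be on a different device from the one being converted, and the fstab/rc.conf lines printed at the end are what Geoff's warning about editing the *new* fstab refers to.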
Re: geli on existing laptop
Roland Smith wrote:
> My advice would be to put /home (where _your_ data resides) on a separate partition and encrypt only that partition, with a password.

Thanks to everyone for the advice. I really do appreciate it. I like this tip a lot. Since the default FreeBSD installer puts /home as a link to /usr/home... could I just encrypt /usr and get the same result? I'm thinking this would be the best way.

Thanks again for the great tips!
Re: geli on existing laptop
On Wed, Apr 08, 2009 at 10:48:31AM -0700, new_guy wrote:
> Roland Smith wrote:
> > My advice would be to put /home (where _your_ data resides) on a separate partition and encrypt only that partition, with a password.
>
> Thanks to everyone for the advice. I really do appreciate it. I like this tip a lot. Since the default FreeBSD installer puts /home as a link to /usr/home... could I just encrypt /usr and get the same result? I'm thinking this would be the best way.

You could do that. But since enabling encryption effectively destroys the data on the old partition, you might as well split the old /usr into /usr and /home while you're at it. On my workstation /usr fills about 5GB. So reserving 5-8GB for /usr should be plenty.

An encrypted /usr can be a PITA if you have to boot into single user mode for maintenance. You'd have to attach and mount the geli device by hand, instead of having the rc scripts automate it.

A word of warning: make sure you have good recent backups before enabling encryption, in case it becomes FUBAR.

Roland

-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)