Creating an encrypted file system with FreeBSD

The cryptographic tools in the FreeBSD operating system can protect data on file systems from highly motivated people with significant resources. Unlike encryption methods that encrypt only individual files, such as PGP, the cryptographic tools in FreeBSD transparently encrypt entire file systems. No clear text ever touches the hard drive.

In our example, we will use the geli cryptographic tool in FreeBSD 7.2 to create an encrypted file system on an external hard drive.

The external hard drive can then be used to store and transport files or backup files in a secure manner.

Note that we have not had success with FreeBSD 7.0 on two different machines. That version showed kernel panics on USB events and system hangs on geli commands, hangs so complete that even a kill -9 was not enough.

We load the dynamic kernel module and make sure that it is also loaded at boot time in the future.

kldload geom_eli
vi /boot/loader.conf
geom_eli_load="YES"

We attach the external hard drive, start it up and create the master key that will be used for the encryption. In our example, the external hard drive is recognized as device node da1. We will enter a pass phrase during the creation of the master key. This way, both the key file and the pass phrase are needed to gain access to the file system. A copy of the master key should be stored far away in a trusted place in another galaxy.

ls /dev/da?
dd if=/dev/random of=/root/ehd.key bs=64 count=1
geli init -s 4096 -K /root/ehd.key /dev/da1

The layer between the external hard drive and the file system is called the provider. The provider has to be attached before creation of the file system is possible. When the provider is attached, it will be recognized by a device node and we can create, mount, list and unmount the file system until we detach the provider again.

geli attach -k /root/ehd.key /dev/da1
ls /dev/da1.eli
dd if=/dev/random of=/dev/da1.eli bs=1m
newfs /dev/da1.eli
mkdir /mnt/ehd
mount /dev/da1.eli /mnt/ehd
df -H
umount /mnt/ehd
geli detach /dev/da1.eli

When we want to use our encrypted file system, for example to synchronize contents, we attach the external hard drive and turn it on, attach the provider, mount the file system, synchronize the content, unmount the file system, detach the provider, turn the external hard drive off and detach it.

geli attach -k /root/ehd.key /dev/da1
mount /dev/da1.eli /mnt/ehd
...
umount /mnt/ehd
geli detach /dev/da1.eli
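A small wrapper for the attach, mount, synchronize, unmount, detach cycle above, added here as an example and not part of the original post. It assumes the device node, key file and mount point from the post and leaves the synchronization command to the caller; the function names and the GELI_DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: run the attach/mount/sync/umount/detach
# cycle so that a failure at any step unwinds only the steps already taken.
# Set GELI_DRY_RUN=1 to print the commands instead of running them, which lets
# you check the order before touching a real disk.
set -u

eli_node() {          # da1 -> /dev/da1.eli (the node geli creates when attached)
    printf '/dev/%s.eli\n' "$1"
}

run() {               # in dry-run mode echo the command; otherwise execute it
    if [ "${GELI_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# sync_to_ehd DEV KEYFILE MOUNTPOINT SYNC_COMMAND...
# DEV is the raw device name (da1), KEYFILE the master key file, MOUNTPOINT the
# directory to mount on; the remaining arguments are the command that does the
# actual synchronization while the file system is mounted.
sync_to_ehd() {
    dev=$1; key=$2; mnt=$3; shift 3
    node=$(eli_node "$dev")

    run geli attach -k "$key" "/dev/$dev" || return 1
    if ! run mount "$node" "$mnt"; then
        run geli detach "$node"          # provider attached but not mounted: undo it
        return 1
    fi

    run "$@"; rc=$?                      # the synchronization step itself

    if run umount "$mnt"; then
        run geli detach "$node" || rc=1
    else
        # A mounted file system must not be force-detached; leave the provider
        # attached and let the operator find what still holds the mount.
        echo "umount $mnt failed; provider $node left attached" >&2
        rc=1
    fi
    return $rc
}
```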
