Yesterday I bough a new 200 GB hard disk for my FreeBSD server. I wanted to use it for backups and private data so I thought of using an encrypted filesystem.
The Geom Based Disk Encryption GBDE is the perfect candidate for such things on FreeBSD. It makes encrypting filesystems and using them transparently very easy.
At first I connected the disk to my server and created a partition on it. I was lazy so I used sysinstall. Normally one would use fdisk to create a slice and bsdlabel to create a partition. This is what sysinstall is doing behind the scenes. Refer to the handbook for how to attach a new drive to FreeBSD.
For the next steps I used the man page of GBDE and the handbook as a reference. Beware the handbook is a litte out-dated for the new auto-mount features but for me it did the job.
After sysinstall I had a new partition on ad1s1 (second IDE disk, fist slice):
bsdlabel ad1s1
# /dev/ad1s1:
8 partitions:
# size offset fstype [fsize bsize bps/cpg]
c: 390716802 0 unused 0 0 # “raw” part, don’t edit
d: 390716802 0 4.2BSD 2048 16384 28552
So ad1s1d is my “raw” partition for GBDE. You have to init the partition with GBDE. If you used sysinstall, be sure that /dev/ad1s1 is not mounted because sysintall will mount the labeled disk to the specified mount point.
gbde init /dev/ad1s1d -L /etc/ad1s1d.lock
/etc/ad1s1d.lock is the lockfile for GBDE. Be sure not to publish it. This is not the keyfile, only lock sector data but its presence would make the attackers job easyer. DO NOT EVER DELETE THIS FILE OR YOUR DATA IS LOST. Now you have to enter the password twice and be sure to remember it or again: all your data on this disk will be lost, when you forget it.
After initializing you have to actually attach the drive in order to make it usable for the system.
gbde attach ad1s1fd-l /etc/ad1s1d.lock
This step will create the device /dev/ad1s1d.bde, the accessible filesystem. Now I have a “normal” partition on that I can create a filesystem on:
newfs -U -m 3 /dev/ad1s1d.bde
Notice the -m 3, this will reserve only 3% of the filesystem for the minimum free space threshold (default is 8%). At first I used the default only to notice that I lost 15GB to this “reserve”. Quite a big reserve I though and lowered it to 5GB. The -U will enable Softupdates on the filesystem.
Now the filesystem is ready and can be mounted.
mkdir /encrypted
mount /dev/ad1s1d.bde /encrypted
In order to detach it, use the following command:
umount /encrypted
gbde detach ad1s1d
This was it, from now on you can use the encrypted filesystem with gbde attach, mount, ..., umount, gbde detach. I also included the umount and gbde detach calls to my /etc/rc.shutdown just to be sure.
If you want to mount the encrypted volume on boot modify /etc/fstab
/dev/adds1d.bde /encrypted ufs rw 0 0
and /etc/rc.conf:
gbde_devices=”AUTO”
You will be prompted on boot for the password. If you do not use this procedure, fsck will not check the encrypted disk, so be sure to include a fsck /dev/ad1s1d.bde before mounting the filesystem.
While I was doing this and reading through GBDE I came across a nice way to easily encrypt swap. Just add a ”.bde” to your swap entry in /etc/fstab:
/dev/ad0s1b.bde none swap sw 0 0
And add this line in /etc/rc.conf
gbde_swap_enable=”YES”
That was easy, wasn’t it?
For more nice features of GBDE like using several keys for decryption refer to the man page. Further I found this german Wiki entry usefull.
