So, as mentioned earlier, I played around with using gbde on memory disks in FreeBSD 6. The following are a few notes. At the very end, I also talk about encrypting the disk partitions used for swap and mounted as “/tmp”.
-
Let’s begin with encrypted memory disks.
First, if not already enabled, turn on gbde in the kernel by adding
options GEOM_BDE #FreeBSD disk encryption
to the kernel configuration (for example, “DKript_Lap1” as discussed in a previous post). Then, rebuild the kernel.
- make kernel KERNCONF=DKript_Lap1
(Don’t forget to build and/or copy any kernel modules outside of the kernel build tree to “/boot/kernel” before rebooting – for example, copying “bcmwl5_sys.ko” to “/boot/kernel”, as discussed in a previous post).
Ok, we are creating a file-backed memory disk, so let’s create a file for the memory disk. Here, we create a ~1GB regular file named “md1” in the directory “/usr/home/emd”.
- dd if=/dev/random of=/usr/home/emd/md1 bs=1K count=1M
Configure the file-backed memory disk.
- mdconfig -a -t vnode -f /usr/home/emd/md1 -u 1
Next, label the new memory disk.
- bsdlabel -w /dev/md1
We are all set to initialize encryption for the memory disk, and this will prompt for a passphrase that will be used as part of deriving encryption keys. (Note: I used the directory “/etc/gbde” for the gbde lock files.)
- gbde init /dev/md1c -L /etc/gbde/md1c.lock
Ok, attach to the encrypted memory disk. (This prompts for the passphrase entered previously.)
- gbde attach md1c -l /etc/gbde/md1c.lock
Create a filesystem on it.
- newfs /dev/md1c.bde
With all that done, mount it.
- mount /dev/md1c.bde /usr/home/emd/enc1
That is about it. In the future, all we have to do to mount this encrypted memory disk after a reboot is configure the memory disk, attach to it with gbde, and then mount it.
- mdconfig -a -t vnode -f /usr/home/emd/md1 -u 1
- gbde attach md1c -l /etc/gbde/md1c.lock
- mount /dev/md1c.bde /usr/home/emd/enc1
Unmounting is simply a matter of…
- umount /usr/home/emd/enc1
- gbde detach md1c
(An ugly script for mounting/unmounting the encrypted memory disk set up as described above can be found here.)
So, now we have an encrypted memory disk for storing up to ~1GB of data.
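As an added example (not the script linked above, nor anything from the FreeBSD project), here is a small POSIX sh wrapper for the attach/detach sequence just described. It assumes the same paths and unit number as the post (“/usr/home/emd/md1”, unit 1, “/etc/gbde/md1c.lock”, “/usr/home/emd/enc1”), all overridable from the environment, undoes earlier steps if a later one fails, and also runs mdconfig -d on detach so the unit number is free again. Setting DRY_RUN=1 only prints the commands.

```sh
#!/bin/sh
# emd.sh: attach/detach the gbde-encrypted, file-backed memory disk from the post.
# Added example, not the post's own script. Paths and unit number default to the
# post's values and can be overridden from the environment. DRY_RUN=1 only prints
# the commands, which is handy for checking the sequence before running as root.
MD_FILE=${MD_FILE:-/usr/home/emd/md1}      # backing file created with dd
MD_UNIT=${MD_UNIT:-1}                       # md unit number (-u)
MD_DEV="md${MD_UNIT}c"                      # partition gbde was initialised on
LOCK=${LOCK:-/etc/gbde/${MD_DEV}.lock}      # gbde lock file written by "gbde init"
MNT=${MNT:-/usr/home/emd/enc1}              # mount point
DRY_RUN=${DRY_RUN:-0}

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Configure the md device, attach gbde (prompts for the passphrase), mount.
# Each step is undone if a later one fails, so nothing is left half-attached.
emd_attach() {
    if [ "$DRY_RUN" != 1 ] && [ ! -d "$MNT" ]; then
        echo "emd: mount point $MNT does not exist" >&2
        return 1
    fi
    run mdconfig -a -t vnode -f "$MD_FILE" -u "$MD_UNIT" || return 1
    if ! run gbde attach "$MD_DEV" -l "$LOCK"; then
        run mdconfig -d -u "$MD_UNIT"
        return 1
    fi
    if ! run mount "/dev/${MD_DEV}.bde" "$MNT"; then
        run gbde detach "$MD_DEV"
        run mdconfig -d -u "$MD_UNIT"
        return 1
    fi
}

# Unmount, detach gbde, and also destroy the md device so the unit number is
# free for the next attach (the post leaves the md device configured).
emd_detach() {
    run umount "$MNT" || return 1
    run gbde detach "$MD_DEV" || return 1
    run mdconfig -d -u "$MD_UNIT"
}

case "${1:-}" in
    attach) emd_attach ;;
    detach) emd_detach ;;
    "") ;;   # no subcommand: just define the functions (e.g. when sourced)
    *) echo "usage: $0 attach|detach" >&2; exit 2 ;;
esac
```

Run it as root with “sh emd.sh attach” or “sh emd.sh detach”; “DRY_RUN=1 sh emd.sh attach” shows the exact mdconfig/gbde/mount lines that would be executed.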
-
Let’s encrypt the disk partition used for swap, which is quite easy on FreeBSD 6. All that has to be done is append “.bde” to the device entries used for swap in “/etc/fstab”. (For example, I changed the swap entry in my “/etc/fstab” from “/dev/ad0s1b none swap sw 0 0” to “/dev/ad0s1b.bde none swap sw 0 0”.) The “/etc/rc.d/encswap” script will then take care of the rest upon boot. (I did make one small modification to “/etc/rc.d/encswap”, which is not absolutely necessary – I changed “md5” to “sha256” for hashing the data gathered from “/dev/random”.)
Ok, let’s encrypt the disk partition mounted as “/tmp”. First, I quickly hacked the “/etc/rc.d/gbde” script to encrypt the partition mounted as “/tmp” with a random key. (The hacked “/etc/rc.d/gbde” script can be found here. It requires the specific mount point to be “/tmp”.) After that, add “gbde_devices="AUTO"” to “/etc/rc.conf” to invoke automatic initialization of gbde devices during boot, and, as with swap, append “.bde” to the device entry in “/etc/fstab” for the disk partition mounted as “/tmp”. (For example, I changed “/dev/ad0s1e /tmp ufs rw 2 2” to “/dev/ad0s1e.bde /tmp ufs rw 2 2” in my “/etc/fstab”.) The “/etc/rc.d/gbde” script will then take care of the rest upon boot. (Of course, if things like “/var” are not on an encrypted partition, there may be little temporary files lying around, like in “/var/tmp”. Perhaps symlinking such things to “/tmp” or other points on encrypted partitions would help, like “ln -s /tmp /var/tmp” for “/var/tmp”. Unfortunately, temporary files pop up all over the place.)
As for creating encrypted disk partitions, the gbde commands used on our memory disk are the same type of commands as those you would use on a disk partition. Additionally, for automatic mounting during boot, add “gbde_devices="AUTO"” to “/etc/rc.conf”, as we did in our “/tmp” discussion, and append “.bde” to the device entries in “/etc/fstab” for the relevant disk partitions, such as the “/etc/fstab” entry changes we made for the disk partitions used for swap and mounted as “/tmp”. Of course, if the partition has data on it that you want to keep, back the data up before setting up disk encryption for the partition and then copy the data back over once disk encryption is properly configured for the partition. And, automatically mounting encrypted partitions during boot could result in being prompted for passphrases during the boot process.
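The post edits “/etc/fstab” by hand. As an added example (my own helpers, not from the post or from FreeBSD), here are two POSIX sh/awk functions that do the same edit on a copy of the file and check the result: one appends “.bde” to the device field of the entries you name (swap, “/tmp”, or any other partition you have run gbde on), leaving comments, other entries and column alignment alone; the other lists swap entries that still lack the “.bde” suffix, which is worth checking because a plain swap device writes memory pages to disk in the clear. The device names in the usage line are the post’s own (“/dev/ad0s1b” for swap, “/dev/ad0s1e” for “/tmp”).

```sh
#!/bin/sh
# fstab helpers for gbde-backed swap and /tmp. Added example; the post edits
# /etc/fstab by hand. Both read fstab text from stdin so they can be tried on a
# copy first, e.g.:
#   bde_fstab /dev/ad0s1b /dev/ad0s1e < /etc/fstab > /tmp/fstab.new
#   plain_swap < /tmp/fstab.new      # prints nothing when all swap is covered

# Append ".bde" to the device field of the entries whose device is listed as an
# argument. Comments, blank lines and other entries pass through untouched, and
# whitespace/alignment is preserved. Idempotent: an entry already ending in
# ".bde" no longer matches its plain name, so it is not rewritten twice.
bde_fstab() {
    awk -v devs="$*" '
    BEGIN { n = split(devs, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
    /^[ \t]*#/ || NF == 0 { print; next }
    ($1 in want)          { sub(/^[ \t]*[^ \t]+/, "&.bde") }
                          { print }'
}

# Print swap devices that are still unencrypted, i.e. entries whose type is
# "swap" and whose device does not end in ".bde". Prints nothing when every
# swap device will be handled by /etc/rc.d/encswap.
plain_swap() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         $3 == "swap" && $1 !~ /\.bde$/ { print $1 }'
}
```

Once “plain_swap < /tmp/fstab.new” prints nothing and the other entries look right, copy the new file over “/etc/fstab”.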
-
[...] What really caught my attention though was the usage of file-backed guest domains using encrypted (CGD) virtual disks (VND) (pardon my attempt at NetBSD terminology). Domain 0 would set up the encrypted virtual disks and then configure the guest domains to use them. The setup reminded me of my post about using encrypted memory disks in FreeBSD, as this would be a really cool way to use encrypted memory disks. Take those encrypted memory disks and use them for your virtual machines, which could mean that everything that machine tries to write to disk is encrypted first, but without the finagling necessary to try to set up FreeBSD with boot/root encrypted. Combine that with encrypted swap for domain 0, and perhaps all the bases are covered. Cool stuff. [...]