Encrypted Partitions

Previous page
Table of content
Next page

One of vnconfig(8)'s more interesting features is the ability to associate an encryption key with a vnode device. This means that you can create an encrypted disk partition image on your hard drive. It's not quite as direct as having the partition encrypted directly on the disk, but it's quite effective at protecting your data. To create an encrypted partition you need a file to use as the partition, an encryption key, and the same tools used for mounting disk images.

Creating a Partition File

Our partition file must be the exact size of the file system we want and can initially contain any information we want. We'll have to newfs(8) this new partition anyway, after all! For quickest results, just copy /dev/zero into a file of the size you require. Here, we create a 128MB file.

 # dd 1 if=/dev/zero 2 of=/home/mwlucas/images/encrypted.image 3 bs=1024 4 count=131072 131072+0 records in 131072+0 records out 134217728 bytes transferred in 16.954 secs (7916179 bytes/sec) #

We've used dd(1) before, but because you'll have to make some decisions here we'll dissect this command. The 1 if argument gives the input file we're copying from, and the 2 of argument tells dd(1) where to put the copy. The "bs" argument gives the size of each block copied. The default is 512 bytes, but I'm tired of multiplying everything by half a K, so I've set this to 1,024 bytes or 1K. The 4 count is the number of times the copy from /dev/zero is made. We want to create a 128MB file, and each megabyte is 1,024 bytes, so we copy 131,072 blocks.

Be conservative in sizing the file for your encrypted filesystem image. Each action on this file system must be run through the blowfish(3) encryption engine, so huge encrypted file systems containing everything on your hard drive are not necessarily optimal solutions to data security problems. If you only have a few megs of files that you need to encrypt, you don't need to create a 500MB encrypted disk image!

Partition File Setup

Now, associate that disk image file with a vnode device, much as you would a regular disk image. The only difference is the additional -k argument, which tells vnconfig(8) to request and use an encryption key.

 # vnconfig -ck /dev/svnd0c /home/mwlucas/images/encrypted.image Encryption key:

The vnconfig(8) command will pause until you enter an encryption key. Like passwords, encryption keys should contain a mix of alphanumeric and symbol characters and should not be recognizable words. Encryption keys can contain spaces. Because vnconfig(8) has no idea about what the contents of the file should be, you can enter an incorrect encryption key, and vnconfig(8) will run correctly. You won't know that the key is wrong until you attempt to use the image as a disk partition and cannot mount the partition or access the information in it.

Now that you have a file attached to the vnode device, you can run disklabel(8) on that image and partition it. By default, it will be one large "c" partition.

 # disklabel -E /dev/svnd0c 1 disklabel: Can't get bios geometry: Device not configured Initial label editor (enter '?' for help at any prompt) >

You will see a 1 warning that disklabel(8) cannot get BIOS information for this disk device. That's to be expected — this disk device has nothing to do with the BIOS! disklabel(8) this image file as you would like. For most applications, a single large partition is suitable. Once the image is labeled correctly, create a file system on it.

 # newfs /dev/rsvnd0c

Remember, newfs(8) works directly on the disk, not through the buffer, so you need to use the raw device. Your encrypted partition is now an actual partition instead of a bunch of disk space, so you can mount it as you would any other disk image.

 # mount /dev/svnd0c /mnt

The encrypted partition will remain until you unmount the image file and unconfigure the vnode device.

 # umount /mnt # vnconfig -u /dev/svnd0c

If you unmount the partition, but do not unconfigure the vnode device, the vnode device will still remember the encryption key! The next person who can mount partitions won't need to bypass your encryption key, he can just mount the vnode device you're so kindly left unlocked and configured for him. If you need encrypted file systems, you also need to remember to unconfigure your vnode devices.

Unclean Shutdowns

If your system crashes, the encrypted partition will be forcibly unmounted just like the standard partitions. This means that the partition may have disassociated files or some other problems. Unfortunately, the system will not to fsck(8) this partition upon a reboot. You must perform the fsck(8) manually, which isn't too hard.

First, attach your image file to a vnode device with vnconfig(8) normally, making sure to enter the correct encryption key. Before you run mount(8), however, run fsck(8) by hand to clean up any possible damage.

 # fsck -t ffs /dev/svnd0c

This will run a standard fsck(8) on the partition, just as if the partition was a usual FFS partition on disk. You must specify the file system type with the "-t" flag, however, as fsck(8) cannot readily identify a disk image file's file system.

Incorrect and Changing Keys

Vnconfig(8) has no idea what the data underlying a file is supposed to be; it just ties that data to a bunch of vnodes and attaches the whole mess to a vnode device. After vnconfig(8) prompts you for an encryption key, all transfers to and from that image file are passed through an encryption cycle with that key, whatever it is. This means that you will have no warning that you entered the incorrect encryption key until you attempt to mount the image file.

 # mount /dev/svnd0c /mnt mount_ffs: /dev/svnd0c on /mnt: Inappropriate file type or format #

Mount(8) has tried to examine the data on the vnode device and found only garbage. Unconfigure the vnode device and reenter your encryption key.

Sadly, vnconfig(8) has no provisions for changing the encryption key used on a file system image. (To be pedantic, vnconfig(8) is very much the wrong place to implement such a change because the encryption really has very little to do with vnconfig(8).) If you need to change your encryption key, create a new partition with the desired key, copy the data to the new partition, and erase the old encrypted file.

Now that you understand everything you must about working with disks under OpenBSD, let's take a look at upgrading your operating system.



Previous page
Table of content
Next page
Absolute Openbsd(c) Unix for the Practical Paranoid
Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
EAN: 2147483647
Year: 2005
Pages: 298
Authors: Michael W. Lucas
BUY ON AMAZON
Developing Tablet PC Applications (Charles River Media Programming)
Cisco IOS Cookbook (Cookbooks (OReilly))
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
Microsoft Office Visio 2007 Step by Step (Step By Step (Microsoft))
Programming .Net Windows Applications
Python Programming for the Absolute Beginner, 3rd Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy