author: Tomas Zeman <tzeman@volny.cz>
date: Thu, 14 Nov 2013 09:25:21 +0100
changeset 36: d65b324282f0
parent 5: b6a30994129b
permissions: -rw-r--r--
file: freebsd/virtual-disk-encryption howto
http://forums.freebsd.org/showthread.php?t=20382

Create a virtual disk image with a block size of 4096
% dd if=/dev/zero of=imageFile bs=4k count=<count of 4k blocks>
Create a file-backed memory device from the image
# mdconfig -a -t vnode -f imageFile -u 0
Now for the configuration of the geli(1) tool.

Fetch some random data to use as the key file that encrypts the master key
# dd if=/dev/random of=/root/md0.key bs=64 count=1
Init the device with geli (you are asked for a passphrase here)
# geli init -s 4096 -K /root/md0.key /dev/md0
Attach geli with the key to the newly created device
# geli attach -k /root/md0.key /dev/md0
This will create a device called /dev/md0.eli which is used in all
future commands.

Create a new filesystem on the virtual disk
# newfs /dev/md0.eli
Mount the disk
# mount /dev/md0.eli <mountpoint>
Now you can use the disk, do whatever you want with it.

To securely unmount the device
# umount <mountpoint>
# geli detach md0.eli
To restore from your metadata backups, for example if you accidentally
cleared the device with geli(1).
# geli restore /var/backups/md0.eli /dev/md0
Detach the memory disk completely from the system
# mdconfig -d -u 0
That's about it, with these simple commands you can create, encrypt and
use a virtual memory disk.
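The sequence above, wrapped in two shell functions as an added example that is not part of the original howto or of the repository. It adds the checks the hand-typed commands leave out: the 4 KiB block count is derived from a size in MiB, the free md unit search fails instead of silently falling through, an existing image is never overwritten, the key file is created root-only, and the sequence stops at the first failing step. The variables MD_DEV_DIR, MD_MAX_UNITS and DRY_RUN and all function names are this example's own assumptions; DRY_RUN=1 prints each command instead of running it, which is how the logic can be exercised on a machine without md(4) and geli(8).

```shell
#!/bin/sh
# Added example, not from the original howto.  Creates, encrypts and mounts a
# file-backed memory disk, and tears it down again, following the howto's
# command sequence.  MD_DEV_DIR, MD_MAX_UNITS, DRY_RUN and the function names
# are assumptions made for this example.

MD_DEV_DIR="${MD_DEV_DIR:-/dev}"       # where md(4) device nodes appear
MD_MAX_UNITS="${MD_MAX_UNITS:-10}"     # try unit numbers 0 .. MD_MAX_UNITS-1
DRY_RUN="${DRY_RUN:-0}"                # DRY_RUN=1: print commands, do not run them

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Number of 4 KiB dd blocks for an image of the given size in MiB
# (1 MiB / 4096 bytes = 256 blocks).
blocks_for_mib() {
    echo "$(( $1 * 256 ))"
}

# Print the first unit number n < MAX for which DEVDIR/mdn does not exist;
# fail (exit status 1) when every unit is taken.
first_free_md() {
    devdir=$1
    max=$2
    n=0
    while [ "$n" -lt "$max" ]; do
        if [ ! -e "$devdir/md$n" ]; then
            echo "$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free md unit below $max" >&2
    return 1
}

# create_encrypted_image IMAGE SIZE_MIB KEYFILE MOUNTPOINT
# The howto's create/init/attach/newfs/mount steps, aborting on the first failure.
create_encrypted_image() {
    image=$1; size_mib=$2; keyfile=$3; mountpoint=$4
    if [ -e "$image" ]; then
        echo "refusing to overwrite existing image $image" >&2
        return 1
    fi
    unit=$(first_free_md "$MD_DEV_DIR" "$MD_MAX_UNITS") || return 1
    dev="/dev/md$unit"

    run dd if=/dev/zero of="$image" bs=4k count="$(blocks_for_mib "$size_mib")" || return 1
    run mdconfig -a -t vnode -f "$image" -u "$unit" || return 1
    # umask 077 so the key file is readable by root only from the moment it exists.
    ( umask 077 && run dd if=/dev/random of="$keyfile" bs=64 count=1 ) || return 1
    run geli init -s 4096 -K "$keyfile" "$dev" || return 1    # prompts for the passphrase
    run geli attach -k "$keyfile" "$dev" || return 1
    run newfs "$dev.eli" || return 1
    run mount "$dev.eli" "$mountpoint" || return 1
    echo "$dev.eli mounted at $mountpoint"
}

# destroy_encrypted_image MOUNTPOINT UNIT
# The howto's unmount/detach steps: umount, geli detach, free the md unit.
destroy_encrypted_image() {
    mountpoint=$1; unit=$2
    run umount "$mountpoint" || return 1
    run geli detach "/dev/md$unit.eli" || return 1
    run mdconfig -d -u "$unit" || return 1
}

# Usage (as root):  sh geli-image.sh create IMAGE SIZE_MIB KEYFILE MOUNTPOINT
#                   sh geli-image.sh destroy MOUNTPOINT UNIT
case "${1:-}" in
    create)  shift; create_encrypted_image "$@" ;;
    destroy) shift; destroy_encrypted_image "$@" ;;
esac
```

Two things worth knowing when running this for real: geli init writes a metadata backup to /var/backups/md0.eli (for unit 0) by default, which is the file the howto's geli restore step reads back; and the data is only recoverable with both the key file and the passphrase, so the key file must live outside the encrypted image and stay readable by root only.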

Here are two really simple shell scripts that will take care of mounting
and unmounting the created memory disks:

mountImage.sh
Code:

#!/bin/sh
# Basic script to mount memory disks

mountImage()
{
    dev=$1
    dir=$2
    echo "mounting $dev at $dir"
    mount "$dev" "$dir"
}

echo "Give me the name of the image to mount"
read image

echo "Where to mount it?"
read mountDir

echo "Where is the geli key?"
read geliKey

baseDevice="/dev/md"

# get the first free minor number to mount it to;
# a unit is free when its device node does not exist yet
device=""
for minorNumber in 0 1 2 3 4 5 6 7 8 9 10
do
    candidate=$baseDevice$minorNumber
    if [ ! -e "$candidate" ]
    then
        device=$candidate
        echo "Found free device $device"
        break
    fi
done

if [ -z "$device" ]
then
    echo "No free md device found (md0 to md10 are all in use)" >&2
    exit 1
fi

echo "Using $device to mount $image"

mdconfig -a -t vnode -f "$image" -u "$minorNumber"

exitStatus=$?
if [ $exitStatus -eq 0 ]
then
    echo "Created $device from $image"
    geli attach -k "$geliKey" "$device"
    if [ $? -eq 0 ]
    then
        mountImage "$device.eli" "$mountDir"
    fi
fi


and
umountImage.sh

Code:

#!/bin/sh

echo "What dir to unmount?"
read umountDir

echo "What device to detach with geli? (md0, md1, ...)"
read geliDevice

echo "What's its minor number? (0, 1, ...)"
read minor

# stop here if the filesystem is still busy; geli detach would fail anyway
umount "$umountDir" || exit 1

device="/dev/$geliDevice.eli"

if [ -e "$device" ]
then
    geli detach "$device"
    mdconfig -d -u "$minor"
else
    echo "$device is not attached" >&2
    exit 1
fi
