java/keytool: pub/priv key, cert. export, self-signed cert + keystore (e.g. for tomcat server)
http://forums.freebsd.org/showthread.php?t=20382
Create a virtual disk with a blocksize of 4096
% dd if=/dev/zero of=imageFile bs=4k count=<count of 4k blocks>
Create a file backed device
# mdconfig -a -t vnode -f imageFile -u 0
Now for the configuration of the geli(1) tool.
Fetch some random data to encrypt the master key with
# dd if=/dev/random of=/root/md0.key bs=64 count=1
Initialize the device with geli (it prompts for a passphrase here)
# geli init -s 4096 -K /root/md0.key /dev/md0
Attach the newly created device with geli, using the key
# geli attach -k /root/md0.key /dev/md0
This will create a device called /dev/md0.eli which is used in all
future commands.
Create a new filesystem on the virtual disk
# newfs /dev/md0.eli
Mount the disk
# mount /dev/md0.eli <mountpoint>
Now you can use the disk, do whatever you want with it.
To securely unmount the device
# umount <mountpoint>
# geli detach md0.eli
To restore from your metadata backups, for example if you accidentally
cleared the device with geli(1):
# geli restore /var/backups/md0.eli /dev/md0
Detach the memory disk completely from the system
# mdconfig -d -u 0
That's about it. With these simple commands you can create, encrypt and
use a virtual memory disk.
Here are two really simple shell scripts that will take care of mounting
and unmounting the created memory disks:
mountImage.sh
Code:
#!/bin/sh
# Basic script to mount memory disks

# Mount the given device at the given directory
mountImage()
{
    dev=$1
    dir=$2
    echo "mounting $dev at $dir"
    mount "$dev" "$dir"
}

echo "Give me the name of the image to mount"
read -r image
echo "Where to mount it?"
read -r mountDir
echo "Where is the geli key?"
read -r geliKey

baseDevice="/dev/md"
device=""
# get the first free minor number to mount it to
for minorNumber in 0 1 2 3 4 5 6 7 8 9 10
do
    if [ ! -e "$baseDevice$minorNumber" ]
    then
        device=$baseDevice$minorNumber
        echo "Found free device $device"
        break
    fi
done
# stop if all of md0..md10 are already in use
if [ -z "$device" ]
then
    echo "No free md device found" >&2
    exit 1
fi

echo "Using $device to mount $image"
mdconfig -a -t vnode -f "$image" -u "$minorNumber"
exitStatus=$?
if [ $exitStatus -eq 0 ]
then
    echo "Created $device from $image"
    # geli asks for the passphrase here
    geli attach -k "$geliKey" "$device"
    if [ $? -eq 0 ]
    then
        mountImage "$device.eli" "$mountDir"
    fi
fi
and
umountImage.sh
Code:
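#!/bin/sh
# Basic script to unmount and detach memory disks
echo "What dir to unmount?"
read -r umountDir
echo "What device to detach with geli? (md0, md1, ...)"
read -r geliDevice
echo "What's its minor number? (0, 1, ...)"
read -r minor

# do not detach anything while the filesystem is still mounted
umount "$umountDir" || exit 1

device="/dev/$geliDevice.eli"
if [ -e "$device" ]
then
    # detach the encrypted provider, then remove the memory disk
    geli detach "$device"
    mdconfig -d -u "$minor"
fi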
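
A stricter variant of the attach sequence in mountImage.sh, added here as an example and not part of the original post: it checks the key file before use, lets mdconfig allocate the free unit itself instead of probing /dev/md0..10, and undoes every completed step if a later one fails. The function names check_keyfile and attach_image are hypothetical, and the rule "64 bytes, owner-only permissions" is an assumed policy derived from the dd command that created /root/md0.key.

```shell
#!/bin/sh
# Added example; check_keyfile and attach_image are hypothetical names.

# Refuse a key file that is missing, is not 64 bytes (the size written by
# the dd command above), or is accessible to group or others (assumed policy).
check_keyfile() {
    key=$1
    [ -f "$key" ] || { echo "key file missing: $key" >&2; return 1; }
    size=$(wc -c < "$key" | tr -d ' ')
    [ "$size" -eq 64 ] || { echo "unexpected key size: $size" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key readable by group/other" >&2; return 1; }
}

# attach_image IMAGE KEYFILE MOUNTPOINT
# Prints the allocated md name (e.g. "md3") on success.
attach_image() {
    image=$1 key=$2 dir=$3
    check_keyfile "$key" || return 1
    [ -d "$dir" ] || { echo "no such mountpoint: $dir" >&2; return 1; }
    # Without -u, mdconfig picks the next free unit and prints its name.
    md=$(mdconfig -a -t vnode -f "$image") || return 1
    if ! geli attach -k "$key" "/dev/$md"; then
        mdconfig -d -u "${md#md}"          # roll back the memory disk
        return 1
    fi
    if ! mount "/dev/$md.eli" "$dir"; then
        geli detach "$md.eli"              # roll back in reverse order
        mdconfig -d -u "${md#md}"
        return 1
    fi
    echo "$md"
}

# Run directly as: sh script.sh imageFile /root/md0.key <mountpoint>
if [ "$#" -eq 3 ]; then
    attach_image "$@"
fi
```

The printed md name is what umountImage.sh asks for, so it can be saved and reused at teardown.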