So I decided to create an encrypted folder on my workstation to use as a storage device for work-related files (which typically have passwords etc. located in them). After some trial and error I found the way to do it. Blog entries and the like that reference this material mention using the svnd0 vnode device for the encryption, but it doesn't work. I'm not sure if this is an OpenBSD 5 peculiarity or something to do with my SPARC install, but I eventually sorted it out.
Note: do all commands as the root user - it's a lot easier.
I created the sparse file to be encrypted:
# dd if=/dev/zero of=/location/of/secret/file/.cryptfile bs=1024 count=1024000
Note that it's 1GB in size and has a preceding "." so it's at least a little bit hidden from a casual ls search.
I have to mount .cryptfile somewhere, so I created a folder for that too (or wherever you'd like to put it):
# mkdir /media/crypt
I have to check what vnodes are available:
# vnconfig -l
vnd0: not in use
vnd1: not in use
vnd2: not in use
vnd3: not in use
I can choose any of these to associate with my virtual encrypted device. I will use vnd0. Using vnconfig again:
# sudo vnconfig -ck -v vnd0 .cryptfile
Encryption key: (use something good)
vnd0: 1048576000 bytes on .cryptfile
OK, so now we need to create a file system on our device. It has only a single partition, so we newfs the "c" slice, which covers the whole disk:
# sudo newfs /dev/vnd0c
/dev/rvnd0c: 1000.0MB in 2048000 sectors of 512 bytes
5 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
super-block backups (for fsck -b #) at:
32, 414688, 829344, 1244000, 1658656,
So now to mount our encrypted filesystem to store our secret files!
# mount /dev/vnd0c /media/crypt
Probably a good idea to make it usable for me:
# chown -R angus:wheel /media/crypt
And we're off and racing:
# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 1005M 42.2M 913M 4% /
/dev/wd0k 42.8G 1.0G 39.7G 2% /home
/dev/wd0d 3.9G 224K 3.7G 0% /tmp
/dev/wd0f 2.0G 450M 1.4G 24% /usr
/dev/wd0g 1005M 135M 820M 14% /usr/X11R6
/dev/wd0h 8.6G 1.9G 6.3G 23% /usr/local
/dev/wd0j 2.0G 2.0K 1.9G 0% /usr/obj
/dev/wd0i 2.0G 2.0K 1.9G 0% /usr/src
/dev/wd0e 7.9G 42.7M 7.4G 1% /var
/dev/vnd0c 984M 2.0K 935M 0% /media/crypt
I'll be re-creating this whole thing again soon so watch out for any updates or errata.
Check out: http://www.backwatcher.org/writing/howtos/obsd-encrypted-filesystem.html for some handy mounting/unmounting scripts.
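The steps above leave the decrypted filesystem attached until it is unmounted and the vnd device is released. As an added example (not from the original post or the linked scripts), this sh helper picks a free vnd from `vnconfig -l`, attaches and mounts an existing container, and tears it down again; the function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: attach/detach helper for the vnd-backed container built above.
# Run as root on OpenBSD. Function names and usage paths are illustrative.
#   usage: crypt.sh attach /path/to/.cryptfile /media/crypt   (prints the vnd used)
#          crypt.sh detach vnd0 /media/crypt

# Read `vnconfig -l` output on stdin; print the first device marked "not in use".
# Exits non-zero when every device is busy.
first_free_vnd() {
    awk -F: '/: not in use/ { print $1; found = 1; exit } END { exit !found }'
}

# Attach image $1 to a free vnd (vnconfig prompts for the key) and mount on $2.
crypt_attach() {
    img=$1 mnt=$2
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
    dev=$(vnconfig -l | first_free_vnd) || { echo "no free vnd device" >&2; return 1; }
    mkdir -p "$mnt" || return 1
    vnconfig -ck -v "$dev" "$img" >&2 || return 1
    if ! mount "/dev/${dev}c" "$mnt"; then
        # Mount failed (for example a mistyped key): do not leave the device attached.
        vnconfig -u "$dev"
        return 1
    fi
    echo "$dev"
}

# Unmount $2 and release vnd $1 so the plaintext view of the files goes away.
crypt_detach() {
    dev=$1 mnt=$2
    umount "$mnt" || return 1    # fails while files are still open; close them first
    vnconfig -u "$dev"
}

case "${1:-}" in
    attach) crypt_attach "$2" "$3" ;;
    detach) crypt_detach "$2" "$3" ;;
esac
```

Detach before leaving the workstation unattended; while the volume is mounted, anyone with access to /media/crypt sees the files in the clear.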