Another encrypted root on FreeBSD 9.x blog, multiple partitions with one key!

Yes, I’m bored enough to write a how-to article. I’m consolidating my own FreeBSD crypto strategy here because the advice I got from the other google’d blogs of other random open-source dorks mislead me I feel.

I’m totally geli…. There, now that I’ve alienated anyone who didn’t actually need help, an encrypted filesystem is a good thing for any paranoid weirdo who is afraid of his/her computer being stolen, confiscated (what have you been up to?), or poked at by prying roommates (mine are actually pretty cool). The average person has all kinds of saved passwords, credit card numbers, and hate letters their shrink told them to write but not actually send floating on their hard drive. This is serious stuff people, don’t let the monster in your closet steal it.

A lot of tutorials go for ZFS. Are you building a server for a Fortune 500 company that needs reliable mirrors? No? Then stawp. Are you building a regular desktop system using FreeBSD because GOOD GOD why do all the Linux distributions have to be so needlessly overmanaged? Then chances are you want a separate /home partition (at least) so your personal data survives any mood swing root formats. ZFS will over complicate our lives for that purpose, so let’s be old fashioned and boring.

Get a FreeBSD 9.1 installer that isn’t “minimal”. The DVD is safe that I know of. Begin an installation and when it asks you about partitioning, choose “Shell”. Make sure that $6 4GB USB flash drive you bought at Walmart is plugged in. I mentioned I’m that annoying guy who tells you to put /boot on flash right? No? Whoops, sorry.

gpart destroy -F da0
gpart destroy -F ada0

This kills any lingering boot code floating on your flash drive or your hard drive. Change devices as needed. If it errors out, that typically means there wasn’t any bootcode to kill, so just move forward.
gpart create -s gpt da0
gpart add -s 128 -t freebsd-boot da0
gpart add -t freebsd-ufs -l boot da0
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da0
newfs -U -O2 /dev/gpt/boot

Okay, so we added bootcode to the flash drive and formatted the rest of it’s space to FreeBSD’s native UFS. We’re going to use a keyfile and a password to unlock our hard drive, so if somebody manages to figure out our password or steal our keys (keep your boot close to your crotch), they only have half what they need to read that letter about how your Aunt Betty… nevermind. Moving on…

Let’s mount our flash drive and drop our encryption key on it. I personally named mine “errormesg”, because it amuses me, but will likely not stump anybody smart enough to attempt to crack a 256-bit AES standard. For the example I use ada0.key.

mount /dev/gpt/boot /mnt
dd if=/dev/random of=/mnt/ada0.key bs=4096 count=1

You can skip this entire step if you want. Just don’t use the -K flag for the geli init or the -k flag for the geli attach. You’ll then have a password-only encryption. Use something long and difficult, but that you can actually remember. I assume no responsibility for the loss of your pr0n collection.

kldload geom_eli
geli init -b -e AES-XTS -K /mnt/ada0.key -l 256 -s 4096 /dev/ada0
geli attach -k /mnt/ada0.key /dev/ada0
umount /dev/gpt/boot

You can change the encryption standard after the -e flag if you want and/or know what you’re doing. When the geom_eli driver loads, it should show if your motherboard supports hardware decryption or not. If you’re running applications that are data intensive (say, a database server), this might be relevant. Using a 7200rpm hard drive on a regular desktop machine with an Intel Atom, I can tell you I have no real problem with software decryption.

Anyway, we encrypted the hard disk device, rather than individual partitions under it. This means we don’t have to use a separate password/keyfile for each partition. Minimal headache! Go ahead and partition your hard drive using gpart. I have a 2TB, I did mine as follows:

gpart add -s 50G -t freebsd-ufs -l root ada0.eli
gpart add -s 8G -t freebsd-swap -l swap ada0.eli
gpart add -t freebsd-ufs -l home ada0.eli
newfs -U -O2 /dev/gpt/root
newfs -U -O2 /dev/gpt/home

You may require more partitions. Follow the example and adjust as needed. Now, mount root so we can continue with installation.

mount /dev/gpt/root /mnt
mkdir /mnt/bootdir
mount /dev/gpt/boot /mnt/bootdir

Hit ctrl+d to escape from the shell back to the installer. Continue as with any routine FreeBSD installation. Although you might want to mount /home as well if you’re adding users in the installer. When it asks you if you’d like to enter the shell to add any last minute options, say YES.

We have files to edit! You can use vi if you want, but being an emacs user, I can’t figure that thing out to save my friggin’ life. I use ee and cross my fingers. Add the following lines to /etc/fstab (adjust accordingly):

/dev/gpt/boot    /bootdir        ufs      rw,noatime    1    1
/dev/gpt/root    /            ufs      rw,noatime    1    1
/dev/gpt/home    /home            ufs      rw,noatime    0    0
/dev/gpt/swap    none            swap      sw        0    0

Now let’s rearrange some data:

mv /boot /bootdir
ln -s /bootdir/boot /boot
mv /bootdir/ada0.key /boot

Now create the file /boot/loader.conf and add the following lines to it:

Now for some goofy reason, when it asks you for the passkey on boot, at least on my system, it kind of hangs at first. Mash the enter key until it says something about the password being wrong and you have 2 tries left. Now type the right password in. Hooray! Our system is booting to an encrypted root fs. Unless you plan on doing anything that requires access to /boot (modifying /boot/loader.conf, installing nvidia-driver, bulding a new kernel, etc.), you can safely unmount your flash drive, attach it to your keychain, and keep it in your pocket. If I kept FreeBSD 5 up for a year on an Intel Celeron 800mhz and FreeBSD 7 for nearly 2 years on an UltraSparc IIe, I think it’s safe to say that you can maintain good uptime and not need to plug that thing in very often. I do however suggest making a copy of that encryption keyfile and hiding it somewhere, unless you have a lot of faith in cheap flash drives. I don’t care if it’s a CD-R in your old Vanilla Ice CD case or an awkward email to your girlfriend that she doesn’t understand, put it somewhere. Nothing is permanent, especially flash memory.

Alright jokers, happy compiling.

Leave a Reply