soup4you2
October 17th, 2003, 14:52
Here are some basic steps to making an encrypted filesystem.

Add options GEOM_BDE into the kernel and recompile according to the handbook.

Backup any information on that drive because we will be building a newfs.

Create a Directory to Hold gbde Lock Files

mkdir /etc/gbde

A gbde partition must be initialized before it can be used. This initialization needs to be performed only once:

gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c

gbde will open your editor, permitting you to set various configuration options in a template. For use with UFS1 or UFS2, set the sector_size to 2048:

[code]
$FreeBSD: src/sbin/gbde/template.txt,v 1.1 2002/10/20 11:16:13 phk Exp $
#
# Sector size is the smallest unit of data which can be read or written.
# Making it too small decreases performance and decreases available space.
# Making it too large may prevent filesystems from working. 512 is the
# minimum and always safe. For UFS, use the fragment size
#
sector_size = 2048
[/code]

Once you close out of that, be sure to enter some strong passwords.

Caution: gbde lock files must be backed up together with the contents of any encrypted partitions. While deleting a lock file alone cannot prevent a determined attacker from decrypting a gbde partition, without the lock file, the legitimate owner will be unable to access the data on the encrypted partition without a significant amount of work that is totally unsupported by gbde and its designer.

Attach the Encrypted Partition to the Kernel

gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c

You will be asked to provide the passphrase that you selected during the initialization of the encrypted partition. The new encrypted device will show up in /dev as /dev/device_name.bde

Create a File System on the Encrypted Device

newfs -U -O2 /dev/ad4s1c.bde

Note: The newfs command must be performed on an attached gbde partition which is identified by a *.bde extension to the device name.

mount /dev/ad4s1c.bde /mnt

Check the File System for Errors

Since encrypted file systems cannot yet be listed in /etc/fstab for automatic mounting, the file systems must be checked for errors by running fsck manually before mounting.

fsck -p -t ffs /dev/ad4s1c.bde

sysinstall is incompatible with gbde-encrypted devices. All *.bde devices must be detached from the kernel before starting sysinstall or it will crash during its initial probing for devices. To detach the encrypted device used in our example, use the following command:

gbde detach /dev/ad4s1c

Also note that, as vinum does not use the geom subsystem, you cannot use gbde with vinum volumes.


This is a quick rundown from what's in the handbook, but this info could be quite useful. And do not do this on your root or usr labels.
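An added example, not from the original post or the FreeBSD handbook: a small sh wrapper for the attach/fsck/mount sequence described above. It refuses to attach when the lock file is missing, runs fsck before mount (since gbde devices cannot be listed in /etc/fstab), and detaches again if fsck or mount fails. The device and lock-file names are the ones used above; GBDE_LOCK_DIR is an assumed override so the helpers can be exercised outside /etc/gbde.

```shell
#!/bin/sh
# Added example (not the post's own code). Assumes the /dev/ad4s1c and
# /etc/gbde/ad4s1c naming used above; GBDE_LOCK_DIR is an assumed override.
: "${GBDE_LOCK_DIR:=/etc/gbde}"

# /dev/ad4s1c -> /dev/ad4s1c.bde (the attached, decrypted device)
bde_dev() { printf '%s.bde\n' "$1"; }

# /dev/ad4s1c -> /etc/gbde/ad4s1c (the lock file written by gbde init)
lock_file() { printf '%s/%s\n' "$GBDE_LOCK_DIR" "$(basename "$1")"; }

# Without the lock file the legitimate owner cannot reach the data, so fail
# early with a clear message rather than letting gbde attach fail later.
check_lock_file() {
    lf=$(lock_file "$1")
    [ -f "$lf" ] || { echo "missing lock file $lf (restore it from backup)" >&2; return 1; }
}

# Attach, fsck, then mount. gbde devices cannot go in /etc/fstab, so the
# fsck that rc would normally run at boot has to happen here, before mount.
gbde_mount() {
    dev=$1; mnt=$2
    check_lock_file "$dev" || return 1
    gbde attach "$dev" -l "$(lock_file "$dev")" || return 1
    if ! fsck -p -t ffs "$(bde_dev "$dev")"; then
        echo "fsck failed on $(bde_dev "$dev"); detaching" >&2
        gbde detach "$dev"
        return 1
    fi
    mount "$(bde_dev "$dev")" "$mnt" || { gbde detach "$dev"; return 1; }
}

# Unmount and detach; run this before sysinstall, which crashes on *.bde devices.
gbde_umount() {
    dev=$1
    umount "$(bde_dev "$dev")" && gbde detach "$dev"
}

# Usage: gbde-mount.sh mount /dev/ad4s1c [/mnt]   |   gbde-mount.sh umount /dev/ad4s1c
case "${1:-}" in
    mount)  gbde_mount "$2" "${3:-/mnt}" ;;
    umount) gbde_umount "$2" ;;
esac
```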

soup4you2
October 20th, 2003, 10:01
As with anything, security comes with a price tag, this time performance. Here are some benchmark results:

[code]
TEST CHARACTERISTICS:
2G File
write a 2000 Megabyte sequential file consisting of 4096000 records which are each 512 bytes in length. It then reads the file. It prints the bytes-per-second rate at which the computer can read and write files.

DISK CHARACTERISTICS:
Disk = 20gb Maxtor ATA-66

ACLs: disabled
MAC multilabel: disabled
soft updates: enabled
maximum blocks per file in a cylinder group: 2048

ENCRYPTED -

Wrote a 2000 Megabyte file, ...283.875000 seconds
Reading the file...245.703125 seconds

performance measurements:
7387589 bytes/second for writing the file
8535308 bytes/second for reading the file

NON -

Wrote a 2000 Megabyte file, ...63.054688 seconds
Reading the file...63.546875 seconds

performance measurements:
33259256 bytes/second for writing the file
33001654 bytes/second for reading the file
[/code]