On Sun, 25 Nov 2007, Pau Amaro-Seoane wrote:
> hi,
>
> I htink this is a trivial question, but since this is newbies, there I go:
>
> I have made two small separate partitions; one for my emails and the
> other one for some very private files. The first partition is called
> /correu and the second one /fitx_confg
>
> I want the two of them encrypted. They are 2G and 100M in size. How
> can I do it and how long does it take to encrypt/ decrypt them on
> boot???
>
> Cheers,
>
> Pau
There is no supported way to do this on OpenBSD, because de Raadt
isn't interested and doesn't consider it useful.
However, nearly the same effect can be achieved with vnconfig.
This, however, would not be exactly what you want, since the files
on disk would remain always encrypted.
Let us say that the partition is /dev/wd0g and that it is to be
mounted on /correu.
Let's say you already have files (unencrypted) on that partition.
First, clear the partitions.
# cd /correu
# tar czvpf /tmp/correu.tgz .
# rm -r -P *
# umount /correu
# newfs /dev/rwd0g
# mount /dev/wd0g /correu
Now create on /correu a file equal to the size of the partition:
# dd if=/dev/urandom of=correu.fs bs=1m count=somethingorother
Associate an svnd device with this file
# vnconfig -k svnd0 /correu/correu.fs
It will prompt for a password. Give it one. Remember it. There's no
way to figure it out later, except to become a terrorist and give your
drive to the police of one of the three or four nations with NSA-like
capabilities.
Build a file system:
# newfs /dev/rsvnd0c
(You could do a disklabel at this point, and create partitions within
svnd0. It is not necessarily scary to use the "c" partition in this
case, since no other partitions are contemplated. [NEVER THE CASE FOR
A HARDDISK -- but this isn't a harddisk.]).
Mount it *over* the other: (Why over? Because we can. It's not
required, but it's somewhat cleaner.)
# cd /
# mount /dev/svnd0c /correu
Restore the files:
# cd /tmp
# tar xzvf correu.tgz -C /correu
Are the files there?
# find /correu
Obliterate the tgz
# rm -P /tmp/correu.tgz
Maybe you'd like to save that tgz for a while. If so, encrypt it
with openssl. (man openssl, look at the ENC command starting about
26% of the way through).
All done. Now, while running, you will see the files in /correu.
Encryption/Decryption will be done when you write/read a file. No
plaintext will ever make it to the disk. (FOR MORE SECURE USE:
/tmp should also be encrypted, and swap, and possibly other files
that you don't want the police to find. There may still be leaks
possible in core files, and leaks through X. /home is a good
candidate for encryption. (What if the police found your porn site
history from Firefox??? All those pictures of tea cozies and underage
hedgehogs in your cache???) Also /var -- otherwise the police will
read your maillogs! Once you get started with this, there's no
real stopping place. Paranoia is open-ended.)
Here's a "mount" output from my system, showing an encrypted filesystem
mounted on /mnt over another partion (sd1g), which holds the associated
encrypted filesystem image.
[EMAIL PROTECTED] root 0:48]# mount
/dev/sd0a on / type ffs (local)
mfs:24282 on /tmp type mfs (asynchronous, local, nodev, size=524288 1K-blocks)
/dev/sd0d on /var type ffs (local, nodev, softdep)
/dev/sd0e on /usr type ffs (local, nodev, softdep)
/dev/sd0f on /home type ffs (local, nodev, softdep)
/dev/sd1d on /exports type ffs (NFS exported, local, softdep)
/dev/sd1g on /mnt type ffs (local)
/dev/svnd0c on /mnt type ffs (local)
[EMAIL PROTECTED] root 0:49]#
[EMAIL PROTECTED] root 0:49]# vnconfig -l
vnd0: covering /mnt/fs.fs on sd1g, inode 3
vnd1: not in use
vnd2: not in use
vnd3: not in use
[EMAIL PROTECTED] root 0:50]#
"fs.fs" is the encrypted filesystem image on /dev/sd1g.
At shutdown, the shutdown routine will deconfigure the svnd and
dismount the filesystems mounted on /correu.
Manual deconfiguration (Caramba! The Secret Police are elbowing
their way through the cyber cafe waving guns and shouting
in coarse, bestial language). You quickly type:
# umount /carreu # unmounts the vnd
# vnconfig -u svnd0 # disassociates the vnd from the filesystem
image.
System is then secure. Later, in the cellar of the Commissariat
of Love, you may decide to share the password with the nice man
with the Taser, but that's a different problem.
(A clever lad might have those commands in a cron job requiring the
user to touch a file of magickal name every ten minutes, (or ten seconds
for delicate work) or they are executed. But this is getting a little
Hollywoodish.)
I *think* I have all the commands right.
- - - - - -
At your next (and every other) boot, you will need to configure
the svnd0 and mount the two filesystems.
# mount /dev/wd0g /correu
# vnconfig -k svnd0 /correu/correu.fs
(give it the password interactively)
# mount /dev/svnd0c /correu
In 4.2, some of this can be done in /etc/fstab and /etc/rc.conf.local
There is no "decent" (secure) way to automatically enter the password.
Do not look for one.
The other fs can be done with svnd1, same-same.
For God's sake, try this out first with a throw away partition and
throw away files before committing to using it "for real". It's important
to understand what a "filesystem image" is.
Man vnd
Man vnconfig
On 4.2, note the stuff about mount_vnd and /etc/fstab
Dave
_______________________________________________
Openbsd-newbies mailing list
[email protected]
http://mailman.theapt.org/listinfo/openbsd-newbies
