soup4you2
October 17th, 2003, 14:52
Here are some basic steps to making an encrypted filesystem.
Add options GEOM_BDE into the kernel and recompile according to the handbook.
Back up any information on that drive because we will be building a newfs.
Create a Directory to Hold gbde Lock Files
mkdir /etc/gbde
A gbde partition must be initialized before it can be used. This initialization needs to be performed only once:
gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c
gbde will open your editor, permitting you to set various configuration options in a template. For use with UFS1 or UFS2, set the sector_size to 2048:
[code]
$FreeBSD: src/sbin/gbde/template.txt,v 1.1 2002/10/20 11:16:13 phk Exp $
#
# Sector size is the smallest unit of data which can be read or written.
# Making it too small decreases performance and decreases available space.
# Making it too large may prevent filesystems from working. 512 is the
# minimum and always safe. For UFS, use the fragment size
#
sector_size = 2048
[/code]
Once you close out of that, be sure to enter some strong passwords.
Caution: gbde lock files must be backed up together with the contents of any encrypted partitions. While deleting a lock file alone cannot prevent a determined attacker from decrypting a gbde partition, without the lock file, the legitimate owner will be unable to access the data on the encrypted partition without a significant amount of work that is totally unsupported by gbde and its designer.
Attach the Encrypted Partition to the Kernel
gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c
You will be asked to provide the passphrase that you selected during the initialization of the encrypted partition. The new encrypted device will show up in /dev as /dev/device_name.bde
Create a File System on the Encrypted Device
newfs -U -O2 /dev/ad4s1c.bde
Note: The newfs command must be performed on an attached gbde partition which is identified by a *.bde extension to the device name.
mount /dev/ad4s1c.bde /mnt
Check the File System for Errors
Since encrypted file systems cannot yet be listed in /etc/fstab for automatic mounting, the file systems must be checked for errors by running fsck manually before mounting.
fsck -p -t ffs /dev/ad4s1c.bde
sysinstall is incompatible with gbde-encrypted devices. All *.bde devices must be detached from the kernel before starting sysinstall or it will crash during its initial probing for devices. To detach the encrypted device used in our example, use the following command:
gbde detach /dev/ad4s1c
Also note that, as vinum does not use the geom subsystem, you cannot use gbde with vinum volumes.
This is a quick rundown of what's in the handbook, but this info could be quite useful. And do not do this on your root or usr labels.
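Since a gbde partition cannot go in /etc/fstab, the attach, fsck and mount steps above have to be repeated by hand on every boot, and in that exact order. Here is a small sh wrapper for that sequence, added as an example and not part of the original post or the handbook; it reuses the post's /dev/ad4s1c, /etc/gbde/ad4s1c and /mnt, while the function names and the DRY_RUN variable (which only prints the commands) are this example's own.

```shell
#!/bin/sh
# Wrapper for the manual gbde bring-up/tear-down sequence from the post.
# Defaults match the post; override with DEV=, LOCK=, MNT= in the environment.
DEV="${DEV:-/dev/ad4s1c}"
LOCK="${LOCK:-/etc/gbde/$(basename "$DEV")}"
MNT="${MNT:-/mnt}"
BDE="${DEV}.bde"

# run: echo the command line, then execute it unless DRY_RUN is set.
run() {
    printf '%s\n' "$*"
    [ -n "$DRY_RUN" ] || "$@"
}

# gbde_up: attach, fsck the *.bde device, then mount.
# fsck must run on the attached .bde device and before the mount,
# because nothing in /etc/fstab will do it for us.
gbde_up() {
    if [ ! -f "$LOCK" ]; then
        echo "lock file $LOCK missing: gbde cannot attach without it" >&2
        return 1
    fi
    run gbde attach "$DEV" -l "$LOCK" || return 1
    # On fsck or mount failure, detach again so no half-configured .bde is left.
    run fsck -p -t ffs "$BDE" || { run gbde detach "$DEV"; return 1; }
    run mount "$BDE" "$MNT"   || { run gbde detach "$DEV"; return 1; }
}

# gbde_down: unmount, then detach. Run this before starting sysinstall,
# which crashes while probing if any *.bde device is still attached.
gbde_down() {
    run umount "$MNT" || return 1
    run gbde detach "$DEV"
}

case "$1" in
    up)   gbde_up ;;
    down) gbde_down ;;
esac
```

Usage: `./gbde-mount.sh up` after boot and `./gbde-mount.sh down` before shutting down or running sysinstall; `DRY_RUN=1 ./gbde-mount.sh up` just prints what would be run.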