Encrypted Disk Partitions

Sometimes I can see the future. When someone says, “I’ve encrypted my hard drive!” I have a psychic vision of them saying “I’ve lost all my data!” While encrypting a hard drive partition is warranted in some cases, most of the time, it’s just pretentious. In this section, I will do you the courtesy of assuming that you understand when you truly need disk encryption if you will do me the courtesy of not complaining to me when you lose your data.[25]

Creating Encrypted Partitions

OpenBSD includes disk encryption as a bioctl(8) option—specifically, like a RAID discipline. Where disk activity would normally be passed through a RAID discipline, here it passes through an encryption discipline. The encrypted disk even shows up as a softraid device. Much like the support for RAID-5, support for encrypted filesystems is experimental. Although it should work, don’t be shocked if some features are not yet included or if it eats your entire disk. Keep good backups. Reread the previous paragraph. And again—please don’t complain to me when it doesn’t work.

Under OpenBSD, an encrypted volume can include only a single partition. Use the RAID type C to specify an encrypted volume. Here’s how to create an encrypted volume on the sd4p partition:

  # bioctl -c C -l sd4p softraid0
1 New passphrase:
  Re-type passphrase:
  softraid0: SR CRYPTO volume attached as sd5

At the prompt marked 1, enter a passphrase twice. A good passphrase is several words long, and includes a mix of characters, symbols, numbers, punctuation, and whitespace. The passphrase is the secret code used to encrypt and decrypt data, so the longer and more varied it is, the better. Remember this passphrase; you must enter it again to recover your data. Once you’ve entered your passphrase twice, bioctl creates the encrypted disk device. In this case, it has attached the encrypted softraid0 volume as disk sd5.

Using Encrypted Partitions

Do not mount this new disk yet! Instead, use fdisk to check our new, encrypted partition.

# fdisk sd5
Disk: sd5       geometry: 6526/255/63 [104855663 Sectors]
Offset: 0       Signature: 0x8BF9
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
------------------------------------------------------------------------------
 0: D9 230285  63  36 - 134263  55  58 [  3699532529:  2752373385 ] <Unknown ID>
 1: 8C  73068 221  44 - 176434  56  49 [  1173851386:  1660564401 ] <Unknown ID>
 2: C9 218148  78  47 - 141866 243  13 [  3504552580:  3069507328 ] <Unknown ID>
 3: AC 125252   6   1 - 245307  77  22 [  2012173758:  1928688070 ] <Unknown ID>

The underlying disk is blank, and our fdisk output looks like garbage, but this disk is now an encrypted volume.

Now that the encrypted disk exists, create an MBR partition and add disklabel partitions, just as when you add any other disk. Then you can mount your encrypted device partition using the device node—again, just as with any other disk.

To unmount the decrypted partition, destroy the softraid device by passing bioctl the -d argument.

# bioctl -d sd5

To anyone who doesn’t have the passphrase, this partition now looks like random garbage.

Automatic Decryption

If you have an encrypted partition, presumably you don’t want OpenBSD to automatically decrypt and mount it when the system boots. (The whole point of an encrypted partition is that only a person who has the passphrase can access the encrypted data.) Still, I’m not one to tell you not to shoot yourself in the foot, so if you must automatically decrypt the partition, you can do so.

First, create a file containing your passphrase. Give ownership of this file to root and set the permissions to 600 (read-write by owner; no access by other users), and then give this file to bioctl(8) with the -p flag. In this example, the encrypted disk is created as /dev/sd5 and there is a partition on /dev/sd5a. I’ve stored my passphrase in the file /etc/passphrase, so I could run something like this:

# bioctl -c C -l sd4p -p /etc/passphrase softraid0
# mount /dev/sd5a /home/mwlucas

Adding this to /etc/rc.securelevel will mount this encrypted partition at boot.
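
The ownership and permission requirements above can be checked before the passphrase file is ever handed to bioctl. This is an added example, not code from the book or from OpenBSD; the function names passfile_ok and attach_encrypted are hypothetical, and the device names, passphrase file, and mount point are the ones used in the text.

```shell
#!/bin/sh
# Added example: preflight check for a bioctl(8) passphrase file.
# passfile_ok and attach_encrypted are constructed names for illustration.

# passfile_ok FILE [OWNER]
# Succeeds only if FILE is a non-empty regular file, mode 600, owned by OWNER.
passfile_ok() {
    file=$1
    owner=${2:-root}
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi
    # ls -ld is used because stat(1) flags differ between OpenBSD and other
    # systems. Field 1 is the mode string, field 3 the owner name.
    read -r mode _links actual _rest <<EOF
$(ls -ld "$file")
EOF
    case $mode in
        -rw-------*) ;;  # a trailing ACL marker such as . or + is tolerated
        *) echo "$file: mode is $mode, want -rw-------" >&2; return 1 ;;
    esac
    if [ "$actual" != "$owner" ]; then
        echo "$file: owned by $actual, want $owner" >&2
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "$file: empty passphrase file" >&2
        return 1
    fi
    return 0
}

# attach_encrypted PASSFILE CHUNK MOUNTDEV MOUNTPOINT
# Attaches and mounts only if the passphrase file passes the check.
attach_encrypted() {
    passfile_ok "$1" || return 1
    bioctl -c C -l "$2" -p "$1" softraid0 || return 1
    mount "$3" "$4"
}
# In /etc/rc.securelevel, with the values from the text:
#   attach_encrypted /etc/passphrase sd4p /dev/sd5a /home/mwlucas
```

A failed check leaves the volume detached and prints the reason on standard error, so a passphrase file that has become readable by other users shows up at boot instead of going unnoticed.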

You should now have a good idea of how to manage OpenBSD disks and filesystems. Next, we’ll look at some of OpenBSD’s special security features.



[21] I don’t know what a dump level of 128m means, other than “not what I want.”

[22] How many users do I mean by “a few?” When synchronizing UIDs across all of your systems begins to really, really annoy you, you no longer have a few users.

[23] You could add a non-RAID partition in the unused space on the larger drive, but that would do terrible things to your system’s performance. Just buy more hard drives, you cheapskate.

[24] If you need to force an error on a hard disk, removing the disk from the machine will certainly do it.

[25] Not that I can help you—all I can do is say “I told you so.” On a related note: You can get tired of anything, no matter how pleasant, if you have to do it often enough.
