FreeBSD Edition

FreeBSD Edition Encryption

Pars Enterprise FreeBSD edition: full-platform encryption method that also covers the boot system, with a passphrase required on top of a physical token.

PART I - UFS METHOD

Pars Enterprise FreeBSD edition full encryption with UFS filesystem

PART II - ZFS METHOD

Pars Enterprise FreeBSD full encryption with ZFS filesystem

Default device names of the existing customized operating system (after booting the FreeBSD live environment):

# sysctl kern.disks

# gpart show ada0

# gpart show da0

Creating temporary folders to clone the current operating system:

# mkdir /mnt/backup

Mounting the backup volume (dax stands for the external backup disk) before cloning:

# kldload ext2fs

# mount -t ext2fs /dev/dax /mnt/backup

Cloning the current customized operating system (adax stands for the filesystem device of the existing system):

# dump -0af /mnt/backup/image.dump /dev/adax

Full formatting storage before encryption:

# gpart destroy -F ada0

# dd if=/dev/urandom of=/dev/ada0 bs=1m count=1

Performing the partitioning scenario after full formatting:

# gpart create -s gpt ada0

# gpart add -t freebsd-swap -l swapfs -s 32g -a 1m ada0

# gpart add -t freebsd-ufs -l rootfs -s 100g -a 1m ada0

# gpart add -t freebsd-ufs -l homefs -a 1m ada0

The physical token (da0) is prepared in the same way:

# gpart destroy -F da0

# dd if=/dev/urandom of=/dev/da0 bs=64k count=1

# gpart create -s gpt da0

# gpart add -t freebsd-boot -s 512k -a 4k da0

# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da0

# gpart set -a active -i 1 da0

# gpart add -t freebsd-ufs -l bootfs -s 1g -a 1m da0

# newfs -O2 -U -j -m6 /dev/gpt/bootfs

# gpart set -a bootme -i 2 da0

Generating the physical token key file on the token's boot volume:

# mkdir /mnt/bootvol

# mount /dev/da0p2 /mnt/bootvol

# dd if=/dev/urandom of=/mnt/bootvol/PEOST.bin bs=4096 count=1

# mv /mnt/bootvol/PEOST.bin /mnt/bootvol/.PEOST.bin

# chmod 000 /mnt/bootvol/.PEOST.bin

Starting platform encryption with the following parameters:

# kldload geom_eli

# geli init -a HMAC/SHA256 -b -B /mnt/bootvol/ada0p2.eli -e AES-XTS -K /mnt/bootvol/.PEOST.bin -l 256 -s 4096 /dev/ada0p2

# geli attach -k /mnt/bootvol/.PEOST.bin /dev/ada0p2

# dd if=/dev/urandom of=/dev/ada0p2.eli bs=1m count=1

# newfs -O2 -U -j -m6 /dev/ada0p2.eli

Restoring cloned operating system to created volumes:

# mkdir /mnt/rootvol

# mount /dev/ada0p2.eli /mnt/rootvol

# cd /mnt/rootvol

# restore -rf /mnt/backup/image.dump

Encrypting the home partition with the same parameters:

# geli init -a HMAC/SHA256 -b -B /mnt/bootvol/ada0p3.eli -e AES-XTS -K /mnt/bootvol/.PEOST.bin -l 256 -s 4096 /dev/ada0p3

# geli attach -k /mnt/bootvol/.PEOST.bin /dev/ada0p3

# dd if=/dev/urandom of=/dev/ada0p3.eli bs=1m count=1

# newfs -O2 -U -j -m6 /dev/ada0p3.eli

Moving the current home folder contents after encryption:

# mkdir /mnt/homevol

# mount /dev/ada0p3.eli /mnt/homevol

# mv /mnt/rootvol/home/* /mnt/homevol

or:

# ln -fs /mnt/rootvol/home/(username) /mnt/homevol/(username)

Moving the current boot folder contents after encryption (the token volume is still mounted on /mnt/bootvol):

# mv /mnt/rootvol/boot/* /mnt/bootvol

or:

# ln -fs /mnt/rootvol/boot /mnt/bootvol

# chmod -R g-rwx,o-rwx /mnt/rootvol/boot

Chrooting into the newly created root volume:

# swapon /dev/ada0p1

# mount -t procfs proc /mnt/rootvol/proc

# mount -t devfs devfs /mnt/rootvol/dev

# chroot /mnt/rootvol /bin/csh

Editing loader entries with the following contents:

# vi /boot/loader.conf

vfs.root.mountfrom="ufs:/dev/ada0p2.eli"

loader_delay="10000"

aesni_load="YES"

geom_eli_load="YES"

geom_eli_passphrase_prompt="YES"

geli_ada0p2_keyfile0_load="YES"

geli_ada0p2_keyfile0_type="ada0p2:geli_keyfile0"

geli_ada0p2_keyfile0_name="/boot/.PEOST.bin"

geli_ada0p3_keyfile0_load="YES"

geli_ada0p3_keyfile0_type="ada0p3:geli_keyfile0"

geli_ada0p3_keyfile0_name="/boot/.PEOST.bin"

Editing rc entries with the following contents:

# vi /etc/rc.conf

geli_swap_flags="-e AES-XTS -l 256 -s 4096 -d"

Alternative label-based solution, editing /boot/loader.rc instead of the per-provider loader.conf entries:

# vi /boot/loader.rc

include /boot/loader.4th

start

load_geli -n 0 /dev/gpt/rootfs /dev/gpt/bootfs/.PEOST.bin

load_geli -n 0 /dev/gpt/homefs /dev/gpt/bootfs/.PEOST.bin

Editing fstab entries with the following contents:

# vi /etc/fstab

/dev/ada0p2.eli / ufs rw,noatime 1 1

/dev/da0p2 /boot ufs rw,noatime 2 2

/dev/ada0p3.eli /home ufs rw,noatime 2 2

/dev/ada0p1.eli none swap sw 0 0

Changing the user passwords of the newly restored operating system:

# passwd root

# passwd (username)

Clearing command line interface history and exiting:

# history -cw

Or

# echo > /root/.history && history -c && exit

Unmounting filesystems after leaving the chroot:

# umount /mnt/rootvol/dev /mnt/rootvol/proc

# umount /dev/dax /dev/da0p2 /dev/ada0p3.eli /dev/ada0p2.eli

# swapoff /dev/ada0p1

Removing created folders when volumes were unmounted successfully:

# rm -rf /mnt/backup /mnt/bootvol /mnt/rootvol /mnt/homevol

Detaching the new encrypted storage and rebooting:

# geli detach /dev/ada0p2.eli /dev/ada0p3.eli

# sync && reboot
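A consistency check for the Part I configuration, added here as an example and not part of the Pars Enterprise procedure: it compares /etc/fstab with /boot/loader.conf so that the root provider, the home provider and their geli keyfile entries all name the same partitions. The check_eli_config function is hypothetical and the sample files are constructed to match the layout above.

```shell
#!/bin/sh
# Added example (not part of the Pars Enterprise procedure): cross-check /etc/fstab
# against /boot/loader.conf so the .eli root and home providers, their keyfile0
# entries and vfs.root.mountfrom all agree. Exit status = number of problems found.
check_eli_config() {
    fstab=$1; loader=$2; problems=0
    # 1. The provider mounted on / must be the one loader.conf boots from.
    root_fstab=$(awk '$2 == "/" { print $1 }' "$fstab")
    root_loader=$(sed -n 's/^vfs\.root\.mountfrom="ufs:\([^"]*\)".*/\1/p' "$loader")
    if [ "$root_fstab" != "$root_loader" ]; then
        echo "root mismatch: fstab mounts $root_fstab, loader.conf boots $root_loader"
        problems=$((problems + 1))
    fi
    # 2. Every non-swap .eli provider in fstab needs its three keyfile0 entries
    #    (swap is set up by geli_swap_flags in rc.conf instead, so it is skipped).
    for dev in $(awk '$1 ~ /\.eli$/ && $3 != "swap" { print $1 }' "$fstab"); do
        prov=${dev#/dev/}; prov=${prov%.eli}
        for var in load name; do
            grep -q "^geli_${prov}_keyfile0_${var}=" "$loader" ||
                { echo "$dev: geli_${prov}_keyfile0_${var} missing"; problems=$((problems + 1)); }
        done
        grep -q "^geli_${prov}_keyfile0_type=\"${prov}:geli_keyfile0\"" "$loader" ||
            { echo "$dev: keyfile0_type must be \"${prov}:geli_keyfile0\""; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed sample files mirroring the Part I layout (swap p1, root p2, home p3).
write_samples() {
    cat > "$1/loader.conf" <<'EOF'
vfs.root.mountfrom="ufs:/dev/ada0p2.eli"
geom_eli_load="YES"
geli_ada0p2_keyfile0_load="YES"
geli_ada0p2_keyfile0_type="ada0p2:geli_keyfile0"
geli_ada0p2_keyfile0_name="/boot/.PEOST.bin"
geli_ada0p3_keyfile0_load="YES"
geli_ada0p3_keyfile0_type="ada0p3:geli_keyfile0"
geli_ada0p3_keyfile0_name="/boot/.PEOST.bin"
EOF
    cat > "$1/fstab.good" <<'EOF'
/dev/ada0p2.eli / ufs rw,noatime 1 1
/dev/da0p2 /boot ufs rw,noatime 2 2
/dev/ada0p3.eli /home ufs rw,noatime 2 2
/dev/ada0p1.eli none swap sw 0 0
EOF
    # The same fstab with the root provider mistyped as ada0p4: the slip this check catches.
    sed 's#^/dev/ada0p2\.eli#/dev/ada0p4.eli#' "$1/fstab.good" > "$1/fstab.bad"
}
```

Run it as check_eli_config /etc/fstab /boot/loader.conf inside the chroot before unmounting; a non-zero exit status lists every mismatch on stdout.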


BSD Documentation License

Copyright © 2016, Pars Enterprise [info@parsenterprise.com] All rights reserved.

Redistribution and use in source (ParsEnterprise.PDF) and ‘compiled’ forms (SGML, HTML, PDF, PostScript, RTF and so forth) with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code (ParsEnterprise.PDF) must retain the above copyright notice, this list of conditions and the following disclaimer as the first lines of this file unmodified.

2. Redistributions in compiled form (converted to PDF, HTML, RTF and other formats) must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products derived from this documentation without specific prior written permission.

THIS DOCUMENTATION IS PROVIDED BY MAHDI MONTAZERI AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MAHDI MONTAZERI BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Default device names of the existing customized operating system (after booting the FreeBSD live environment):

# sysctl kern.disks

# gpart show ada0

# gpart show da0

Loading required kernel modules:

# kldload opensolaris

# kldload zfs

Wiping the backup disk (dax) completely before cloning onto it:

# gpart destroy -F dax

# dd if=/dev/urandom of=/dev/dax bs=64k

Cloning the current customized operating system:

# zpool create storage /dev/dax

# zfs set mountpoint=/clone storage

# zfs snapshot -r zroot@clone

# zfs send -Rv zroot@clone | gzip > /clone/rootvol.gz

Full formatting storage before encryption:

# gpart destroy -F ada0

# dd if=/dev/urandom of=/dev/ada0 bs=64k

# gpart destroy -F ada1

# dd if=/dev/urandom of=/dev/ada1 bs=64k

Performing the partitioning scenario after full formatting:

# gpart create -s gpt ada0

# gpart add -t freebsd-swap -l swapfs0 -s 32g -a 1m ada0

# gpart add -t freebsd-zfs -l rootfs0 -a 1m ada0

# gpart create -s gpt ada1

# gpart add -t freebsd-boot -s 512k -a 4k ada1

# gpart add -t freebsd-swap -l swapfs1 -s 32g -a 1m ada1

# gpart add -t freebsd-zfs -l rootfs1 -a 1m ada1

The physical token (da0) is prepared in the same way:

# gpart destroy -F da0

# dd if=/dev/urandom of=/dev/da0 bs=64k

# gpart create -s gpt da0

# gpart add -t freebsd-boot -s 512k -a 4k da0

# gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 da0

# gpart set -a active -i 1 da0

# gpart add -t freebsd-ufs -l bootfs -s 1g -a 1m da0

# newfs -O2 -U -j -m6 /dev/gpt/bootfs

Generating the physical token key file on the token's boot volume:

# mkdir /mnt/bootvol

# mount /dev/da0p2 /mnt/bootvol

# dd if=/dev/urandom of=/mnt/bootvol/PEOST.bin bs=4096 count=1

# mv /mnt/bootvol/PEOST.bin /mnt/bootvol/.PEOST.bin

# chmod 000 /mnt/bootvol/.PEOST.bin

Loading required kernel modules:

# kldload crypto

# kldload geom_mirror

# kldload geom_eli

Creating the mirrored swap device (it is encrypted at boot by the geli_swap_flags entry in rc.conf):

# gmirror label -b load -F swapfs /dev/gpt/swapfs0 /dev/gpt/swapfs1

Starting platform encryption with the following parameters:

# geli init -a HMAC/SHA256 -b -B /mnt/bootvol/rootfs0.eli -e AES-XTS -K /mnt/bootvol/.PEOST.bin -l 256 -s 4096 /dev/gpt/rootfs0

# geli attach -k /mnt/bootvol/.PEOST.bin /dev/gpt/rootfs0

# dd if=/dev/urandom of=/dev/gpt/rootfs0.eli bs=1m

# geli init -a HMAC/SHA256 -b -B /mnt/bootvol/rootfs1.eli -e AES-XTS -K /mnt/bootvol/.PEOST.bin -l 256 -s 4096 /dev/gpt/rootfs1

# geli attach -k /mnt/bootvol/.PEOST.bin /dev/gpt/rootfs1

# dd if=/dev/urandom of=/dev/gpt/rootfs1.eli bs=1m

Creating the pool and datasets before restoration:

# zpool create zroot mirror /dev/gpt/rootfs0.eli /dev/gpt/rootfs1.eli

# zfs create -o canmount=noauto -o mountpoint=none zroot/ROOT

# zfs create -o mountpoint=/ zroot/ROOT/default

# zfs set checksum=sha256 zroot

# zfs set dedup=on zroot

# zfs set compression=gzip zroot

# zfs create -o compression=on -o exec=on -o setuid=off -o dedup=on zroot/tmp

# zfs create zroot/usr

# zfs create zroot/usr/home

# cd /boot/zfs/zroot; ln -s /usr/home home

# zfs create -o compression=lzjb -o setuid=off -o dedup=on zroot/usr/ports

# zfs create zroot/var

# zfs create -o compression=lzjb -o exec=off -o setuid=off -o dedup=on zroot/var/log

# zfs create -o compression=gzip -o exec=off -o setuid=off -o dedup=on zroot/var/mail

# zfs create -o compression=lzjb -o exec=on -o setuid=off -o dedup=on zroot/var/tmp

Restoring cloned operating system to created volumes:

# zpool import -f storage

# zfs set mountpoint=/boot/zfs/clone storage

# zfs mount storage

# gunzip -c /boot/zfs/clone/rootvol.gz | zfs receive -vdF zroot

# zpool export storage

# zfs set mountpoint=/boot/zfs/zroot zroot

# cd /boot/zfs

# zpool export zroot && zpool import zroot

# cp /boot/zfs/zpool.cache /boot/zfs/zroot/boot/zfs/zpool.cache

# zfs umount -a

# zfs set mountpoint=legacy zroot

# zpool import -f storage

# zfs set mountpoint=/clone storage

# chmod -R g-rwx,o-rwx /boot

Chrooting into the newly created root volume:

# swapon /dev/mirror/swapfs

# chroot /boot/zfs/zroot /bin/csh

Editing loader entries with the following contents:

# vi /boot/loader.conf

vfs.root.mountfrom="zfs:zroot/ROOT/default"

loader_delay="10000"

crypto_load="YES"

zfs_load="YES"

aesni_load="YES"

geom_mirror_load="YES"

geom_eli_load="YES"

geom_eli_passphrase_prompt="YES"

geli_ada0p2_keyfile0_load="YES"

geli_ada0p2_keyfile0_type="ada0p2:geli_keyfile0"

geli_ada0p2_keyfile0_name="/dev/gpt/bootfs/.PEOST.bin"

geli_ada1p3_keyfile0_load="YES"

geli_ada1p3_keyfile0_type="ada1p3:geli_keyfile0"

geli_ada1p3_keyfile0_name="/dev/gpt/bootfs/.PEOST.bin"

zpool_cache_load="YES"

zpool_cache_type="/boot/zfs/zpool.cache"

zpool_cache_name="/boot/zfs/zpool.cache"

Editing rc entries with the following contents:

# vi /etc/rc.conf

zfs_enable="YES"

geli_swap_flags="-e AES-XTS -l 256 -s 4096 -d"

Alternative label-based solution, editing /boot/loader.rc instead of the per-provider loader.conf entries:

# vi /boot/loader.rc

include /boot/loader.4th

start

load_geli -n 0 /dev/gpt/rootfs0 /dev/gpt/bootfs/.PEOST.bin

load_geli -n 0 /dev/gpt/rootfs1 /dev/gpt/bootfs/.PEOST.bin

Editing fstab entries with the following contents:

# vi /etc/fstab

/dev/mirror/swapfs.eli none swap sw 0 0

Changing the user passwords of the newly restored operating system:

# passwd root

# passwd (username)

Clearing command line interface history and exiting:

# history -cw

Or

# echo > /root/.history && history -c && exit

Exporting the pools and unmounting the token volume after leaving the chroot:

# zpool export zroot

# zpool export storage

# umount /dev/da0p2

# swapoff /dev/mirror/swapfs

Removing created folders when volumes were unmounted successfully:

# rm -rf /mnt/bootvol

Detaching the new encrypted storage and rebooting:

# geli detach /dev/gpt/rootfs0.eli /dev/gpt/rootfs1.eli

# sync && reboot
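A post-boot verification for Parts I and II, added as an example and not part of the original procedure: it parses the text output of geli list and reports every attached provider whose encryption algorithm, key length or sector size differs from the values used above. The check_geli_params function and the sample output are constructed for this example; the field names follow the geli list output format.

```shell
# Added example (not part of the Pars Enterprise procedure): parse `geli list`
# output and flag any attached provider that deviates from the parameters used in
# Parts I and II (AES-XTS, 256-bit key, 4096-byte sectors). Exit status = number of
# offending geoms. The sample below is constructed, not captured from a real system.
check_geli_params() {   # reads geli list output on stdin
    awk '
    function flush() {
        if (geom == "") return
        bad = ""
        if (alg  != "AES-XTS") bad = bad " EncryptionAlgorithm=" alg
        if (klen != "256")     bad = bad " KeyLength=" klen
        if (sect != "4096")    bad = bad " Sectorsize=" sect
        if (bad != "") { print geom ":" bad; n++ }
        geom = alg = klen = sect = ""
    }
    /^Geom name:/            { flush(); geom = $3 }
    /^EncryptionAlgorithm:/  { alg = $2 }
    /^KeyLength:/            { klen = $2 }
    # The first Sectorsize after "Geom name" belongs to the .eli provider, the later
    # one to its plaintext consumer, so only the first is recorded.
    /Sectorsize:/ && geom != "" && sect == "" { sect = $2 }
    END { flush(); exit n }'
}

sample_geli_list() {   # two geoms: rootfs0.eli is correct, rootfs1.eli is a constructed fault
    cat <<'EOF'
Geom name: rootfs0.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Providers:
1. Name: rootfs0.eli
   Sectorsize: 4096
Consumers:
1. Name: gpt/rootfs0
   Sectorsize: 512
Geom name: rootfs1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Providers:
1. Name: rootfs1.eli
   Sectorsize: 512
Consumers:
1. Name: gpt/rootfs1
   Sectorsize: 512
EOF
}
```

On a live system run geli list | check_geli_params; with the sample, only rootfs1.eli is reported.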

UFS TO ZFS FILESYSTEM RESTORATION:

# mount -t nfs rsystem:/export/ufsdata /tank/legacyufs

# ls /tank/legacyufs

ufsdump-a

# zfs create tank/newzfs

# cd /tank/newzfs

# restore -rvf /tank/legacyufs/ufsdump-a
