FreeBSD Edition Encryption
Pars Enterprise FreeBSD edition full platform encryption method including Boot system and password on the top with physical token.
|
PART I - UFS METHOD Pars Enterprise FreeBSD edition full encryption with UFS filesystem |
PART II - ZFS METHOD Pars Enterprise FreeBSD full encryption with ZFS filesystem |
|
Default values for the current existing customized operating system: ### loading FreeBSD operating system from live environment # sysctl kern.disks or gpart show ada0/da0 Creating temporary folders to clone the current operating system: # mkdir /mnt/backup Mounting backup volume before cloning: # kldload ext2fs # mount -t ext2fs /dev/dax /mnt/backup Cloning the current customized operating system: # dump -0af /mnt/backup/image.dump /dev/adax Full formatting storage before encryption: # gpart destroy -F ada0 # dd if=/dev/urandom of=/dev/ada0 bs=1m count=1 Performing the partitioning scenario after full formatting: # gpart create -s gpt ada0 # gpart add -t freebsd-swap -l swapfs -s 32g -a 1m ada0 # gpart add -t freebsd-ufs -l rootfs -s 100g -a 1m ada0 # gpart add -t freebsd-ufs -l homefs -a 1m ada0 # gpart destroy -F da0(token) # dd if=/dev/urandom of=/dev/da0 bs=64k count=1 # gpart create -s gpt da0 # gpart add -t freebsd-boot -s 512k -a 4k da0 # gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da0 # gpart set -a active -i 1 da0 # gpart add -t freebsd-ufs -l bootfs -s 1g -a 1m da0 # newfs -O2 -U -j -m6 /dev/gpt/bootfs # gpart set -a bootme -i 2 da0 Generating physical token and adding it to the current encrypted storage: # mkdir /mnt/bootvol # mount /dev/da0s2 /mnt/bootvol # dd if=/dev/urandom of=/mnt/bootvol/PEOST.bin bs=4096 count=1 # mv /mnt/bootvol/PEOST.bin /mnt/bootvol/.PEOST.bin # chmod 000 /mnt/bootvol/.PEOST.bin Starting platform encryption with the following parameters: # kldload geom_eli # geli init -a HMAC/SHA256 -b -B /mnt/bootvol/ada0p2.eli -e AES-XTS -K /mnt/bootvol/.PEOST.bin -l 256 -s 4096 /dev/ada0p2 # dd if=/dev/urandom of=/dev/ada0p2.eli bs=1m count=1 # geli attach -k /mnt/bootvol/.PEOST.bin /dev/ada0p2 # newfs -O2 -U -j -m6 /dev/ada0p2.eli Restoring cloned operating system to created volumes: # mkdir /mnt/rootvol # mount /dev/ada0p2.eli /mnt/rootvol # cd /mnt/rootvol # restore -rf /mnt/backup/image.dump Starting platform encryption with the following parameters: # geli init -a HMAC/SHA256 -b -B /mnt/bootvol/ada0p3.eli -e AES-XTS -K /mnt/bootvol/.PEOST.bin -l 256 -s 4096 /dev/ada0p3 # geli attach -k /mnt/bootvol/.PEOST.bin /dev/ada0p3 # dd if=/dev/urandom of=/dev/ada0p3.eli bs=1m count=1 # newfs -O2 -U -j -m6 /dev/ada0p3.eli Moving the current home folder contents after encryption: # mkdir /mnt/homevol # mount /dev/ada0p5.eli /mnt/homevol # mv /mnt/rootvol/home/* /mnt/homevol or ln -fs /mnt/rootvol/home/(username) /mnt/homevol/(username) Moving the current boot folder contents after encryption: # mkdir /mnt/bootvol # mv /mnt/rootvol/boot/* /mnt/bootvol or ln -fs /mnt/rootvol/boot /mnt/bootvol # chmod -R g-rwx,o-rwx /mnt/rootvol/boot Chrooting the current new created root volume: # swapon /dev/ada0p1 # mount -t procfs proc /mnt/rootvol/proc # mount -t devfs devfs /mnt/rootvol/dev # chroot /mnt/rootvol /bin/csh Editing loader entries with the following contents: # vi /boot/loader.conf # vfs.root.mountfrom="ufs:/dev/ada0p2.eli" # loader_delay="10000" # aesni_load="YES" # geom_eli_load="YES" # geom_eli_passphrase_prompt="YES" # geli_ada0p2_keyfile0_load="YES" # geli_ada0p2_keyfile0_type="ada0p2:geli_keyfile0" # geli_ada0p2_keyfile0_name="/boot/.PEOST.bin" # geli_ada0p3_keyfile0_load="YES" # geli_ada0p3_keyfile0_type="ada0p3:geli_keyfile0" # geli_ada0p3_keyfile0_name="/boot/.PEOST.bin" Editing rc entries with the following contents: # vi /etc/rc.conf # geli_swap_flags="-e AES-XTS -l 256 -s 4096 -d" # label solution: vi /boot/loader.rc # /boot/loader.4th # start # load_geli -n 0 /dev/gpt/rootfs /dev/gpt/bootfs/.PEOST.bin # load_geli -n 0 /dev/gpt/homefs /dev/gpt/bootfs/.PEOST.bin Editing fstab entries with the following contents: # vi /etc/fstab # /dev/ada0p4.eli / ufs rw,noatime 1 1 # /dev/da0s2 /boot ufs rw,noatime 2 2 # /dev/ada0p5.eli /home ufs rw,noatime 2 2 # /dev/ada0p2.eli none swap sw 0 0 Changing user password for the current new restored operating system: # passwd root # passwd (username) Clearing command line interface history and exiting: # history -cw Or # echo > /root/.history && history -c && exit Unmounting filesystems after modifications: # umount /dev/dax /dev/da0s2 /dev/ada0p3 /dev/ada0p4.eli /dev/ada0p5.eli # swapoff /dev/ada0p1 Removing created folders when volumes were unmounted successfully: # rm -rf /mnt/backup /mnt/bootvol /mnt/rootvol /mnt/homevol Closing the new current encrypted storage and rebooting: # geli detach /dev/ada0p4.eli /dev/ada0p5.eli # sync && reboot
BSD Documentation License Copyright © 2016, Pars Enterprise [info@parsenterprise.com] All rights reserved.
Redistribution and use in source (ParsEnterprise.PDF) and ‘compiled’ forms (SGML, HTML, PDF, PostScript, RTF and so forth) with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code (ParsEnterprise.PDF) must retain the above copyright notice, this list of conditions and the following disclaimer as the first lines of this file unmodified.
2. Redistributions in compiled form (converted to PDF, HTML, RTF and other formats) must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this documentation without specific prior written permission.
THIS DOCUMENTATION IS PROVIDED BY MAHDI MONTAZERI AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MAHDI MONTAZERI BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
Default values for the current existing customized operating system: ### loading FreeBSD operating system from live environment # sysctl kern.disks or gpart show ada0/da0 Loading required kernel modules: # kldload opensolaris # kldload zfs Full formatting storage before encryption: # gpart destroy -F dax # dd if=/dev/urandom of=/dev/dax bs=64k Cloning the current customized operating system: # zpool create storage /dev/dax # zfs set mountpoint=/clone storage # zfs snapshot -r zroot@clone # zfs send -Rv zroot@clone | gzip > /storage/rootvol.gz Full formatting storage before encryption: # gpart destroy -F ada0 # dd if=/dev/urandom of=/dev/ada0 bs=64k # gpart destroy -F ada1 # dd if=/dev/urandom of=/dev/ada1 bs=64k Performing the partitioning scenario after full formatting: # gpart create -s gpt ada0 # gpart add -t freebsd-swap0 -l swapfs0 -s 32g -a 1m ada0 # gpart add -t freebsd-zfs -l rootfs0 -a 1m ada0 # gpart create -s gpt ada1 # gpart add -t freebsd-boot -s 512k -a 4k ada1 # gpart add -t freebsd-swap1 -l swapfs1 -s 32g -a 1m ada1 # gpart add -t freebsd-zfs -l rootfs1 -a 1m ada1 # gpart destroy -F da0(key) # dd if=/dev/urandom of=/dev/da0 bs=64k # gpart create -s gpt da0 # gpart add -t freebsd-boot -s 512k -a 4k da0 # gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 da0 # gpart set -a active -i 1 da0 # gpart add -t freebsd-ufs -l bootfs -s 1g -a 1m da0 # newfs -O2 -U -j -m6 /dev/gpt/bootfs Generating physical token and adding it to the current encrypted storage: # mkdir /mnt/bootvol # mount /dev/da0s1 /mnt/bootvol # dd if=/dev/urandom of=/mnt/bootvol/PEOST.bin bs=4096 count=1 # mv /mnt/bootvol/PEOST.bin /mnt/bootvol/.PEOST.bin # chmod 000 /mnt/bootvol/.PEOST.bin Loading required kernel modules: # kldload crypto # kldload geom_mirror # kldload geom_eli Creating swap space filesystem including encryption: # gmirror label -b load -F swapfs /dev/gpt/swapfs0 /dev/gpt/swapfs1 Starting platform encryption with the following parameters: # geli init -a HMAC/SHA256 -b -B /mnt/bootvol/rootfs0.eli -e AES-XTS -K /mnt/bootvol/.PEOST.bin -l 256 -s 4096 /dev/gpt/rootfs0 # dd if=/dev/urandom of=/dev/gpt/rootfs0.eli bs=1m # geli attach -k /mnt/bootvol/.PEOST.bin /dev/gpt/rootfs0 # geli init -a HMAC/SHA256 -b -B /mnt/bootvol/rootfs1.eli -e AES-XTS -K /mnt/bootvol/.PEOST.bin -l 256 -s 4096 /dev/gpt/rootfs1 # dd if=/dev/urandom of=/dev/gpt/rootfs1.eli bs=1m # geli attach -k /mnt/bootvol/.PEOST.bin /dev/gpt/rootfs1 Managing logical volumes before restoration: # zpool create zroot mirror /dev/gpt/rootfs0.eli /dev/gpt/rootfs1.eli # zfs create -o canmount=noauto -o mountpoint=none zroot/ROOT # zfs create -o mountpoint=/ zroot/ROOT/default # zfs set checksum=sha256 zroot # zfs set dedup=on zroot # zfs set compression=gzip zroot # zfs create -o compression=on -o exec=on -o setuid=off -o dedup=on zroot/tmp # zfs create zroot/usr # zfs create zroot/usr/home # cd /boot/zfs/zroot; ln -s /usr/home home # zfs create -o compression=lzjb -o setuid=off -o dedup=on zroot/usr/ports # zfs create zroot/var # zfs create -o compression=lzjb -o exec=off -o setuid=off -o dedup=on zroot/var/log # zfs create -o compression=gzip -o exec=off -o setuid=off -o dedup=on zroot/var/mail # zfs create -o compression=lzjb -o exec=on -o setuid=off -o dedup=on zroot/var/tmp Restoring cloned operating system to created volumes: # zpool import -f storage # zfs set mountpoint=/boot/zfs/clone storage # zfs mount storage # gunzip -c /boot/zfs/clone/rootvol.gz | zfs receive -vdF zroot # zpool export storage # zfs set mountpoint=/boot/zfs/zroot zroot # cd /boot/zfs # zpool export zroot && zpool import zroot # cp /boot/zfs/zpool.cache /boot/zfs/zroot/boot/zfs/zpool.cache # zfs umount -a # zfs set mountpoint=legacy zroot # zpool import -f storage # zfs set mountpoint=/clone storage # chmod -R g-rwx,o-rwx /boot Chrooting the current new created root volume: # swapon /dev/gpt/swapfs # chroot /boot/zfs/zroot /bin/csh Editing loader entries with the following contents: # vi /boot/loader.conf # vfs.root.mountfrom="zfs:zroot/ROOT/default" # loader_delay="10000" # crypto_load="YES" # zfs_load=”YES” # aesni_load="YES" # geom_mirror_load="YES" # geom_eli_load="YES" # geom_eli_passphrase_prompt="YES" # geli_ada0p3_keyfile0_load="YES" # geli_ada0p3_keyfile0_type="ada0p3:geli_keyfile0" # geli_ada0p3_keyfile0_name="/dev/gpt/bootfs/.PEOST.bin" # geli_ada1p3_keyfile0_load="YES" # geli_ada1p3_keyfile0_type="ada1p3:geli_keyfile0" # geli_ada1p3_keyfile0_name="/dev/gpt/bootfs/.PEOST.bin" # zpool_cache_load="YES" # zpool_cache_type="/boot/zfs/zpool.cache" # zpool_cache_name="/boot/zfs/zpool.cache" Editing rc entries with the following contents: # vi /etc/rc.conf # zfs_enable=”YES” # geli_swap_flags="-e AES-XTS -l 256 -s 4096 -d" # label solution: vi /boot/loader.rc # /boot/loader.4th # start # load_geli -n 0 /dev/gpt/rootfs0 /dev/gpt/bootfs/.PEOST.bin # load_geli -n 0 /dev/gpt/rootfs1 /dev/gpt/bootfs/.PEOST.bin Editing fstab entries with the following contents: # vi /etc/fstab # /dev/mirror/swapfs.eli none swap sw 0 0 Changing user password for the current new restored operating system: # passwd root # passwd (username) Clearing command line interface history and exiting: # history -cw Or # echo > /root/.history && history -c && exit Unmounting filesystems after modifications: # umount /dev/dax /dev/da0s1 /dev/ada0p3.eli /dev/ada1p3.eli # swapoff /dev/gpt/swapfs Removing created folders when volumes were unmounted successfully: # rm -rf /mnt/bootvol Closing the new current encrypted storage and rebooting: # geli detach /dev/ada0p3.eli /dev/ada1p3.eli # sync && reboot UFS TO ZFS FILESYSTEM RESTORATION: # mount -F nfs rsystem:/export/ufsdata /tank/legacyufs # ls /tank/legacyufs # ufsdump-a # zfs create tank/newzfs # cd /tank/newzfs # ufsrestore rvf /tank/legacyufs/ufsdump-a |