BLog
ImprintImpressum
PrivacyDatenschutz
DisclaimerHaftung
Downloads 

Encrypted Disk Images on FreeBSD

Those who don’t need the whole disk encrypted, but only a certain number of files/directories, may want to learn about the possibility of creating encrypted disk image files, which would be decrypted directly into a memory disk and once any work has been done, the memory disk would be encrypted directly back to a disk image file. This reduces the risk of leaving traces of decrypted files on the regular disk space. Since the decrypted data needs to be kept in memory, the following method is suitable for data which amounts to let’s say about a few gigabyte - depending on the installed RAM, it may be much more or even less, though. As a proof of the concept, I did the following on the command line. However, it should not be too difficult to put everything into two shell scripts.

0. Preparation

For this demonstration, I encrypted a FreeBSD snapshot image which I happened to have downloaded for a different purpose and which by chance was still in place.

openssl enc -aes-256-ecb -salt -pbkdf2 \
  -in FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.img \
 -out FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.emg

Encrypting the 3GB image from disk to disk took just about 120 seconds. This is a Core-i7 machine equipped with 16 GB of RAM but with a quite slow HD. I expect much better performance with a SSD.

1. Create the memory disk

mdconfig -s 4g -u md0

2. Decrypt and spool the encrypted .emg-image directly to the md0 device

openssl enc -d -aes-256-ecb -pbkdf2 \
  -in FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.emg \
 | dd of=/dev/md0 bs=1m

Verify that the memory disk got the expected layout:

gpart show md0 

=>     63  8388545  md0  MBR  (4.0G)
       63     1008       - free -  (504K)
     1071   102312    1  fat32lba  [active]  (50M)
   103383  6188049    2  freebsd  (3.0G)
  6291432  2097176       - free -  (1.0G)

=>      0  6188049  md0s2  BSD  (3.0G)
        0       41         - free -  (21K)
       41  6187904      1  freebsd-ufs  (3.0G)
  6187945      104         - free -  (52K)

3. Mount the FreeBSD-UFS volume to /mnt

mount -o noatime /dev/md0s2a

ls -l /mnt 

total 88
-rw-r--r--   2 root  wheel      927 Aug  8 04:46 .cshrc
-rw-r--r--   2 root  wheel      567 Aug  8 04:46 .profile
drwxrwxr-x   2 root  operator   512 Aug  8 04:32 .snap
drwxr-xr-x   2 root  wheel     1024 Aug  8 04:36 bin
drwxr-xr-x  11 root  wheel     1024 Aug  8 04:46 boot
-r--r--r--   1 root  wheel     6174 Aug  8 04:45 COPYRIGHT
dr-xr-xr-x   2 root  wheel      512 Aug  8 04:32 dev
drwxr-xr-x  26 root  wheel     2048 Aug  8 04:46 etc
-rw-r--r--   1 root  wheel        0 Aug  8 04:46 firstboot
drwxr-xr-x   3 root  wheel      512 Aug  8 04:46 home
drwxr-xr-x   5 root  wheel     1536 Aug  8 04:37 lib
drwxr-xr-x   3 root  wheel      512 Aug  8 04:35 libexec
drwxr-xr-x   2 root  wheel      512 Aug  8 04:32 media
drwxr-xr-x   2 root  wheel      512 Aug  8 04:32 mnt
drwxr-xr-x   2 root  wheel      512 Aug  8 04:32 net
dr-xr-xr-x   2 root  wheel      512 Aug  8 04:32 proc
drwxr-xr-x   2 root  wheel     2560 Aug  8 04:36 rescue
drwxr-xr-x   2 root  wheel      512 Aug  8 04:46 root
drwxr-xr-x   2 root  wheel     2560 Aug  8 04:42 sbin
drwxrwxrwt   2 root  wheel      512 Aug  8 04:32 tmp
drwxr-xr-x  14 root  wheel      512 Aug  8 04:32 usr
drwxr-xr-x  24 root  wheel      512 Aug  8 04:32 var

4. Just normally work with your data, then unmount the volume

cd; umount /mnt

5. Encrypt the memory disk and spool it into a temporary file

dd if=/dev/md0 bs=1m | openssl enc -aes-256-ecb -salt -pbkdf2 \
 -out FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.tmp 

enter aes-256-ecb encryption password:
Verifying - enter aes-256-ecb encryption password:

6. Verify the diagnostic output of the dd command and the size of the generated file 

4096+0 records in
4096+0 records out
4294967296 bytes transferred in 91.110906 secs (47139991 bytes/sec)

Encrypting and spooling from memory to disk took just about 90 s.

7. Overwrite the old encrypted image by the new one

mv \
 FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.tmp \
 FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.emg

8. Detach (destroy) the memory disk

mdconfig -du md0

In cases of paranoia zero it out before: dd if=/dev/zero of=/dev/md0 bs=1m

Finally

Create two shell scripts decrypt2mem.sh (steps 1. to 3.) and mem2encrypt.sh (4. to 8.) and that’s it. Everything is on board with FreeBSD.

Copyright © Dr. Rolf Jansen - 2019-12-28 10:07:34

Discussion on Twitter: 1210924186954326017