Encrypted Disk Images on FreeBSD
Those who don’t need the whole disk encrypted, but only a certain number of files or directories, may want to look at creating encrypted disk image files: the image is decrypted directly into a memory disk, and once the work is done the memory disk is encrypted directly back into the image file. This reduces the risk of leaving traces of decrypted files on the regular disk. Since the decrypted data has to be held in memory, the method suits data sets of, let’s say, a few gigabytes; depending on the installed RAM it may be much more, or even less. As a proof of concept, I did the following on the command line; putting everything into two shell scripts should not be too difficult.
0. Preparation
For this demonstration, I encrypted a FreeBSD snapshot image which I happened to have downloaded for a different purpose and which by chance was still in place.
openssl enc -aes-256-ecb -salt -pbkdf2 \
    -in FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.img \
    -out FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.emg
Encrypting the 3 GB image from disk to disk took about 120 seconds. This is a Core i7 machine with 16 GB of RAM but a rather slow hard disk; I expect much better performance with an SSD.
1. Create the memory disk
mdconfig -s 4g -u md0
2. Decrypt and spool the encrypted .emg -image directly to the md0 device
openssl enc -d -aes-256-ecb -pbkdf2 \
    -in FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.emg \
    | dd of=/dev/md0 bs=1m
Verify that the memory disk got the expected layout:
gpart show md0
=> 63 8388545 md0 MBR (4.0G)
63 1008 - free - (504K)
1071 102312 1 fat32lba [active] (50M)
103383 6188049 2 freebsd (3.0G)
6291432 2097176 - free - (1.0G)
=> 0 6188049 md0s2 BSD (3.0G)
0 41 - free - (21K)
41 6187904 1 freebsd-ufs (3.0G)
6187945 104 - free - (52K)
3. Mount the FreeBSD-UFS volume to /mnt
mount -o noatime /dev/md0s2a /mnt
ls -l /mnt
total 88
-rw-r--r-- 2 root wheel 927 Aug 8 04:46 .cshrc
-rw-r--r-- 2 root wheel 567 Aug 8 04:46 .profile
drwxrwxr-x 2 root operator 512 Aug 8 04:32 .snap
drwxr-xr-x 2 root wheel 1024 Aug 8 04:36 bin
drwxr-xr-x 11 root wheel 1024 Aug 8 04:46 boot
-r--r--r-- 1 root wheel 6174 Aug 8 04:45 COPYRIGHT
dr-xr-xr-x 2 root wheel 512 Aug 8 04:32 dev
drwxr-xr-x 26 root wheel 2048 Aug 8 04:46 etc
-rw-r--r-- 1 root wheel 0 Aug 8 04:46 firstboot
drwxr-xr-x 3 root wheel 512 Aug 8 04:46 home
drwxr-xr-x 5 root wheel 1536 Aug 8 04:37 lib
drwxr-xr-x 3 root wheel 512 Aug 8 04:35 libexec
drwxr-xr-x 2 root wheel 512 Aug 8 04:32 media
drwxr-xr-x 2 root wheel 512 Aug 8 04:32 mnt
drwxr-xr-x 2 root wheel 512 Aug 8 04:32 net
dr-xr-xr-x 2 root wheel 512 Aug 8 04:32 proc
drwxr-xr-x 2 root wheel 2560 Aug 8 04:36 rescue
drwxr-xr-x 2 root wheel 512 Aug 8 04:46 root
drwxr-xr-x 2 root wheel 2560 Aug 8 04:42 sbin
drwxrwxrwt 2 root wheel 512 Aug 8 04:32 tmp
drwxr-xr-x 14 root wheel 512 Aug 8 04:32 usr
drwxr-xr-x 24 root wheel 512 Aug 8 04:32 var
4. Just normally work with your data, then unmount the volume
cd; umount /mnt
5. Encrypt the memory disk and spool it into a temporary file
dd if=/dev/md0 bs=1m | openssl enc -aes-256-ecb -salt -pbkdf2 \
    -out FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.tmp
enter aes-256-ecb encryption password:
Verifying - enter aes-256-ecb encryption password:
6. Verify the diagnostic output of the dd command and the size of the generated file
4096+0 records in
4096+0 records out
4294967296 bytes transferred in 91.110906 secs (47139991 bytes/sec)
Encrypting and spooling from memory to disk took just about 90 s.
7. Overwrite the old encrypted image by the new one
mv FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.tmp \
   FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.emg
8. Detach (destroy) the memory disk
mdconfig -du md0
In cases of paranoia, zero out the memory disk before detaching it: dd if=/dev/zero of=/dev/md0 bs=1m
Finally
Create two shell scripts decrypt2mem.sh (steps 1. to 3.) and mem2encrypt.sh (4. to 8.) and that’s it. Everything is on board with FreeBSD.
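The two scripts, written here as an added example and not the author's own: decrypt2mem covers steps 1 to 3, mem2encrypt steps 4 to 8, and mem2encrypt only replaces the old .emg once the new file has exactly the size a 4g memory disk implies (step 6), so a failed dd/openssl pipeline cannot destroy the last good image. It assumes md0, the md0s2a layout and /mnt from the walkthrough, and takes the cipher from a variable: ECB, the mode used above, turns equal 16-byte plaintext blocks into equal ciphertext blocks and so leaves the structure of a mostly empty image visible, and -aes-256-cbc is my substitution for newly created images, not something the page uses.

```shell
#!/bin/sh
# decrypt2mem / mem2encrypt as two functions of one script (added example, not
# the author's scripts). Assumes: md unit 0 of 4g, UFS in slice 2 partition a,
# mount point /mnt, image passed as "$2" with an .emg suffix.
set -u

MD_UNIT="${MD_UNIT:-0}"
MD_SIZE_BYTES=$((4 * 1024 * 1024 * 1024))       # what "mdconfig -s 4g" allocates
# ECB (the page's mode) maps equal plaintext blocks to equal ciphertext blocks;
# set CIPHER=-aes-256-cbc when creating a new image to avoid that.
CIPHER="${CIPHER:--aes-256-ecb}"

# Size "openssl enc -salt" produces for a plaintext of $1 bytes: a 16-byte
# "Salted__"+salt header, then PKCS#7 padding up to the next full 16-byte block.
expected_encrypted_size() {
    pt=$1
    echo $(( pt + 16 + (16 - pt % 16) ))
}

# Step 6 as a check: the new .tmp must have exactly the size the memory disk
# implies, otherwise a truncated run would silently replace the good image in step 7.
verify_encrypted_size() {
    have=$(wc -c < "$1" | tr -d ' ')
    [ "$have" -eq "$(expected_encrypted_size "$2")" ]
}

decrypt2mem() {                                  # steps 1 to 3
    img=$1
    mdconfig -s 4g -u "md${MD_UNIT}" || return 1
    openssl enc -d "$CIPHER" -pbkdf2 -in "$img" | dd of="/dev/md${MD_UNIT}" bs=1m || return 1
    mount -o noatime "/dev/md${MD_UNIT}s2a" /mnt   # fails if the password was wrong
}

mem2encrypt() {                                  # steps 4 to 8
    img=$1; tmp="${img%.emg}.tmp"
    umount /mnt || return 1
    dd if="/dev/md${MD_UNIT}" bs=1m | openssl enc "$CIPHER" -salt -pbkdf2 -out "$tmp" || return 1
    if ! verify_encrypted_size "$tmp" "$MD_SIZE_BYTES"; then
        echo "size mismatch: keeping $img, leaving $tmp and md${MD_UNIT} for inspection" >&2
        return 1
    fi
    mv "$tmp" "$img" || return 1
    dd if=/dev/zero of="/dev/md${MD_UNIT}" bs=1m 2>/dev/null   # scrub before detaching
    mdconfig -d -u "md${MD_UNIT}"
}

case "${1:-}" in
    decrypt2mem|mem2encrypt) "$1" "${2:?usage: $0 decrypt2mem|mem2encrypt image.emg}" ;;
esac
```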
Copyright © Dr. Rolf Jansen - 2019-12-28 10:07:34
Discussion on Twitter: 1210924186954326017