Date:      Mon, 23 Jan 2006 00:55:56 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Norberto Meijome <freebsd@meijome.net>
Cc:        Freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: Encrypted volume - how?
Message-ID:  <20060122225556.GA44171@flame.pc>
In-Reply-To: <43D409B8.6070704@meijome.net>
References:  <43D409B8.6070704@meijome.net>

On 2006-01-23 09:39, Norberto Meijome <freebsd@meijome.net> wrote:
> Hi all,
> I'm looking for a way to recreate the functionality of PGP Disk (under
> Win32). Basically, create an encrypted file, which contains a
> filesystem which can then be mounted in any mount point.
>
> I know I can use GELI in FreeBSD 6 - as I understand, it performs the
> encryption at the partition level (the whole partition is encrypted).
> I'd like to be able to simply unmount my 'secure volume', and be able
> to back it up as a whole, or move it to another computer without
> having to repartition the destination. I think GELI wouldn't be good
> for this.

If the destination computer runs FreeBSD too, you shouldn't need to
repartition at all.

> I think I've read somewhere that you could use openssl to generate an
> encrypted volume and then mount it. I searched for a while and can't
> find any reference to this. Does anyone know how to do this with
> openssl, OR any other tool ?

A simple way to do this is to create a file, mount it, then encrypt it
with openssl after it's unmounted and remove the unencrypted file.

    # truncate -s 30m /tmp/file                 # sparse 30 MB backing file
    # mdconfig -a -t vnode -f /tmp/file -u 10   # expose it as /dev/md10
    # newfs_msdos /dev/md10                     # one FAT filesystem, no partition table
    # mount -t msdosfs /dev/md10 /mnt           # the mount point was missing

    ...

    # umount /dev/md10
    # mdconfig -d -u 10                         # detach before encrypting the backing file
    # openssl enc -bf < /tmp/file > /tmp/file.encrypted
    enter bf-cbc encryption password:********
    Verifying - enter bf-cbc encryption password:********
    # rm -f /tmp/file

This has the advantage that, if you use a file as a `block device' that
holds a single FAT filesystem, without any partitions at all, you can
then use it in other operating systems too, i.e. in Solaris you could
use openssl to decrypt the encrypted file, use lofiadm(1M) to create a
/dev/lofi/XXX device and mount it as a FAT filesystem too.

This is not as safe as using GELI or GBDE though.
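One reason the openssl recipe is weaker than GELI is that `openssl enc` gives confidentiality only: nothing detects a corrupted or tampered image before it is decrypted and mounted. The script below, an added example rather than anything from this thread, wraps the posted procedure and stores a passphrase-keyed HMAC beside the encrypted image, refusing to decrypt when it does not verify. It assumes an OpenSSL 1.1.1+ `openssl` binary (for `-pbkdf2`), uses AES instead of the post's Blowfish, and leaves the FreeBSD mdconfig/mount steps to the caller; the file paths and the `.hmac` suffix are this example's own choices.

```python
import hashlib
import hmac
import os
import subprocess

TAG_SUFFIX = ".hmac"   # tag file written beside the encrypted image (assumed naming)
SALT_LEN = 16

def derive_mac_key(passphrase: bytes, salt: bytes) -> bytes:
    # Separate PBKDF2 derivation for the MAC key, so the tag key is never the cipher key.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=32)

def make_tag(ciphertext: bytes, passphrase: bytes, salt: bytes = b"") -> bytes:
    # Tag layout: 16-byte salt || HMAC-SHA256 over the whole ciphertext (encrypt-then-MAC).
    salt = salt or os.urandom(SALT_LEN)
    return salt + hmac.new(derive_mac_key(passphrase, salt), ciphertext, "sha256").digest()

def verify_tag(ciphertext: bytes, passphrase: bytes, tag: bytes) -> bool:
    if len(tag) != SALT_LEN + 32:
        return False
    salt, mac = tag[:SALT_LEN], tag[SALT_LEN:]
    expected = hmac.new(derive_mac_key(passphrase, salt), ciphertext, "sha256").digest()
    return hmac.compare_digest(expected, mac)   # constant-time comparison

def seal_volume(image_path: str, passphrase: bytes) -> str:
    """Encrypt the *unmounted, detached* backing file, tag the ciphertext, drop the plaintext."""
    enc_path = image_path + ".encrypted"
    subprocess.run(["openssl", "enc", "-aes-256-cbc", "-pbkdf2", "-salt",
                    "-in", image_path, "-out", enc_path, "-pass", "stdin"],
                   input=passphrase + b"\n", check=True)
    with open(enc_path, "rb") as f:
        ciphertext = f.read()
    with open(enc_path + TAG_SUFFIX, "wb") as f:
        f.write(make_tag(ciphertext, passphrase))
    os.remove(image_path)   # as in the posted recipe: the plaintext image must not linger
    return enc_path

def open_volume(enc_path: str, passphrase: bytes) -> str:
    """Verify the tag first; only then decrypt, so a modified image is never mdconfig'd/mounted."""
    with open(enc_path, "rb") as f:
        ciphertext = f.read()
    with open(enc_path + TAG_SUFFIX, "rb") as f:
        tag = f.read()
    if not verify_tag(ciphertext, passphrase, tag):
        raise ValueError("tag mismatch: encrypted image was modified or passphrase is wrong")
    image_path = enc_path[: -len(".encrypted")]
    subprocess.run(["openssl", "enc", "-d", "-aes-256-cbc", "-pbkdf2",
                    "-in", enc_path, "-out", image_path, "-pass", "stdin"],
                   input=passphrase + b"\n", check=True)
    return image_path   # now: mdconfig -a -t vnode -f <image_path> -u 10; mount -t msdosfs /dev/md10 /mnt
```

Without the tag, a flipped byte in the encrypted file only shows up as a silently broken FAT filesystem after mounting; with it, `open_volume` stops before any decryption or mdconfig step.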
