# Encrypted container file for "backup" - open with FreeBSD, Linux & others (GELI, LUKS)



## maxmoon (Aug 8, 2019)

For my "backups" I use an encrypted container file, which is password protected. First I used TrueCrypt, and I could open it in Windows and Linux. But after years of not using Windows anymore, and after TrueCrypt's website was down and the software wasn't maintained anymore, I switched to LUKS.

I am very unlucky, because with FreeBSD I can't open the LUKS containers and don't know any other way. I tried vm-bhyve but I am not able to boot any Linux distribution. :/

Is there a way to have a password-encrypted container which can be opened by Linux and FreeBSD and maybe other operating systems?

For me it is important to be able to open it, throw something inside and close it again, or to navigate through the container (e.g. previews of pictures) and open just one file. So a 7zip archive or similar systems wouldn't work for me.

Or are there better ways to manage private data as "backups"? They are not really backups, because after I get new private pictures or videos, I just throw them into the container and make a copy of the container. So even incremental backups of pictures and videos wouldn't be good, because the destination is always deleted after it was copied to the target.

How do you manage your private data (pictures, videos, etc.)?


----------



## NapoleonWils0n (Aug 8, 2019)

Hi Mate

I use LUKS on Linux to create an encrypted container which, as you found, won't work on FreeBSD.
But you can create an encrypted container on FreeBSD using GELI.

I have written a guide on how to create an encrypted container on FreeBSD with GELI,
using dd to create the file, ZFS as the container filesystem and mdconfig to mount the container.
For added security I also use a keyfile as well as a password, and the keyfile can be stored on an external USB drive as well.

I have also written a shell script called ossuary which mounts and unmounts the encrypted container

It prompts you for the container, the keyfile and the password and then mounts and unmounts the container for you

Here's the link to the how-to guide: freebsd geli encrypted container

And here's the ossuary shell script

I create a git repo inside the container and then push the git repo to a local ssh server,
then on Linux I have another version of the ossuary script which uses LUKS to create the encrypted container.

So on Linux I just mount the encrypted LUKS container and push or pull the changes in the git repo.
That way I have encrypted containers on FreeBSD and Linux kept in sync with git.

You could also mount both containers on Freebsd and Linux and use something like syncthing to sync the directories inside the encrypted containers

Here's the Linux version of the ossuary script, which works a bit differently from the FreeBSD version;
you will need to alter the Linux script variables for the lukscontainer and mountpoint, which have hardcoded paths.

Hope that helps
I have been using these scripts for a couple of years now on FreeBSD and Linux;
on Mac OS X I just create an encrypted dmg file with a git repo inside it.

Let me know if you get stuck or have any questions
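As an added example (this is not NapoleonWils0n's ossuary script), here is the same container lifecycle with the stock tools on both sides: GELI over a vnode-backed md(4) device on FreeBSD, LUKS2 via cryptsetup on Linux, the same image file and keyfile, mounted at the same path, so a git working copy or a syncthing folder inside it looks identical on both systems. The image and keyfile paths, the size, md unit 9, UFS/ext4 instead of ZFS as the inner filesystem and the DRYRUN switch are assumptions. The container formats are still not interchangeable (a GELI image is unreadable on Linux and a LUKS image on FreeBSD); what is shared is the script and the directory contents. One difference to be aware of: GELI requires both the keyfile and the passphrase at attach time, while a LUKS key slot holds one secret, so the keyfile alone unlocks the Linux container unless you add a passphrase slot.

```shell
#!/bin/sh
# Added example, not the ossuary script from the post: create/attach/detach a
# keyfile-protected container using GELI on FreeBSD and LUKS2 on Linux.
# Paths, size, md unit and DRYRUN are assumptions; adjust before use.
set -eu

DRYRUN=${DRYRUN:-}      # DRYRUN=1 prints each command instead of running it
OS=${OS:-$(uname -s)}   # FreeBSD or Linux; overridable for testing
MDUNIT=${MDUNIT:-9}     # FreeBSD: md(4) unit backing the image file

# Run a command, or print it verbatim in dry-run mode (review as root first).
run() { if [ -n "$DRYRUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# container_create IMAGE KEYFILE SIZE : new sparse image, fresh 512-bit keyfile,
# encrypted block device and an empty filesystem inside it.
container_create() {
    file=$1 key=$2 size=$3
    run truncate -s "$size" "$file"                 # sparse; grows as data is written
    run dd if=/dev/random of="$key" bs=64 count=1   # keyfile; keep it on the USB stick
    run chmod 600 "$key"
    case $OS in
    FreeBSD)
        run mdconfig -a -t vnode -f "$file" -u "$MDUNIT"
        # -K keyfile plus the passphrase geli prompts for: both are needed to attach
        run geli init -e AES-XTS -l 256 -s 4096 -K "$key" "/dev/md$MDUNIT"
        run geli attach -k "$key" "/dev/md$MDUNIT"
        run newfs -U "/dev/md$MDUNIT.eli"
        run geli detach "/dev/md$MDUNIT.eli"
        run mdconfig -d -u "$MDUNIT"
        ;;
    Linux)
        name=$(basename "$file" .img)
        # one secret per LUKS key slot; add a passphrase slot with luksAddKey if wanted
        run cryptsetup -q luksFormat --type luks2 --key-file "$key" "$file"
        run cryptsetup open --key-file "$key" "$file" "$name"
        run mkfs.ext4 -q "/dev/mapper/$name"
        run cryptsetup close "$name"
        ;;
    *) echo "unsupported OS: $OS" >&2; return 1 ;;
    esac
}

# container_attach IMAGE KEYFILE MOUNTPOINT : unlock and mount.
container_attach() {
    file=$1 key=$2 mnt=$3
    run mkdir -p "$mnt"
    case $OS in
    FreeBSD)
        run mdconfig -a -t vnode -f "$file" -u "$MDUNIT"
        run geli attach -k "$key" "/dev/md$MDUNIT"
        run mount -o noatime "/dev/md$MDUNIT.eli" "$mnt"
        ;;
    Linux)
        name=$(basename "$file" .img)
        run cryptsetup open --key-file "$key" "$file" "$name"
        run mount -o noatime "/dev/mapper/$name" "$mnt"
        ;;
    *) echo "unsupported OS: $OS" >&2; return 1 ;;
    esac
}

# container_detach IMAGE MOUNTPOINT : unmount and lock again (keys leave the kernel).
container_detach() {
    file=$1 mnt=$2
    run umount "$mnt"
    case $OS in
    FreeBSD)
        run geli detach "/dev/md$MDUNIT.eli"
        run mdconfig -d -u "$MDUNIT"
        ;;
    Linux)
        run cryptsetup close "$(basename "$file" .img)"
        ;;
    *) echo "unsupported OS: $OS" >&2; return 1 ;;
    esac
}
```

Source the file and call the functions, e.g. `container_create /vault/backup.img /media/usb/backup.key 20g`, then `container_attach /vault/backup.img /media/usb/backup.key /mnt/vault` and `container_detach /vault/backup.img /mnt/vault`; with `DRYRUN=1` the exact command sequence is printed for review before running it as root. Keep a copy of the GELI metadata (`geli backup`) and of the LUKS header (`cryptsetup luksHeaderBackup`) with the keyfile, since either one being damaged makes the image unrecoverable regardless of the passphrase.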


----------



## Alexander Huemeyer (Aug 8, 2019)

Use Veracrypt, the successor of TrueCrypt. It works on Linux, FreeBSD and Windows.


----------



## NapoleonWils0n (Aug 8, 2019)

I used to use TrueCrypt years ago.

These days I use the tools that come with the OS, like GELI on FreeBSD or LUKS on Linux,
and just write my own scripts.

The advantage of using the built-in OS encryption tools is you don't get into a TrueCrypt-type situation,
where the project is no longer maintained.


----------



## maxmoon (Aug 9, 2019)

NapoleonWils0n said:


> ...
> I create a git repo inside the container and then push the git repo to a local ssh server,
> then on Linux I have another version of the ossuary script which uses LUKS to create the encrypted container.
> 
> ...



I am a bit confused.

Am I getting it right that you have a container for your Linux system and another container for your FreeBSD system (on a USB stick or on your systems) and then sync them with git? But where exactly is the git server, and is the server also encrypted? Wouldn't it be enough for a backup just to use git (only if the operating systems and the server are encrypted, too)?

How do you handle files that don't need version control or files that don't have to be synced?

Every time I manage new pictures I made, I throw them into my container after sorting and don't keep a local copy/version of the pictures. I just make a copy of the container and keep it on a USB stick.



Alexander Huemeyer said:


> Use Veracrypt, the successor of TrueCrypt. It works on Linux, FreeBSD and Windows.



Since I've read about the infiltration of TrueCrypt by an agency, I stopped using it. And I've read that VeraCrypt is developed in France. It might be much better if it's from Europe, but is VeraCrypt really safe?
Is VeraCrypt the only open source software which provides encrypted containers using passwords and/or keyfiles and is usable on several operating systems?


----------



## NapoleonWils0n (Aug 9, 2019)

Hi Mate

I keep sensitive data in a git working copy inside encrypted containers:
FreeBSD - GELI
Linux - LUKS
Mac - encrypted dmg file

The git repo is hosted on a Mac on the local network, which is accessed with ssh using ssh keys.

For all other files I use syncthing to sync files between FreeBSD, Linux and Mac.
I also use rsync to back up my FreeBSD and Linux home directories over ssh to the Mac.

And of course ZFS snapshots on an external USB drive.


----------



## Alexander Huemeyer (Aug 10, 2019)

maxmoon said:


> Since I've read about the infiltration of TrueCrypt by an agency, I stopped using it. And I've read that VeraCrypt is developed in France. It might be much better if it's from Europe, but is VeraCrypt really safe?
> Is VeraCrypt the only open source software which provides encrypted containers using passwords and/or keyfiles and is usable on several operating systems?



Where did you hear that about TC? I think it's BS.
Both VeraCrypt and TC are open source, and both have been audited by external security companies.


----------



## obsigna (Aug 11, 2019)

How big are the containers?

How about working with encrypted disk images and decrypting them directly into a memory disk, and once done, moving the memory disk back into an encrypted disk image? As a proof of concept, I did the following on the command line; however, it should not be too difficult to put this into a shell script.

For the preparation I encrypted a FreeBSD snapshot image which I happened to have downloaded today for a different purpose and which by chance was still on the disk.

*0. Preparation*
`openssl enc -aes-256-ecb -salt -pbkdf2 -in FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.img -out FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.emg`

Encrypting the 3GB image from disk to disk took just about 120 seconds. This is a Core-i7 machine equipped with a quite slow HD. I expect much better performance with a SSD.

*1. Create the memory disk*
`mdconfig -s 4g -u md0`

*2. Decrypt and spool the image directly to the md0 device*
`openssl enc -d -aes-256-ecb -pbkdf2 -in FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.emg | dd of=/dev/md0 bs=1m`

`gpart show md0`

```
=>     63  8388545  md0  MBR  (4.0G)
       63     1008       - free -  (504K)
     1071   102312    1  fat32lba  [active]  (50M)
   103383  6188049    2  freebsd  (3.0G)
  6291432  2097176       - free -  (1.0G)

=>      0  6188049  md0s2  BSD  (3.0G)
        0       41         - free -  (21K)
       41  6187904      1  freebsd-ufs  (3.0G)
  6187945      104         - free -  (52K)
```

*3. Mount the FreeBSD-UFS volume to /mnt*
`mount -o noatime /dev/md0s2a /mnt`
`ls -l /mnt`

```
total 88
-rw-r--r--   2 root  wheel      927 Aug  8 04:46 .cshrc
-rw-r--r--   2 root  wheel      567 Aug  8 04:46 .profile
drwxrwxr-x   2 root  operator   512 Aug  8 04:32 .snap
drwxr-xr-x   2 root  wheel     1024 Aug  8 04:36 bin
drwxr-xr-x  11 root  wheel     1024 Aug  8 04:46 boot
-r--r--r--   1 root  wheel     6174 Aug  8 04:45 COPYRIGHT
dr-xr-xr-x   2 root  wheel      512 Aug  8 04:32 dev
drwxr-xr-x  26 root  wheel     2048 Aug  8 04:46 etc
-rw-r--r--   1 root  wheel        0 Aug  8 04:46 firstboot
drwxr-xr-x   3 root  wheel      512 Aug  8 04:46 home
drwxr-xr-x   5 root  wheel     1536 Aug  8 04:37 lib
drwxr-xr-x   3 root  wheel      512 Aug  8 04:35 libexec
drwxr-xr-x   2 root  wheel      512 Aug  8 04:32 media
drwxr-xr-x   2 root  wheel      512 Aug  8 04:32 mnt
drwxr-xr-x   2 root  wheel      512 Aug  8 04:32 net
dr-xr-xr-x   2 root  wheel      512 Aug  8 04:32 proc
drwxr-xr-x   2 root  wheel     2560 Aug  8 04:36 rescue
drwxr-xr-x   2 root  wheel      512 Aug  8 04:46 root
drwxr-xr-x   2 root  wheel     2560 Aug  8 04:42 sbin
drwxrwxrwt   2 root  wheel      512 Aug  8 04:32 tmp
drwxr-xr-x  14 root  wheel      512 Aug  8 04:32 usr
drwxr-xr-x  24 root  wheel      512 Aug  8 04:32 var
```

*4. Just normally work with your data, then un-mount the volume*
`cd; umount /mnt`

*5. Encrypt the memory disk and spool it into a temporary file*
`dd if=/dev/md0 bs=1m | openssl enc -aes-256-ecb -salt -pbkdf2 -out FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.tmp`
This took just about 90 s.

*6. Verify the diagnostic output of the dd command and the size of the generated file*

```
enter aes-256-ecb encryption password:
Verifying - enter aes-256-ecb encryption password:
4096+0 records in
4096+0 records out
4294967296 bytes transferred in 91.110906 secs (47139991 bytes/sec)
```

*7. Overwrite the old encrypted image by the new one*
`mv FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.tmp FreeBSD-13.0-CURRENT-arm-armv7-BEAGLEBONE-20190808-r350702.emg`

*8. Detach (destroy) the memory disk*
`mdconfig -du md0`
In cases of paranoia zero it out before: `dd if=/dev/zero of=/dev/md0 bs=1m`

Create two shell scripts decrypt2mem.sh and mem2encrypt.sh and that's it. Everything is on board with FreeBSD.
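The openssl pipeline above uses AES in ECB mode, which encrypts every 16-byte block independently: identical plaintext blocks (runs of zeros in free space, repeated file headers, duplicate pictures) give identical ciphertext blocks, so the structure of the disk image shows through the encryption. The script below is an added example, not obsigna's decrypt2mem.sh or mem2encrypt.sh: it keeps the same decrypt-to-md / re-encrypt-on-close flow but uses CBC, a higher PBKDF2 iteration count than openssl's default of 10000, replaces the .emg file only after the new one was written completely, and includes a check that counts repeated ciphertext blocks so the ECB problem can be seen on a test image. The IMG_PASS variable, the md unit argument and the iteration count are assumptions. Two caveats a practitioner should know: `openssl enc` adds no integrity check, so a corrupted or tampered .emg decrypts silently to garbage and dd writes it to the memory disk regardless; and the "thief who knows this thread" question has a plain answer, since the procedure is not a secret and the image is only as strong as the passphrase and the KDF cost. geli(8) on a vnode-backed md device (attached with AES-XTS and, optionally, authenticated with `-a`) avoids re-encrypting the whole image on every close.

```shell
#!/bin/sh
# Added example: openssl-based helpers for the "decrypt to memory disk, re-encrypt
# on close" scheme with CBC instead of ECB. Not obsigna's scripts; IMG_PASS, the
# md unit argument and KDF_ITER are assumptions.
set -eu

KDF_ITER=${KDF_ITER:-600000}   # PBKDF2 rounds; openssl's default of 10000 is low

# Read the passphrase once, without echo, unless the caller already exported IMG_PASS.
ask_pass() {
    if [ -z "${IMG_PASS:-}" ]; then
        printf 'Passphrase: ' >&2
        stty -echo; read -r IMG_PASS; stty echo; printf '\n' >&2
        export IMG_PASS
    fi
}

# enc_stream MODE : plaintext on stdin -> ciphertext on stdout. MODE is cbc (use this)
# or ecb (only here so the repeated-block check can show why not).
enc_stream() {
    ask_pass
    openssl enc "-aes-256-$1" -salt -pbkdf2 -iter "$KDF_ITER" -pass env:IMG_PASS
}

# dec_stream MODE : ciphertext on stdin -> plaintext on stdout.
dec_stream() {
    ask_pass
    openssl enc -d "-aes-256-$1" -pbkdf2 -iter "$KDF_ITER" -pass env:IMG_PASS
}

# repeated_blocks FILE : number of 16-byte ciphertext blocks equal to an earlier one.
# Identical plaintext blocks under ECB give identical ciphertext blocks; CBC gives 0.
repeated_blocks() {
    od -An -v -tx1 "$1" | tr -d ' \n' | fold -w32 | sort | uniq -c \
        | awk '$1 > 1 { n += $1 - 1 } END { print n + 0 }'
}

# decrypt2mem IMAGE.emg UNIT : spool the decrypted image into /dev/mdUNIT.
# FreeBSD only: attach the disk first with `mdconfig -s 4g -u mdUNIT`; bs=1m is
# FreeBSD dd syntax (GNU dd wants 1M).
decrypt2mem() {
    dec_stream cbc < "$1" | dd of="/dev/md$2" bs=1m
}

# mem2encrypt UNIT IMAGE.emg : re-encrypt /dev/mdUNIT into a temporary file and
# replace the old image only once the whole write succeeded.
mem2encrypt() {
    dd if="/dev/md$1" bs=1m | enc_stream cbc > "$2.tmp" && mv "$2.tmp" "$2"
}
```

On a 64 KiB image of zeros, `repeated_blocks` reports 4095 repeated blocks for the ECB file (every data block encrypts to the same value) and 0 for the CBC file; running it on the existing .emg file is a quick way to see how much of a real image leaks. Typical use on FreeBSD after `mdconfig -s 4g -u md0` is `decrypt2mem backup.emg 0`, mount `/dev/md0s2a`, work, unmount, then `mem2encrypt 0 backup.emg` and `mdconfig -du md0`; with a dead battery in between you lose only the changes made since the last mem2encrypt, because the old .emg is not touched until the new one is complete.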


----------



## maxmoon (Aug 11, 2019)

Alexander Huemeyer said:


> Where did you hear that about TC? I think it's BS.
> Both VeraCrypt and TC are open source, and both have been audited by external security companies.



The day TrueCrypt's website went offline many years ago, I read in a forum that they didn't want to work on it anymore, because authorities were forcing them to put backdoors in it. It can be true, but it can be BS as well.



obsigna said:


> Create two shell scripts decrypt2mem.sh and mem2encrypt.sh and that's it. Everything is on board with FreeBSD.


That's a really interesting way to do backups, and thanks for the excursion into using memory disks. This might be very useful in some cases.
But creating a new encrypted file every time I want to access a file or back up files is a little bit overpowered imho. It should be a bit more energy efficient, and waiting minutes to access the backups sounds annoying.
Wouldn't it be inconsistent if I move my data temporarily to memory? What happens if my battery runs out before encrypting the mem to an img file?
My current backup is about 50GB, so creating a memdrive isn't possible anymore.
Which file system would you recommend if the backups contain large files, like pictures and videos?
And what about security? Isn't any thief who gets the emg file and knows the instructions in this thread able to decrypt my data?

Thanks a lot for your help.


----------



## Alexander Huemeyer (Aug 11, 2019)

maxmoon said:


> The day TrueCrypt's website went offline many years ago, I read in a forum that they didn't want to work on it anymore, because authorities were forcing them to put backdoors in it. It can be true, but it can be BS as well.



Perhaps it's true, but if so, the authorities weren't able to infiltrate TC.


----------



## Yampress (Aug 11, 2019)

Make an archive file from the data directory and encrypt this file with PGP.


----------

