# Encrypting Disk Partitions using ZFS without....



## harika1258 (Jun 30, 2018)

I have an appliance that it is running FreeBSD. if someone has physical access to appliance who can move the appliance 's hard drive to another system (computer with Windows os) to view and does everything. I want to protect OS  in this case.
My hardware has  two partitions (root partition in clear, secure partition encrypted).
I want the decryption key is stored in USB memory stick as a token, instead avoid entering passphrase in booting every time.
After booting user plug USB memory stick that contains the key and OS  read the key and unlock the secure partition.
Any help?


----------



## ShelLuser (Jun 30, 2018)

Sounds pretty trivial, a simple shell script should be able to handle this.

The USB mass storage device will have a specific name, /dev/da0 on my server. So make a script which checks for that device to be present, mounts it somewhere and then checks for a keyfile. After that you can use geli to attach the encrypted partition while pointing to said keyfile (see geli(8)) and once that has succeeded you can perform the actual mounting of the partition.

Now, this is but a theory on my part so far but it might even be possible to use an attach event (see /etc/devd.conf) so that the machine would automatically mount the encrypted partition as soon as the USB key is inserted.

But in its easiest form I would imagine a simple shellscript which people have to run after having inserted the USB stick.


----------



## ralphbsz (Jun 30, 2018)

Agree with ShelLuser: a simple shell script.  It would go along these lines:

Check whether the encrypted ZFS partition is present; if not give up with an error: "if [ \! -c /dev/xxx ] ..."
Check whether it has been decrypted already, if yes give up (all done).
Check whether the USB memory stick is present, similar logic.  If a memory stick is present, mount it.
For good measure: authenticate that it is the correct memory stick.  You could for example deposit a file with certain content on the USB stick that contains the decryption key, and look for that file.
Decrypt the big file system, unmount the memory stick, give a message.
And while doing it, check for things going wrong.
But there are lots of implementation difficulties.  When do you perform this script:  At boot time? The USB stick might not be present yet.  In a loop?  Then it might waste a lot of CPU (if you run it often, say every second), or be slow to react and require patience (if you run it every 15 minutes).  When the USB stick is inserted?  That requires interfacing with /etc/devd.conf, which is complicated.  One also has to think about when devd is started: what if the user inserts the USB stick too early in the boot process (when devd isn't up yet), but then after devd starts, the stick is already attached so no new attach event is generated?

What is the user interface?  How will the user know that they succeeded?  If this is done in the background by root, without the user logging in and running a command, then how does one give feedback to the user?  Where do error messages go?  One option would be to build a little hardware device, for example connected to a parallel or serial port, which could blink a green LED if the decrypting works, and blink a red LED if it doesn't (then the user would have to log in and retrieve the error message to diagnose).  Or get a small LCD display that's USB or serial or network connected, and give message on it.  Of if the system console is nearby, display messages on the console (which has problems of its own, the console is typically under control of getty, which is waiting for users to log in, and one can't just write messages to it.

But here is a much bigger question: What is the security gain of this?  This is a good system if the user carries the USB stick with them, separately from the server, and protects it well.  If they leave it plugged in at all times, then this doesn't gain any security at all, because an attacker that can physically grab the disks could also grab the USB stick.  And the USB memory stick is not inherently secure at all: If an attacker gets it for just a few minutes, they can copy they key file from it, and return it (perhaps without the owner even noticing), and then the system is vulnerable.

By the way, many of the same problems apply to using a USB-connected authentication token that is left permanently connected.  In the other thread, I posted a link to instructions for how to do this with a YubiKey, but again, it requires scripting support, and it can be left plugged in (at which point it just verifies that any human is present, not the correct human).  At least OTP tokens are internally secure, unlike a file on a USB stick.

Personally, I would go with the user having to enter a password (pass phrase, key, something they need to type).  Less work, and more secure.  The scripting required for it is probably easier than getting a production-ready version of the USB stick version to work.

Another solution is to buy a USB-connected fingerprint reader.  Then you know that the human who is at the server is actually the correct human, not an attacker that managed to get hold of the USB stick or make a copy of it.  But I have no idea how to interface to those things; and the question of how to store the geli key is not easy to think through.


----------



## harika1258 (Jul 1, 2018)

ShelLuser said:


> Sounds pretty trivial, a simple shell script should be able to handle this.
> 
> The USB mass storage device will have a specific name, /dev/da0 on my server. So make a script which checks for that device to be present, mounts it somewhere and then checks for a keyfile. After that you can use geli to attach the encrypted partition while pointing to said keyfile (see geli(8)) and once that has succeeded you can perform the actual mounting of the partition.
> 
> ...


Thank you so much....

I knew this walk through, I want to know all of instructions I need.  I was wondering, If you write to me step by step all of commands for implementing these:

1. Checking USB stick is present
2.Mount it and then check for keyfile and passfile
3.attaching encrypted partition

Thanks in advance....


----------



## harika1258 (Aug 27, 2018)

*Dear Ralphbsz and ShelLuser .....
Hi...*
I have a problem with installing freebsd manually by fully ZFS Encryption without passphrase on booting. I mean, I want to use key instead of a passphrase. Thanks in advance if you take a look at these commands and write me where do I have wrong instructions?
0.gpart create -s gpt ada0
1. gpart add -l swap0 -t freebsd-swap -a 1m -s 4G ada0
2.gpart add -t freebsd-boot -s 128k -l boot ada0
3.gpart add -t freebsd-zfs -l system ada0
4.mkdir -p /tmp/boot/key
5.dd if=/dev/random of=/tmp/boot/key/unbroken.key bs=1024 count=512
6.geli init -e aes -l 256 -s 4096 -P -K /tmp/boot/key/unbroken.key /dev/ada0p3
7.geli attach -p -k /tmp/boot/key/unbroken.key /dev/ada0p3
8.zpool create -m / -R /tmp/zfs zroot /dev/ada0p3.eli
9. zpool set bootfs=zroot zroot
10.zfs create -V 4G zroot/swap
11.zfs set org.freebsd:swap=on zroot/swap
12.cd /tmp/zfs
13.tar xvJf /usr/freebsd-dist/base.txz
14.tar xvJf /usr/freebsd-dist/kernel.txz
15.tar xvJf /usr/freebsd-dist/src.txz
16. tar xvJf /usr/freebsd-dist/ports.txz
17. gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0
18. cp -r /tmp/boot/key /tmp/zfs/boot/
19. vi /tmp/zfs/boot/loader.conf
19.1 : zfs_load="YES"
19.2 : aesni_load="YES"
19:3 : geom_mirror_load="YES"
19.4 : geom_eli_load="yes"
19.5 : geli_ada0p3_keyfile0_load="YES"
19.6 : geli_ada0p3_keyfile0_type="ada0p3:geli_keyfile0"
19.7 : geli_ada0p3_keyfile0_name="/boot/key/unbroken.key"
20.vfs.root.mountfrom="zfs:zroot"
21. vi /tmp/zfs/etc/rc.conf
22. zfs_enable="YES"
23. printf "# Device\t\tMountpoint\tFStype\tOptions\t\tDump\tPass#\n" > /etc/fstab
24. printf "/dev/mirror/swap.eli\t\tnone\tswap\tsw\t\t0\t0\n" >> /etc/fstab
25. shutdown -r now

but when the system is rebooting, I've got this error :
No ZFS pools located, Can't boot

Thank you again for your consideration.


----------



## ShelLuser (Aug 27, 2018)

harika1258 said:


> *Dear Ralphbsz and ShelLuser .....
> Hi...*


This isn't asking for help, this is plain out spamming the forums. Did you _really_ have to post the same message 4 times in different threads, including private conversations?

Here is the exact same message in another thread.

The reason why this is highly inefficient (and plain out spamming) should be obvious: you're wasting peoples time: people who see this thread might be tempted to respond, even though kpa has already given some solid arguments in that other thread. Ergo: people who would respond here could effectively be wasting their time by posting the same comments because they wouldn't be aware of those in the other thread(s).

This is not the way to ask for help, in fact it has the exact opposite effect on me: I'm definitely not motivated to bother anymore.


----------



## harika1258 (Aug 27, 2018)

ShelLuser said:


> This isn't asking for help, this is plain out spamming the forums. Did you _really_ have to post the same message 4 times in different threads, including private conversations?
> 
> Here is the exact same message in another thread.
> 
> ...



Please accept my apologies, I definitely do not like to bother anymore too, but I'm working on this problem for two months, and it didn't work and then annoyed me :-( thus, I posted my problem to everywhere to find out solutions. sorry about that.


----------



## harika1258 (Aug 28, 2018)

ShelLuser said:


> This isn't asking for help, this is plain out spamming the forums. Did you _really_ have to post the same message 4 times in different threads, including private conversations?
> 
> Here is the exact same message in another thread.
> 
> ...



Do you want to help me or not? I mean, where is my mistake? ( which number of instructions and your idea?)


----------



## kpa (Aug 28, 2018)

You need something like this, the idea is to have an unencrypted UFS partition as the initial /boot directory.

https://forums.freebsd.org/threads/...oot-with-encrypted-zfs-root-using-geli.51393/

You may have to adapt that HOWTO your needs so don't just follow it blindly. Ask if you need clarification on anything.

Btw, crossposting and treating the forums like a helpdesk doesn't make any friends here, just a little bit of friendly advice.


----------



## harika1258 (Aug 28, 2018)

kpa said:


> You need something like this, the idea is to have an unencrypted UFS partition as the initial /boot directory.
> 
> https://forums.freebsd.org/threads/...oot-with-encrypted-zfs-root-using-geli.51393/
> 
> You may have to adapt that HOWTO your needs so don't just follow it blindly. Ask if you need clarification on anything.



Hi...,
you answered in another post, my wrong was in 17, you're right when the partition is encrypted, we can't use a pool and allocated that! but my problem is how can I do this? I mean, use a pool when the partition is encrypted.
Anyway, special thanks for your replying, I'm going to take look your posted link.

Thanks again.


----------

