FreeBSD 10 with Full Disk Encryption on UFS Filesystem

Since its release on 1/20/2014, I have been trying to install FreeBSD 10 on my HP Pavilion dm3-1130us notebook with ZFS because I wanted to utilize its full disk encryption; however, every time I tried, it failed during the boot process with the following messages:

    gptzfsboot: error 66 lba 48
    gptzfsboot: error 66 lba 1
    gptzfsboot: No ZFS pools located, can't boot

I googled but couldn't find any solutions even now. If anyone knows how to resolve this, I'm all ears.

Disclaimer:
The information on this site is the result of my research on the Internet and of my own experience. It is used solely for my purposes and may not be suitable for others. I will NOT take any responsibility for the end result of following these steps (although I will try to help if you send me your questions/problems).

So for now, I'm going to install it with full disk encryption on UFS instead. After much trial and error, I found steps that worked on my system (thanks to BSD Now). I'll just list the commands below in case the site becomes unavailable in the future (it happens!).

Installation:

Follow the installation until the partition menu. Choose shell to manually configure the disk encryption before the OS is installed.

To view a list of disk devices, run:

    # sysctl kern.disks

With a blank disk, create a GPT partition table:

    # gpart create -s gpt ada0

Or destroy an existing one first:

    # gpart destroy -F ada0

Create 3 partitions. The first is for the boot record, the second is an unencrypted /boot partition (from which the kernel is loaded) and the third is the large encrypted partition for the rest of the OS and files.

    # gpart add -t freebsd-boot -s 512k -a 4k ada0
    # gpart add -t freebsd-ufs -l bootfs -s 1g -a 1m ada0
    # gpart add -t freebsd-ufs -l encrypted -a 1m ada0

Install the bootcode:

    # gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

Encrypt the partition:

    # geli init -b -s 4096 ada0p3
    Enter passphrase:
    Reenter passphrase:

Attach the device:

    # geli attach ada0p3
    Enter passphrase:
    cryptosoft0: on motherboard
    GEOM_ELI: Device ada0p3.eli created
    GEOM_ELI: Encryption: AES-XTS 128
    GEOM_ELI: Crypto: software

Format the partitions:

    # newfs -U /dev/ada0p2
    # newfs -U /dev/ada0p3.eli

Mount the partitions:

    # mount /dev/ada0p3.eli /mnt
    # mkdir /mnt/unenc
    # mount /dev/ada0p2 /mnt/unenc
    # mkdir /mnt/unenc/boot
    # ln -s unenc/boot /mnt/boot

Create the fstab file:

    # vi /tmp/bsdinstall_etc/fstab
    ----------------------------------------------------
    # Device          Mountpoint  FStype  Options     Dump  Pass#
    /dev/ada0p2       /unenc      ufs     rw,noatime  1     1
    /dev/ada0p3.eli   /           ufs     rw,noatime  2     2

Automatically load the kernel modules that are required for booting from an encrypted volume:

    # vi /tmp/bsdinstall_boot/loader.conf
    ----------------------------------------------------
    geom_eli_load="YES"
    vfs.root.mountfrom="ufs:ada0p3.eli"

Exit the shell and follow the rest of the installation. After rebooting, it should prompt for the passphrase.
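Before leaving the installer shell, it is worth checking that the two files written above agree with each other: the root in fstab must be the .eli provider, /unenc must be the plain partition, and loader.conf must load geom_eli and point vfs.root.mountfrom at the same .eli device. The following script is an added example, not part of the original post; it embeds constructed copies of the post's fstab and loader.conf and the paths to the real bsdinstall staging files are an assumption to be adjusted.

```shell
#!/bin/sh
# Reads an fstab and a loader.conf and confirms they describe a bootable
# geli root: "/" on a /dev/*.eli provider, /unenc unencrypted, geom_eli_load
# enabled, and vfs.root.mountfrom naming the same .eli device as fstab.

# Device that fstab file $1 mounts at mountpoint $2 (comment lines skipped).
fstab_device() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1 }' "$1"
}

# Value of variable $2 in loader.conf file $1, surrounding quotes stripped.
loader_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Return 0 when fstab ($1) and loader.conf ($2) agree on an encrypted root.
check_geli_config() {
    rc=0
    root=$(fstab_device "$1" /)
    case "$root" in
        /dev/*.eli) ;;   # root must be the geli provider, not the raw partition
        *) echo "FAIL: fstab root is '$root', expected a /dev/*.eli device"; rc=1 ;;
    esac
    case "$(fstab_device "$1" /unenc)" in
        *.eli|"") echo "FAIL: /unenc must be a plain, unencrypted partition"; rc=1 ;;
    esac
    [ "$(loader_value "$2" geom_eli_load)" = "YES" ] ||
        { echo "FAIL: loader.conf lacks geom_eli_load=\"YES\""; rc=1; }
    mf=$(loader_value "$2" vfs.root.mountfrom)
    [ "$mf" = "ufs:${root#/dev/}" ] ||
        { echo "FAIL: vfs.root.mountfrom '$mf' does not match fstab root '$root'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: fstab and loader.conf agree on root $root"
    return "$rc"
}

# Constructed sample files mirroring the post's fstab and loader.conf;
# on the installer, point the check at /tmp/bsdinstall_etc/fstab and
# /tmp/bsdinstall_boot/loader.conf instead.
tmp=$(mktemp -d)
cat > "$tmp/fstab" <<'EOF'
# Device         Mountpoint  FStype  Options     Dump  Pass#
/dev/ada0p2      /unenc      ufs     rw,noatime  1     1
/dev/ada0p3.eli  /           ufs     rw,noatime  2     2
EOF
cat > "$tmp/loader.conf" <<'EOF'
geom_eli_load="YES"
vfs.root.mountfrom="ufs:ada0p3.eli"
EOF
check_geli_config "$tmp/fstab" "$tmp/loader.conf"
```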

However, on my system there was a bit of a gotcha after the reboot:

[screenshot: FreeBSD10_encryption]

As you can see in the above image, some kernel messages appear right after the passphrase prompt. I did not notice this for a while, and it made me think that the encryption had failed (it took me a while to figure out...). To confirm that the encryption is working, press Enter. The passphrase prompt shows up again:

    GEOM_ELI: Wrong key for ada0p3. Tries left: 2.
    Enter passphrase for ada0p3:

That's all!
-gibb

Installing Arch Linux: LVM on top of an encrypted partition

IMPORTANT!!!
I now have an updated version of this guide, Installing Arch Linux: LVM on top of an encrypted partition [[UPDATED]], with updated contents. Please visit that page!

I recently got a new notebook from my friend. I'm a Slackware user but decided to give Arch Linux a try on this notebook. Ah... Arch Linux. I like its simplicity and user-centric philosophy. So I was reading up about Arch Linux and came across encryption. Hmm... I could give it a try and make my notebook secure.

After reading, it looks like setting up LVM on top of the encrypted partition is the best method. So, I'll do that.

Disclaimer:
The information below is gathered mostly from the Arch Linux Wiki and changed here and there to my liking. It is used solely for my purposes and may not be suitable for others.

Erasure of the Hard Disk:

Data on a hard drive is written in chunks scattered across the disk. Re-partitioning or reformatting a disk does not really remove (erase) the data; it merely removes the filesystem structures that recorded where the original data was located. The data itself stays on the disk.

To securely erase a disk, you could either:

  • Fill it with zeros
  • Fill it with random bits

Both methods overwrite the data on the disk, but zero-filling makes it easy (to some extent) to identify where the encrypted data ends, since everything outside it reads as zeros. So I follow the second method:

    # dd if=/dev/urandom of=/dev/<drive> bs=1M

Just be warned, this takes a long, long time.

Partitioning a Disk:

Even though the Arch Linux version that I'm using (2012.08.04) comes with GRUB2, which supports having the /boot partition in LVM, the /boot directory has to reside on its own partition. If /boot is encrypted (with or without LVM), the bootloader cannot read it, and the boot will fail.

    # fdisk /dev/sda

Partition Layout:
/dev/sda1 -> /boot (bootable)
/dev/sda2 -> LVM (8e)

Configuring LUKS:

cryptsetup is the tool used to interface with LUKS for formatting, mounting and unmounting encrypted partitions.

First make sure the device mapper kernel module is loaded:

    # modprobe dm-mod

Then format it as an encrypted LUKS partition:

    # cryptsetup -c aes-xts-plain -s 512 -yvh sha256 luksFormat /dev/sda2

  • -c: defines the cipher
  • -s: defines the key size in bits
  • -y: prompts for the passphrase twice to verify it
  • -v: verbose output
  • -h sha256: selects SHA-256 as the hash used when deriving the key from the passphrase

It looks like the AES cipher in XTS mode (XTS-AES) is the most popular choice these days.

Unlocking/Mapping LUKS partition with the Device Mapper:

To access the encrypted volume, it needs to be unlocked:

    # cryptsetup luksOpen /dev/sda2 lvm

LVM:

Create a physical volume (on the unlocked encrypted volume) and a volume group:

    # lvm pvcreate /dev/mapper/lvm
    # lvm vgcreate lvmvg /dev/mapper/lvm

Create logical volumes on this new volume group:

    # lvm lvcreate -L 10G -n root lvmvg
    # lvm lvcreate -L 500M -n swap lvmvg
    # lvm lvcreate -l 100%FREE -n home lvmvg

Installation of Arch Linux:

Follow my blog entry, Installing Arch Linux on LVM, to install Arch Linux.

Configuration:

There are several configuration files that need to be modified.

/etc/rc.conf

Change USELVM="no" to USELVM="yes":

    # vi /etc/rc.conf
    --------------------
    USELVM="yes"

/etc/mkinitcpio.conf

Configure /etc/mkinitcpio.conf for encryption and LVM by adding encrypt lvm2 (in this order) to the HOOKS line before filesystems, so that the initramfs unlocks the LUKS container and then finds the LVM volumes at boot time:

    # vi /etc/mkinitcpio.conf
    --------------------
    HOOKS="...encrypt lvm2 filesystems..."

/boot/grub/grub.cfg

Add cryptdevice=/dev/sda2:lvmvg between root=... and ro on the line that starts with linux. This needs to be done for both the "Arch Linux" and "Arch Linux Fallback" entries:

    # vi /boot/grub/grub.cfg
    --------------------
    linux /boot/vmlinuz-linux root=/dev/mapper/lvmvg-root cryptdevice=/dev/sda2:lvmvg ro quiet
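The two edits that most often go wrong here are the hook order and the fallback entry that gets forgotten, and both only show up as an unbootable system. The script below is an added example, not part of the original post: it checks that HOOKS lists encrypt, then lvm2, then filesystems, and that every linux line in grub.cfg carries the cryptdevice= parameter. It runs on constructed copies of the two files; the real paths and the /dev/sda2:lvmvg value are taken from the post and would be adjusted for another layout.

```shell
#!/bin/sh
# Post-configuration check for the LVM-on-LUKS setup: HOOKS must run
# encrypt before lvm2 before filesystems, and every GRUB "linux" line
# must name the cryptdevice= parameter, or the initramfs cannot unlock
# the container and assemble the volume group at boot.

# 1-based position of hook $2 in the space-separated list $1, 0 if absent.
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# Return 0 when mkinitcpio.conf ($1) orders encrypt < lvm2 < filesystems.
check_hooks() {
    hooks=$(sed -n 's/^HOOKS="\(.*\)".*/\1/p' "$1" | tail -n 1)
    e=$(hook_index "$hooks" encrypt)
    l=$(hook_index "$hooks" lvm2)
    f=$(hook_index "$hooks" filesystems)
    if [ "$e" -gt 0 ] && [ "$e" -lt "$l" ] && [ "$l" -lt "$f" ]; then
        echo "OK: HOOKS order is encrypt($e) lvm2($l) filesystems($f)"
    else
        echo "FAIL: HOOKS=\"$hooks\" does not order encrypt, lvm2, filesystems"
        return 1
    fi
}

# Return 0 when every "linux" line in grub.cfg ($1) contains cryptdevice=$2.
check_grub() {
    awk -v want="cryptdevice=$2" '
        $1 == "linux" { total++; if (index($0, want)) ok++ }
        END { if (total > 0 && ok == total) exit 0; exit 1 }' "$1"
}

# Constructed sample files mirroring the post's configuration.
tmp=$(mktemp -d)
echo 'HOOKS="base udev autodetect block encrypt lvm2 filesystems fsck"' > "$tmp/mkinitcpio.conf"
cat > "$tmp/grub.cfg" <<'EOF'
menuentry "Arch Linux" {
    linux /boot/vmlinuz-linux root=/dev/mapper/lvmvg-root cryptdevice=/dev/sda2:lvmvg ro quiet
    initrd /boot/initramfs-linux.img
}
EOF
check_hooks "$tmp/mkinitcpio.conf"
check_grub "$tmp/grub.cfg" /dev/sda2:lvmvg && echo "OK: cryptdevice present on every linux line"
```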

Reboot:

Now reboot the system.

That's all!
-gibb