Yet Another Encrypted Disk HOWTO: vnd->blockdev
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Yet Another Encrypted Disk HOWTO: vnd->blockdev
- From: Chris Kuethe <ckuethe_(_at_)_ualberta_(_dot_)_ca>
- Date: Mon, 7 Apr 2003 21:10:12 -0600 (MDT)

for those of you who don't like making filesystems on vnds inside
files, i have something resembling good news for you: you can use
vnd to encrypt your disk - or large parts thereof.

this is a really good way to nuke an otherwise useful disk. it's
no one's fault but your own if you kill your computer because you
tried this without understanding what's going on (and maybe testing
with vmware first).

short version: vnconfig -k <svnd> <blkdev>
[do stuff to svnd]

long version:

1) make sure you have some space on your drive for this:
here's what my disklabel looks like; for today's demo
i'll use wd0f:
desdemona:ttyp7# dmesg | grep wd0
wd0 at pciide0 channel 0 drive 0: <HITACHI_DK23CA-20>
wd0: 16-sector PIO, LBA, 19077MB, 16383 cyl, 16 head, 63 sec, 39070080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
desdemona:ttyp7# fdisk wd0
Disk: wd0       geometry: 2432/255/63 [39070080 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
------------------------------------------------------------------------
 0: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
*3: A6    0   1  1 - 2431 254 63 [          63:    39070017 ] OpenBSD
desdemona:ttyp7# disklabel wd0
16 partitions:
#        size   offset    fstype  [fsize bsize  cpg]
  a:   524160  1048320    4.2BSD   4096 32768   16 # (Cyl. 1040 - 1559)
  b:  1048257       63      swap                   # (Cyl.    0*- 1039)
  c: 39070080        0    unused      0     0      # (Cyl.    0 - 38759)
  d:   524160  1572480    4.2BSD   2048 16384   16 # (Cyl. 1560 - 2079)
  e:  2097648  2096640    4.2BSD   4096 32768   16 # (Cyl. 2080 - 4160)
  f:  2097648  4194288    4.2BSD   4096 32768   16 # (Cyl. 4161 - 6241)
  g: 32778144  6291936    4.2BSD   4096 32768   16 # (Cyl. 6242 - 38759)

2) configure your vnode properly
desdemona:ttyp7# sudo vnconfig -k svnd1 /dev/wd0f
Encryption key: foo

3) disklabel your new encrypted "disk"
desdemona:ttyp7# sudo disklabel -E svnd1
disklabel: Can't get bios geometry: Device not configured
Initial label editor (enter '?' for help at any prompt)
> p
device: /dev/rsvnd1c
type: SCSI
disk: vnd device
label: fictitious
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 0
total sectors: 536870911
free sectors: 536870911
rpm: 3600
16 partitions:
#         size   offset    fstype  [fsize bsize  cpg]
  c: 536870911        0    unused      0     0      # (Cyl. 0 - 5368709*)
> e
Changing device parameters for /dev/rsvnd1c:
disk type: [SCSI]
label name: [fictitious]
sectors/track: [100] 1024
tracks/cylinder: [1] 16
sectors/cylinder: [100] 16384
number of cylinders: [0]
total sectors: [536870911] 2097648
rpm: [3600]
interleave: [1]
> p
device: /dev/rsvnd1c
type: SCSI
disk: vnd device
label: fictitious
bytes/sector: 512
sectors/track: 1024
tracks/cylinder: 16
sectors/cylinder: 16384
cylinders: 0
total sectors: 2097648
free sectors: 2097648
rpm: 3600
16 partitions:
#         size   offset    fstype  [fsize bsize  cpg]
  c: 536870911        0    unused      0     0      # (Cyl. 0 - 32767*)
> m c
FS type: [unused]
offset: [0]
size: [536870911] 2097648
> a a
offset: [0]
size: [2097648]
FS type: [4.2BSD]
> p
device: /dev/rsvnd1c
type: SCSI
disk: vnd device
label: fictitious
bytes/sector: 512
sectors/track: 1024
tracks/cylinder: 16
sectors/cylinder: 16384
cylinders: 0
total sectors: 2097648
free sectors: 0
rpm: 3600
16 partitions:
#        size   offset    fstype  [fsize bsize  cpg]
  a:  2097648        0    4.2BSD   1024  8192   16 # (Cyl. 0 - 128*)
  c:  2097648        0    unused      0     0      # (Cyl. 0 - 128*)
> w
> q
No label changes.

4) format your shiny new disk
desdemona:ttyp7# sudo newfs svnd1a
Warning: inode blocks/cyl group (124) >= data blocks (31) in last
cylinder group. This implies 496 sector(s) cannot be allocated.
/dev/rsvnd1a: 2097152 sectors in 512 cylinders of 4 tracks, 1024 sectors
1024.0MB in 32 cyl groups (16 c/g, 32.00MB/g, 7680 i/g)
super-block backups (for fsck -b #) at:
32, 66592, 133152, 199712, 262176, 328736, 395296, 461856, 524320, 590880,
657440, 724000, 786464, 853024, 919584, 986144, 1048608, 1115168, 1181728,
1248288, 1310752, 1377312, 1443872, 1510432, 1572896, 1639456, 1706016,
1772576, 1835040, 1901600, 1968160, 2034720,

5) mount it
desdemona:ttyp7# sudo mount /dev/svnd1a /scratch
desdemona:ttyp7# df -h /scratch
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/svnd1a    993M    1.0K    944M     0%    /scratch

there you have it. make sure you use the s(ynchronous) devices.

just for laughs, fill up your filesystem with a file full of zeros,
delete it, and copy in something like the source tree. after you
unmount and unconfigure the vnode, you can do 'dd if=/dev/wd0f | strings'
and not see anything meaningful.

caveats: this seems a little bit ... "unstable". i would not yet
recommend trying this stunt on a non-sacrificial machine. i've made
my machine lock up twice this way, probably because i had mounted
the filesystem async, was zeroing it, and dd|strings-ing it all at
the same time. probably a case of "doctor, it hurts when i shoot
myself in the foot!"

the disklabel does not seem to persist across vnode {,un}configure.
it's probably something i did wrong.

be vewwy vewwy quiet... heh heh errrr... very very careful. i hope
you noticed that i specified the start and end and number of sectors
in my encrypted disk. if you don't do that correctly you could very
well scribble junk all over your disk.

CK
--
Chris Kuethe, GCIA CISSP: Secure Systems Specialist - U of A CNS
office: 157 General Services Bldg. +1.780.492.8135
chris_(_dot_)_kuethe_(_at_)_[pyxis_(_dot_)_cns_(_dot_)_]ualberta_(_dot_)_ca
GDB has a 'break' feature; why doesn't it have 'fix' too?
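The sector-count caveat at the end of the post, as an added example that is not part of the original message and not OpenBSD's own tooling: a small POSIX sh script that pulls the partition size out of "disklabel <disk>" output and refuses a vnd label larger than the slice, instead of typing 2097648 into "disklabel -E" by hand. The disklabel text embedded in it is constructed to match the wd0f line shown above; the function names and the /mnt mount point are assumptions, and the script only prints the commands the post runs rather than executing them.

```shell
#!/bin/sh
# Added example, not from the original post: derive the vnd label size from
# the real disklabel so the "total sectors" answer can never exceed the slice.
# Assumes OpenBSD-style "disklabel <disk>" output (one partition per line,
# "<letter>: <size> <offset> <fstype> ...").

# Constructed sample of "disklabel wd0" output, matching the post's wd0f.
SAMPLE_LABEL='16 partitions:
#        size   offset    fstype  [fsize bsize  cpg]
  a:   524160  1048320    4.2BSD   4096 32768   16 # (Cyl. 1040 - 1559)
  b:  1048257       63      swap                   # (Cyl.    0*- 1039)
  c: 39070080        0    unused      0     0      # (Cyl.    0 - 38759)
  f:  2097648  4194288    4.2BSD   4096 32768   16 # (Cyl. 4161 - 6241)'

# partition_sectors LABEL_TEXT LETTER -> size of that partition in
# 512-byte sectors, or nothing if the letter is not in the label.
partition_sectors() {
    printf '%s\n' "$1" | awk -v want="$2:" '$1 == want { print $2; exit }'
}

# check_total_sectors REQUESTED AVAILABLE -> 0 when the requested vnd size
# is a positive number that fits inside the partition, 1 otherwise.
# The "disklabel -E" default for a vnd (536870911 in the post) is far larger
# than any real slice, so accepting it unchanged would let the filesystem
# write past the end of the partition.
check_total_sectors() {
    req=$1; avail=$2
    [ "$req" -gt 0 ] 2>/dev/null || return 1
    [ "$req" -le "$avail" ] || return 1
    return 0
}

# vnd_cylinders TOTAL SECTORS_PER_CYL -> whole cylinders the label holds
# (the post's 2097648 sectors at 16384 per cylinder give 128).
vnd_cylinders() {
    echo $(( $1 / $2 ))
}

# plan_encrypted_vnd LABEL_TEXT LETTER DISK SVND -> prints the sequence the
# post runs, with the total-sector count taken from the label. It does not
# run anything; /mnt is an assumed mount point.
plan_encrypted_vnd() {
    label=$1; letter=$2; disk=$3; svnd=$4
    size=$(partition_sectors "$label" "$letter")
    [ -n "$size" ] || { echo "no partition $letter in label" >&2; return 1; }
    check_total_sectors "$size" "$size" || return 1
    cyl=$(vnd_cylinders "$size" 16384)
    cat <<EOF
vnconfig -k $svnd /dev/${disk}${letter}
disklabel -E $svnd   # e: sectors/track 1024, tracks/cylinder 16, total sectors $size ($cyl cylinders)
newfs ${svnd}a
mount /dev/${svnd}a /mnt
EOF
}

# Dry run against the constructed label; prints the four commands for wd0f.
plan_encrypted_vnd "$SAMPLE_LABEL" f wd0 svnd1
```

Run it as-is to see the plan for the sample label, or feed it the output of a real "disklabel" call; the only line a user still has to answer correctly in the editor is the total-sector count, and that now comes from the label rather than from memory.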