|
[20060823]
|
CryptoGraphicFile (CGF), or how to keep sensitive data on your laptop (Updated)
OK, a friend of mine
blogged the other day
about setting up encrypted disk on FreeBSD, which reminded me of this
thing I'm using on my laptop to carry sensitive things like SSH keys,
my address database etc. which I've come up with I went to the USA for
a few months last year.
After reading
the CGD chapter of the NetBSD Guide
I had a rough idea on how to do the whole thing on a disk partition, but I
wanted to keep everything in a file so I would not have to re-partition my
laptop.
Ignoring the Guide's warning that cgd(4) on vnd(4) doesn't work
(and proving it wrong, for me :-), I've used vnd(4) happily since for
the task.
Below, I'll outline the tasks for
- setting up my "CryptoGraphicFile" (CGF) using cgd-in-vnd,
- what to do to use the data
- what to do to stash things away again
1) Setting up my CryptoGraphicFile (CGF)
- Decide on a place for the actual data and the amount of
data you want to protect. "du -sm ~/.ssh ~/.gnupg"
tells me that 10MB is plenty, and I'll use these values here.
# base=$HOME/S
# size=10
Also, the (decrypted) data will be mounted on /secure.
- The first step of creating a $size MB big file
and making it accessible as vnd(4) device is pretty easy:
# dd if=/dev/zero of=$base bs=1m count=$size
10+0 records in
10+0 records out
10485760 bytes transferred in 0.479 secs (21890939 bytes/sec)
# chmod go-rwx $base
# vnconfig vnd0 $base
#
- Next we create a parameter file for cgd(4). We use AES encryption
with 256 bit:
# cgdconfig -g -V disklabel -o $base.cgd aes-cbc 256
If this step fails with
cgdconfig: could not calibrate pkcs5_pbkdf2
cgdconfig: Failed to generate defaults for keygen
make sure that you have enough bits of entropy
available for /dev/random. Just open up an xterm and run something like
"ls -lR /" in it.
- Next, the disk can be configured and newfs'd. This is the step
where the password for the CGF is set, and you'd better not forget
this:
# cgdconfig -V re-enter cgd0 /dev/vnd0a $base.cgd
/dev/vnd0a's passphrase:
re-enter device's passphrase:
# newfs /dev/cgd0a
/dev/cgd0a: 10.0MB (20480 sectors) block size 4096, fragment size 512
using 4 cylinder groups of 2.50MB, 640 blks, 1184 inodes.
super-block backups (for fsck_ffs -b #) at:
32, 5152, 10272, 15392,
- Now the CGF can be mounted:
# mount /dev/cgd0a /secure
# df -h /secure
Filesystem Size Used Avail Capacity Mounted on
/dev/cgd0a 9.4M 512B 8.9M 0% /secure
# ls /secure
#
- Of course there's nothing on the newly created CGF. Let's
undo things for the first-time configuration to finish our
first step:
# umount /secure
# cgdconfig -u cgd0
# vnconfig -u vnd0
If you get a "Filesystem busy" in the first step,
remember to "cd /". :)
We have created a filesystem inside a disk-file in $HOME/S in this
step. The file is protected by a password which needs to be entered
when used. Security of the data in that filesystem depends on this
password alone, e.g. if this is on your laptop and the laptop's
stolen, so make sure you use something non-trivial!
2) Using the encrypted data
After we have created a secure filesystem inside a file in $HOME/S now,
we can configure it for using with the following steps:
# base=$HOME/S
# vnconfig vnd0 $base
# cgdconfig -V none cgd0 /dev/vnd0a $base.cgd
# fsck -p /dev/cgd0a
# mount /dev/cgd0a /secure
#
The cgdconfig-command above will ask for the password. Be sure
to enter the same one that you gave it during the steps above!
After these steps, /secure is accessible again, and will be so
until you shutdown the system or unconfigure it as shown below.
Before repeating how to unconfigure the CGF, the disk should
probably be populated with a few precious files. To still make
the files accessible in a transparent way (when /secure is
mounted!), symlinks can be used. E.g the following will put
an especially precious SSH key onto this secure file:
# mv ~feyrer/.ssh/important_key /secure
# ln -s /secure/important_key ~feyrer/.ssh
With appropriate SSH configuration, I will be able
to use that key only when /secure is mounted. If
it's not: bad luck. (Of course this whole example
is somewhat artificial as you could just trust your
key to a proper passphrase as well, but well :).
Other examples I've used this with is are PGP keys,
my private addres database, calendar and some other
files I prefer to have near me when traveling.
3) What to do to stash things away again
To make things safe again, either shutdown the system, or run these steps:
# umount /secure
# cgdconfig -u cgd0
# vnconfig -u vnd0
Of course the steps to configure/unconfigure the CGF
can be put into shell scripts (which I've done; I should
probably make a package out of this...) for easy automation.
One such place where the above commands can be very handy
is when suspending a laptop via APM: Place them into
/etc/apm/suspend, and you won't have to worry
about your files when your laptop is in suspended state.
When you need your secured files again, a script with the
commands noted under 2) can be run.
I'm using this setup on my laptop, and I'm quite happy with
things that way. Maybe you will be, too!
Update:
Curt Sampson wrote me about a nice way to lock the machine
in case someon un-suspends it: simply run xlock *on suspend*.
When X is started in a way that it won't get back to the shell
upon ctrl-alt-backspace, this won't allow access to any file
in case the machine gets stolen.
One other precaution that could be taken is to use encrypted
swap, to prevent sensitive data getting into swap, and a
mallicious hacker getting it from there after taking
the disk out of the machine. A good hint, from someone (name
forgotten) on #NetBSD.
[Tags: cgd, cgf, Docs, Security]
|
