Encrypted file system in a file: a ready-made recipe

Habr already has many articles on how to transfer data safely, either by protecting the channel or by encrypting a data file. But keeping data in a single file is often inconvenient (for example, an SVN repository or a maildir with mail does not live comfortably inside one file).

Under the cut is another solution that I find very convenient; perhaps it will come in handy for someone else.

Why a file system rather than an archive? Because any program that works with files can use a file system as-is, whereas an archive would have to be unpacked, creating an unencrypted copy that one can then forget to delete. In short, an encrypted file system is the natural solution, and storing files with all their attributes in an encrypted archive is an artificial one. With that, the lyrical part is over; on to the specifics.

Create an encrypted file system file


Load the geom_bde kernel module:
# kldload geom_bde
or, to load it automatically at boot, add to /boot/loader.conf:
geom_bde_load="YES"
Create the file itself (in my case, one megabyte):
# dd bs=1024 count=1024 if=/dev/zero of=/mnt/nokia/virt-fs
Create a memory-disk device backed by this file:
# mdconfig -a -t vnode -f /mnt/nokia/virt-fs -u 0
Now we have the device /dev/md0.
Initialize encryption:
# gbde init /dev/md0
Here you will be asked to enter the password twice.
Note that this is the simplest way. gbde also allows more sophisticated arrangements with lock files and key files; if you are interested, see the gbde(8) man page.
Now the encrypted device must be attached:
# gbde attach /dev/md0
Enter the password once more. If the password is wrong, nothing happens; if it is correct, you get the device /dev/md0.bde.
Create a file system on it:
# newfs -U -O2 /dev/md0.bde
That's all; you can tear the whole construction down if you no longer need it (see below for details):
# gbde detach /dev/md0; mdconfig -d -u 0

Connect


Here, I think, there will be no unfamiliar commands:
# mdconfig -a -t vnode -f /mnt/nokia/virt-fs -u 0
# gbde attach /dev/md0
# mount /dev/md0.bde /mnt-private
Now an encrypted file system, stored in the file /mnt/nokia/virt-fs, is mounted at /mnt-private, and any program can use it (symlinks work fine, by the way!).

Turn off


This is even simpler:
# umount /mnt-private
# gbde detach /dev/md0
# mdconfig -d -u 0
Note that if one of these commands fails (say, the file system is busy and cannot be unmounted), the remaining ones will fail too. Keep this in mind when writing a connect/disconnect script.
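As an added example (not from the original post), here is one way to write the connect/disconnect script the note above asks for. It is a POSIX sh script for FreeBSD that wraps the exact command sequences given in the post; the only assumptions are the paths from the post (/mnt/nokia/virt-fs, /mnt-private, md unit 0), which can be overridden through environment variables. The attach side undoes the steps already taken when a later step fails, and the detach side stops at the first failing step instead of blindly running the rest.

```shell
#!/bin/sh
# Constructed example: connect/disconnect script for the gbde-in-a-file setup.
# Defaults are the paths used in the post; override via environment if needed.
IMAGE="${IMAGE:-/mnt/nokia/virt-fs}"
MOUNTPOINT="${MOUNTPOINT:-/mnt-private}"
UNIT="${UNIT:-0}"

# Attach: md device -> gbde attach (asks for the password) -> mount.
# If a later step fails, roll back the earlier ones so no md device or
# unlocked .bde device is left dangling.
private_attach() {
    if ! mdconfig -a -t vnode -f "$IMAGE" -u "$UNIT"; then
        echo "mdconfig failed: could not create /dev/md$UNIT from $IMAGE" >&2
        return 1
    fi
    if ! gbde attach "/dev/md$UNIT"; then
        echo "gbde attach failed (wrong password?), removing /dev/md$UNIT" >&2
        mdconfig -d -u "$UNIT"
        return 1
    fi
    if ! mount "/dev/md$UNIT.bde" "$MOUNTPOINT"; then
        echo "mount failed, detaching gbde and removing /dev/md$UNIT" >&2
        gbde detach "/dev/md$UNIT"
        mdconfig -d -u "$UNIT"
        return 1
    fi
    return 0
}

# Detach: umount -> gbde detach -> mdconfig -d, stopping at the first
# failure (e.g. a busy file system), exactly as the post warns.
private_detach() {
    if ! umount "$MOUNTPOINT"; then
        echo "umount failed: is $MOUNTPOINT still in use?" >&2
        return 1
    fi
    if ! gbde detach "/dev/md$UNIT"; then
        echo "gbde detach failed for /dev/md$UNIT" >&2
        return 2
    fi
    if ! mdconfig -d -u "$UNIT"; then
        echo "mdconfig -d failed for unit $UNIT" >&2
        return 3
    fi
    return 0
}

case "${1:-}" in
    attach) private_attach ;;
    detach) private_detach ;;
    *) echo "usage: $0 attach|detach" >&2 ;;
esac
```

Run it as root with `./private.sh attach` before working and `./private.sh detach` afterwards; a non-zero exit from `detach` means the file system is still mounted and the image is still readable through /dev/md0.bde, so the return code is worth checking rather than assuming the teardown succeeded.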

That's all


Now, if an adversary steals my "Nokia", they will not be able to make anything out of the virt-fs file.

Good luck, and keep your private data safe!
