Hello there,
I just started exploring encryption in FreeBSD and have some questions.
I am trying to add an encrypted partition on FreeBSD 10.3 with GELI/Blowfish-CBC. AES on / and swap works fine, but I can't add an additional encrypted partition using Blowfish. Here is what I did:
Code:
# mount -o exec /dev/da2p1 /mnt/storekey
# gpart create -s gpt da1
da1 created
# gpart add -t freebsd-ufs -l usrdata da1
da1p1 added
# newfs gpt/usrdata
gpt/usrdata: 102400.0MB (209715128 sectors) block size 32768, fragment size 4096
using 164 cylinder groups of 626.09MB, 20035 blks, 80256 inodes.
super-block backups (for fsck_ffs -b #) at:
192, 1282432, 2564672, 3846912, 5129152, 6411392, 7693632, 8975872, 10258112, 11540352, 12822592, 14104832,
15387072, 16669312, 17951552, 19233792, 20516032, 21798272, 23080512, 24362752, 25644992, 26927232,
28209472, 29491712, 30773952, 32056192, 33338432, 34620672, 35902912, 37185152, 38467392, 39749632,
41031872, 42314112, 43596352, 44878592, 46160832, 47443072, 48725312, 50007552, 51289792, 52572032,
53854272, 55136512, 56418752, 57700992, 58983232, 60265472, 61547712, 62829952, 64112192, 65394432,
66676672, 67958912, 69241152, 70523392, 71805632, 73087872, 74370112, 75652352, 76934592, 78216832,
79499072, 80781312, 82063552, 83345792, 84628032, 85910272, 87192512, 88474752, 89756992, 91039232,
92321472, 93603712, 94885952, 96168192, 97450432, 98732672, 100014912, 101297152, 102579392, 103861632,
105143872, 106426112, 107708352, 108990592, 110272832, 111555072, 112837312, 114119552, 115401792,
116684032, 117966272, 119248512, 120530752, 121812992, 123095232, 124377472, 125659712, 126941952,
128224192, 129506432, 130788672, 132070912, 133353152, 134635392, 135917632, 137199872, 138482112,
139764352, 141046592, 142328832, 143611072, 144893312, 146175552, 147457792, 148740032, 150022272,
151304512, 152586752, 153868992, 155151232, 156433472, 157715712, 158997952, 160280192, 161562432,
162844672, 164126912, 165409152, 166691392, 167973632, 169255872, 170538112, 171820352, 173102592,
174384832, 175667072, 176949312, 178231552, 179513792, 180796032, 182078272, 183360512, 184642752,
185924992, 187207232, 188489472, 189771712, 191053952, 192336192, 193618432, 194900672, 196182912,
197465152, 198747392, 200029632, 201311872, 202594112, 203876352, 205158592, 206440832, 207723072, 209005312
# dd if=/dev/random of=/mnt/storekey/da0p1b.k bs=64 count=1
1+0 records in
1+0 records out
64 bytes transferred in 0.000032 secs (1988411 bytes/sec)
# geli init -s 4096 -K /mnt/storekey/da0p1b.k -e Blowfish-CBC -a hmac/sha256 -l 448 gpt/usrdata
Enter new passphrase:
Reenter new passphrase:
Metadata backup can be found in /var/backups/gpt_usrdata.eli and
can be restored with the following command:
# geli restore /var/backups/gpt_usrdata.eli gpt/usrdata
# geli attach -k /mnt/storekey/da0p1b.k gpt/usrdata
Enter passphrase:
# newfs gpt/usrdata.eli
gpt/usrdata.eli: 91022.2MB (186413448 sectors) block size 32768, fragment size 4096
using 146 cylinder groups of 626.09MB, 20035 blks, 80256 inodes.
newfs: can't read old UFS1 superblock: read error from block device: Invalid argument
OK, Google said I need to destroy the data with random output:
Code:
# dd if=/dev/random of=gpt/usrdata.eli bs=8m
dd: gpt/usrdata.eli: No such file or directory
OK, I want to check:
Code:
# geli list
Geom name: da0p4.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Version: 7
UsedKey: 0
Flags: BOOT
KeysAllocated: 50
KeysTotal: 50
Providers:
1. Name: da0p4.eli
Mediasize: 26843378688 (25G)
Sectorsize: 512
Mode: r1w1e1
Consumers:
1. Name: da0p4
Mediasize: 26843379200 (25G)
Sectorsize: 512
Stripesize: 0
Stripeoffset: 1073891328
Mode: r1w1e1
Geom name: gpt/swap.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Version: 7
Flags: ONETIME, W-DETACH, W-OPEN
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: gpt/swap.eli
Mediasize: 4294967296 (4.0G)
Sectorsize: 4096
Mode: r1w1e0
Consumers:
1. Name: gpt/swap
Mediasize: 4294967296 (4.0G)
Sectorsize: 512
Stripesize: 0
Stripeoffset: 1073891328
Mode: r1w1e1
Geom name: gpt/usrdata.eli
State: ACTIVE
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 448
AuthenticationAlgorithm: HMAC/SHA256
Crypto: software
Version: 7
UsedKey: 0
Flags: AUTH
KeysAllocated: 200
KeysTotal: 200
Providers:
1. Name: gpt/usrdata.eli
Mediasize: 95443685376 (89G)
Sectorsize: 4096
Mode: r0w0e0
Consumers:
1. Name: gpt/usrdata
Mediasize: 107374148096 (100G)
Sectorsize: 512
Stripesize: 0
Stripeoffset: 17408
Mode: r1w1e1
# ls /dev
acpi da0p2 geom.ctl mem sndstat ttyv9
apm da0p3 gpt midistat stderr ttyva
apmctl da0p4 gptid mpt0 stdin ttyvb
atkbd0 da0p4.eli hpet0 nfslock stdout ttyvc
audit da1 io null sysmouse ttyvd
bpf da1p1 iso9660 pass0 ttyv0 ttyve
bpf0 da2 kbd0 pass1 ttyv1 ttyvf
bpsm0 da2p1 kbd1 pass2 ttyv2 ufssuspend
cd0 devctl kbdmux0 pass3 ttyv3 urandom
console devctl2 klog pci ttyv4 usbctl
consolectl devstat kmem psm0 ttyv5 xpt0
ctty fd led pts ttyv6 zero
da0 fd0 log random ttyv7
da0p1 fido mdctl reroot ttyv8

What's wrong? Thanks for the help.
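Two details in the transcript above are worth checking against the documented behaviour of geli(8). First, `geli` resolves a bare GEOM name such as `gpt/usrdata.eli` under /dev by itself, but dd(1) does not, which is why `dd ... of=gpt/usrdata.eli` reports "No such file or directory" while `geli attach gpt/usrdata` succeeds. Second, when a provider is initialised with `-a` (data authentication), a sector that has never been written has no valid HMAC, so reading it returns an error rather than data; newfs(8) runs into that while probing for an old superblock, and geli(8) therefore tells you to write the whole provider once before using it. The script below is an added example, not code from the original post or from FreeBSD; it provisions a provider with the same parameters the post used (4 KiB sectors, Blowfish-CBC with a 448-bit key, HMAC/SHA256, key file plus passphrase), pre-writes every sector through the `.eli` device, and only then runs newfs. It assumes a FreeBSD host with geli(8), diskinfo(8), dd(1) and newfs(8); the provider name `gpt/usrdata` and the key file path are taken from the post, and the helper names (`devpath`, `make_keyfile`, `keyfile_ok`, `prewrite`, `provision`) are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post or from FreeBSD. Provisions a
# GELI provider with data authentication and pre-writes it before newfs.
# Assumes FreeBSD with geli(8), diskinfo(8), dd(1) and newfs(8).
set -eu

# geli(8) accepts a bare GEOM name such as gpt/usrdata.eli and looks it up
# under /dev itself; dd(1) does not, so always hand dd the full device node.
devpath() {
    case "$1" in
        /dev/*) printf '%s\n' "$1" ;;
        *)      printf '/dev/%s\n' "$1" ;;
    esac
}

# 64 random bytes for -K, created under a restrictive umask so the key file
# is mode 0600 from the moment it exists (the post's dd used the default umask).
make_keyfile() {
    ( umask 077; dd if=/dev/random of="$1" bs=64 count=1 2>/dev/null )
}

# Refuse a key file that is not exactly 64 bytes or is readable by anyone
# other than its owner.
keyfile_ok() {
    [ "$(($(wc -c < "$1")))" -eq 64 ] || return 1
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Write every sector of device $1 (sector size $2, sector count $3). With -a,
# an unwritten sector carries no valid HMAC and reads of it fail, which is
# what newfs hits while probing for an old superblock. Writes go in
# 256-sector chunks, then one sector-sized pass covers the tail.
prewrite() {
    dev=$1; secsz=$2; nsec=$3; per=256
    dd if=/dev/random of="$dev" bs=$((secsz * per)) count=$((nsec / per)) 2>/dev/null
    rem=$((nsec % per))
    # conv=notrunc keeps the chunks already written when the target is a file.
    [ "$rem" -eq 0 ] || dd if=/dev/random of="$dev" bs="$secsz" count="$rem" \
        seek=$((nsec - rem)) conv=notrunc 2>/dev/null
}

# Full procedure: key file, geli init/attach (passphrase prompts are
# interactive), pre-write, newfs. $1 = provider (e.g. gpt/usrdata), $2 = key file.
provision() {
    prov=$1; key=$2
    make_keyfile "$key"
    keyfile_ok "$key" || { echo "unusable key file: $key" >&2; return 1; }
    geli init -s 4096 -K "$key" -e Blowfish-CBC -a hmac/sha256 -l 448 "$prov"
    geli attach -k "$key" "$prov"
    eli=$(devpath "$prov.eli")
    # diskinfo prints: name, sector size, media size, sector count, ...
    secsz=$(diskinfo "$eli" | awk '{print $2}')
    nsec=$(diskinfo "$eli" | awk '{print $4}')
    prewrite "$eli" "$secsz" "$nsec"
    newfs "$eli"
}

# Only act when explicitly asked, e.g.:
#   sh geli-auth.sh provision gpt/usrdata /mnt/storekey/da0p1b.k
if [ "${1:-}" = provision ]; then
    provision "$2" "$3"
fi
```

The pre-write goes through the `.eli` device on purpose: writing to the raw `gpt/usrdata` would bypass the authentication layer and leave the HMACs invalid. Because the attached provider's sector size is 4096 while the underlying partition reports 512, `prewrite` reads the geometry from diskinfo rather than assuming a size.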