From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Norberto Meijome
Cc: Freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Date: Mon, 23 Jan 2006 00:55:56 +0200
Subject: Re: Encrypted volume - how?
Message-ID: <20060122225556.GA44171@flame.pc>
In-Reply-To: <43D409B8.6070704@meijome.net>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

On 2006-01-23 09:39, Norberto Meijome wrote:
> Hi all,
> I'm looking for a way to recreate the functionality of PGP Disk (under
> Win32). Basically, create an encrypted file, which contains a
> filesystem, which can then be mounted on any mount point.
>
> I know I can use GELI in FreeBSD 6 - as I understand, it performs the
> encryption at the partition level (the whole partition is encrypted).
> I'd like to be able to simply unmount my 'secure volume', and be able
> to back it up as a whole, or move it to another computer without
> having to repartition the destination. I think GELI wouldn't be good
> for this.

If the destination computer runs FreeBSD too, you shouldn't need to
repartition at all.

> I think I've read somewhere that you could use openssl to generate an
> encrypted volume and then mount it. I searched for a while and can't
> find any reference to this. Does anyone know how to do this with
> openssl, OR any other tool?

A simple way to do this is to create a file, mount it, then encrypt it
with openssl after it's unmounted, and remove the unencrypted file.

    # truncate -s 30m /tmp/file
    # mdconfig -a -t vnode -f /tmp/file -u 10
    # newfs_msdos /dev/md10
    # mount -t msdosfs /dev/md10 ...
    # umount /dev/md10
    # openssl enc -bf < /tmp/file > /tmp/file.encrypted
    enter bf-cbc encryption password:********
    Verifying - enter bf-cbc encryption password:********
    # rm -f /tmp/file

This has the advantage that, if you use a file as a `block device' that
holds a single FAT filesystem, without any partitions at all, you can
then use it in other operating systems too, e.g. in Solaris you could
use openssl to decrypt the encrypted file, use lofiadm(1M) to create a
/dev/lofi/XXX device and mount it as a FAT filesystem too. This is not
as safe as using GELI or GBDE, though.
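The recipe in the reply above, carried through as a small sh script. This is an added example, not code from Giorgos's message or from the FreeBSD project. It assumes FreeBSD with md(4) for the create/open/close functions (they need root; the unit number and the image and mount-point paths are placeholders chosen by the caller), an openssl(1) that understands -pbkdf2 (OpenSSL 1.1.1 or later), and a passphrase kept in a file. It adds the steps the mailing-list recipe leaves implicit: the md device is detached before the plaintext image is removed (while the unit exists, the cleartext filesystem is still readable through /dev/mdN even after the backing file has been unlinked), the plaintext is overwritten with rm -P rather than merely unlinked, and AES-256 with salted PBKDF2 key derivation replaces Blowfish with the legacy single-pass derivation.

```shell
#!/bin/sh
# Added example (not from the original message).  File-backed encrypted
# volume on FreeBSD following the recipe in the reply, with the steps it
# leaves implicit.  Assumptions: FreeBSD with md(4) for create/open/close
# (root needed); an openssl(1) that supports -pbkdf2 (OpenSSL 1.1.1+);
# image, mount-point and passphrase-file paths chosen by the caller.
#
# Usage (as root on FreeBSD):
#   unit=$(create_volume /tmp/vol.img 30m /mnt/secure)
#   ... copy files into /mnt/secure ...
#   close_volume "$unit" /mnt/secure
#   encrypt_volume /tmp/vol.img /root/vol.pass
#   discard_plaintext /tmp/vol.img
# and later:
#   decrypt_volume /tmp/vol.img.enc /root/vol.pass /tmp/vol.img
#   unit=$(open_volume /tmp/vol.img /mnt/secure)

set -eu

# Create a sparse image, attach it as an md(4) vnode device, put a single
# FAT filesystem on it (no partition table, so lofiadm/losetup on other
# systems can mount it directly) and mount it.  Prints the md unit name.
create_volume() {   # create_volume <image> <size> <mountpoint>
    truncate -s "$2" "$1"
    open_volume "$1" "$3" newfs
}

# Attach an existing image and mount it; with a third argument "newfs"
# the image is formatted first.  Prints the md unit name (e.g. md10).
open_volume() {     # open_volume <image> <mountpoint> [newfs]
    unit=$(mdconfig -a -t vnode -f "$1")
    if [ "${3:-}" = newfs ]; then
        newfs_msdos "/dev/$unit" >/dev/null
    fi
    mkdir -p "$2"
    mount -t msdosfs "/dev/$unit" "$2"
    echo "$unit"
}

# Unmount and detach.  The detach matters: while the unit exists, the
# plaintext filesystem is still readable through /dev/mdN even after the
# backing file has been rm'd.
close_volume() {    # close_volume <unit> <mountpoint>
    umount "$2"
    mdconfig -d -u "${1#md}"
}

# Encrypt <image> to <image>.enc: AES-256-CBC with a random salt and
# PBKDF2 key derivation instead of the single-pass legacy derivation that
# openssl enc uses when -pbkdf2 is absent.  The passphrase is read from a
# file so it never appears in ps(1) output or shell history.
encrypt_volume() {  # encrypt_volume <image> <passfile>
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass "file:$2" -in "$1" -out "$1.enc"
}

# Reverse of encrypt_volume.  A wrong passphrase normally fails the
# padding check ("bad decrypt"), but CBC carries no authentication tag:
# a ciphertext that was tampered with decrypts to garbage without error.
decrypt_volume() {  # decrypt_volume <image.enc> <passfile> <out>
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$2" -in "$1" -out "$3"
}

# Remove the plaintext image.  rm -P (FreeBSD) overwrites the file before
# unlinking; a plain rm leaves the cleartext blocks on the disk.  Call it
# only after close_volume, for the reason given there.
discard_plaintext() {   # discard_plaintext <image>
    rm -P -f "$1"
}
```

openssl enc provides confidentiality only. There is no integrity check, so a modified ciphertext decrypts to a corrupted filesystem with no error, which is one concrete reason the reply rates this below GELI (which can authenticate each sector with an HMAC) or GBDE. Nothing here protects the image while it is mounted either; the encrypted file is the only form that should leave the machine or go into a backup.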