configuration
My installation testserver has the following hardware configuration:
ar0: IDE-RAID controller (RAID 5)
..with four SATA harddisks ad4, ad6, ad8 and ad10
ad14: SATA harddisk containing the system installation
da0: USB Stick - will contain the boot files and geli decryption key
As the operating system I am using the FreeBSD 6.1-RELEASE version. We will encrypt the ar0 RAID and use it as our main working system. In order to set it up we need a standard system which I installed on the single harddisk ad14. It won't be needed afterwards. As the final encrypted operating system will not be able to boot up by itself we need a memory-stick da0 containing the files which are needed for the booting process. The stick also contains the geli key which will be necessary for decrypting the filesystem.
The goal is to have an encrypted RAID-5 system which can only be booted up using a memory stick with a key and a password.
installation
First of all we clear all previous data we have on the ar0 harddisk.
# dd if=/dev/random of=/dev/ar0
WARNING: This will delete all data on the harddisk! Depending on the size of the disk this may take a while.
As we would like to use a key-file for the geli encryption we need to create this file first before initializing the geli container:
# mkdir /boot/keys
# dd if=/dev/random of=/boot/keys/ar0.key bs=128k count=1
The dd command creates a new file (ar0.key) of 128 KB filled with random data from /dev/random.
In a next step we initialize the geli container on the ar0 harddisk:
# geli init -b -K /boot/keys/ar0.key -s 4096 -l 256 /dev/ar0
The -b parameter specifies that a password is needed on bootup. The second parameter, -K, specifies the key file which is used for encryption, the one we have just created. The -s 4096 parameter increases the sector size, which really boosts encryption/decryption performance. The -l 256 parameter tells geli to use AES 256 encryption, which is the strongest currently supported. And finally /dev/ar0 is our RAID device. Type in your secret password and the initialization is completed.
Next, the device will be attached which creates the decrypted device with which we will work.
# geli attach -K /boot/keys/ar0.key /dev/ar0
We specify the location of the encryption key for attaching. Enter the password you chose during initialization and a new device /dev/ar0.eli will be created for you.
Ok, as we now have the decrypted device it's time to partition it:
# bsdlabel -w /dev/ar0.eli
# bsdlabel -e /dev/ar0.eli
The first command creates a standard label and the second one is used to specify the individual partitions to create. It will bring up an editor. The first column contains a single character. This is the partition's label. "c" is reserved for the complete disk and may not be changed. "b" is usually the swap partition. The second column specifies the size of the partition (in sectors). Note: We told geli during initialization to use 4096 bytes per sector. The offset needs to be calculated manually and is simply the sum of the sizes of the preceding partitions. In the fstype column you need to write 4.2BSD for all partitions except the swap partition (and the c partition of course!). The next two columns can be filled with a 0 in each one and in the last one we do not write anything. This will be completed by FreeBSD. Here is my configuration:
# /dev/ar0.eli
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:     512M        0    4.2BSD        0     0
  b:    2048M        *      swap
  c: 19544356        0    unused        0     0
  d:    4096M        *    4.2BSD        0     0
  e:    2048M        *    4.2BSD        0     0
  f:        *        *    4.2BSD        0     0
Note the * at the partition f: this will cause FreeBSD to use the rest of the available disk space for the final partition. The * in the offset column tells FreeBSD to calculate the offsets by itself based on the preceding partitions.
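If you prefer to enter sizes and offsets by hand, the arithmetic described above can be scripted. This is an added example, not part of the original post: the function name label_lines and its argument format are assumptions, and it uses the 4096-byte sector size and the 19544356-sector total from the listing above.

```sh
#!/bin/sh
# Added example: compute bsdlabel sizes and offsets in sectors.
# Usage: label_lines SECTOR_BYTES TOTAL_SECTORS name:fstype:sizeMB ...
# A size of "*" means "rest of the disk" and only makes sense last.
label_lines() {
    secsize=$1; total=$2; shift 2
    offset=0
    for spec in "$@"; do
        name=${spec%%:*}; rest=${spec#*:}
        fstype=${rest%%:*}; mb=${rest#*:}
        if [ "$mb" = "*" ]; then
            size=$((total - offset))
        else
            # Megabytes to sectors of the geli provider (4096 bytes here,
            # not the usual 512).
            size=$((mb * 1048576 / secsize))
        fi
        if [ "$size" -le 0 ] || [ $((offset + size)) -gt "$total" ]; then
            echo "partition $name does not fit" >&2
            return 1
        fi
        # Columns: partition, size, offset, fstype
        printf '%s: %s %s %s\n' "$name" "$size" "$offset" "$fstype"
        offset=$((offset + size))
    done
}

# The layout from this article, on the 19544356-sector ar0.eli device.
label_lines 4096 19544356 a:4.2BSD:512 b:swap:2048 \
    d:4.2BSD:4096 e:4.2BSD:2048 'f:4.2BSD:*'
```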
Now that we have the partitions it's time to create the filesystems:
# newfs /dev/ar0.elia
# newfs /dev/ar0.elid
# newfs /dev/ar0.elie
# newfs /dev/ar0.elif
installing operating system
The target harddisk is now partitioned and the filesystems have been created. Let's put the operating system on it. First we create a new directory:
# mkdir /fixed
This creates a new directory called "fixed" in the root directory. This directory will contain the target filesystem structure. Next, we mount the target root partition on fixed:
# mount /dev/ar0.elia /fixed
Then we create the following directories to create the desired structure:
# mkdir /fixed/var
# mkdir /fixed/tmp
# mkdir /fixed/usr
Now mount the previously created partitions to the new directories:
# mount /dev/ar0.elid /fixed/var
# mount /dev/ar0.elie /fixed/tmp
# mount /dev/ar0.elif /fixed/usr
It's time to copy the operating system files to the target filesystem. To do so we need to set an environment variable which is used by the install script to determine where to extract the OS files. Switch to the Bourne shell (/bin/sh), export the variable and switch back to csh:
# /bin/sh
# export DESTDIR=/fixed/
# /bin/csh
Ok, we are ready to install the files. Mount the CD-ROM drive (yes, insert your FreeBSD CD 1 now) and install!
# mount /cdrom
# cd /cdrom/6.1-RELEASE/base
# ./install.sh
FreeBSD 6.1 does not automatically install the kernel. So let's do it manually:
# cd /cdrom/6.1-RELEASE/kernels
# ./install.sh GENERIC
This will install the generic kernel on the encrypted geli device. If you have a multi-processor system you can use the SMP instead of the GENERIC kernel in the command above.
kbdmux and geli are enemies!
In the current version (FreeBSD 6.1-RELEASE) there is a major problem with the kbdmux keyboard multiplexer driver and geli. Either the keyboard or geli worked, but never both at the same time. Tomas Snackerstrom pointed out that problem in one of his precious comments. This brought me to the solution of removing the kbdmux driver from the generic kernel by compiling a custom one.
In the following few steps we will compile a custom kernel. If you have not installed the kernel sources do this now. You can find detailed explanations here.
First, we create a copy of the GENERIC kernel configuration file and alter it:
# cd /usr/src/sys/i386/conf
# mkdir /root/kernels
# cp GENERIC /root/kernels/PROPORTION
# ln -s /root/kernels/PROPORTION
This creates a new kernel configuration file called PROPORTION in root's home directory. Of course you can name the file whatever you like. Now alter the PROPORTION kernel configuration file with your favorite editor:
# vi PROPORTION
Put your kernel's name in the "ident" line, so you will recognize your custom kernel during boot-up. And most importantly: remove the line "device kbdmux". Save and close the file.
Now build and install the kernel:
# cd /usr/src
# make buildkernel KERNCONF=PROPORTION
# make installkernel KERNCONF=PROPORTION
This will take a while - especially building the kernel. Now that the kernel is built and installed we will copy it to the geli encrypted harddisk:
# cp -Rpv /boot/kernel /fixed/boot
configuring removable device
It's time to take care of the removable device which plays an important role in the whole installation. It contains the files which are essential for booting.
First of all we create a new slice on the device:
# fdisk -BI /dev/da0
WARNING: This will remove all data on the device. Make sure no important data is stored on it.
Next, we create the partition on the slice:
# bsdlabel -Brw /dev/da0s1
# bsdlabel -e /dev/da0s1
Again this will bring up an editor in which you can specify the desired partitions. This time we only create one single partition:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:   528600        0    4.2BSD        0     0
  c:   528600        0    unused        0     0
Create a new filesystem on the previously created partition and mount the filesystem so we can start putting the required files on it.
# newfs /dev/da0s1
# mount /dev/da0s1 /mnt
A couple of minutes ago we installed the base distribution on the encrypted target harddisk. As we are not able to boot from that disk we need to put the boot files on the removable (non-encrypted) medium:
# cp -Rpv /fixed/boot /mnt
Done. Now let's speed up the booting process by zipping the kernel and the two needed modules. Switch to the kernel's directory and zip it:
# cd /mnt/boot/kernel
# gzip kernel geom_eli.ko acpi.ko
To make sure we will be asked for the password at boottime we need to add the needed module to the /boot/loader.conf file:
# echo 'geom_eli_load="YES"' >> /mnt/boot/loader.conf
Now we also need to specify where to load the encryption key from during startup. First copy the keyfile to the USB stick:
# mkdir /mnt/boot/keys
# cp /boot/keys/ar0.key /mnt/boot/keys/
Second, specify the corresponding geli commands to load the key from the stick. This is also defined in the /boot/loader.conf file. Open it and add the following lines to it:
geli_ar0_keyfile0_load="YES"
geli_ar0_keyfile0_type="ar0:geli_keyfile0"
geli_ar0_keyfile0_name="/boot/keys/ar0.key"
We are almost there. The final step is to tell the kernel which filesystem to load. By creating the directory etc and putting the file fstab into it we can achieve this:
# mkdir /mnt/etc
# vi /mnt/etc/fstab
This opens up the editor and we can start specifying the filesystems. This needs to be the same structure we created on our target harddisk (see the similarities?):
# Device          Mountpoint   FStype   Options     Dump   Pass#
/dev/ar0.elib     none         swap     sw          0      0
/dev/ar0.elia     /            ufs      rw          1      1
/dev/ar0.elie     /tmp         ufs      rw          2      2
/dev/ar0.elif     /usr         ufs      rw          2      2
/dev/ar0.elid     /var         ufs      rw          2      2
/dev/acd0         /cdrom       cd9660   ro,noauto   0      0
I additionally added the cdrom. It is not mandatory but quite handy. Finally copy the fstab file to the target harddisk:
# cp /mnt/etc/fstab /fixed/etc/
Congratulations. Let's see if it works!
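Before shutting down, the stick can be checked against everything the steps above put on it, while it is still mounted on /mnt and the original key is still in /boot/keys. This is an added example, not part of the original post: the function name check_stick and the set of checks are assumptions derived from the loader.conf lines, key path, kernel files and fstab shown above.

```sh
#!/bin/sh
# Added example: pre-flight check of the boot stick while it is mounted.
# Usage: check_stick /mnt /boot/keys/ar0.key
# Prints one FAIL line per problem; exit status is the number of problems.
check_stick() {
    root=$1; srckey=$2; problems=0
    conf="$root/boot/loader.conf"
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    # Value of NAME=... in loader.conf, quotes stripped (last match wins).
    conf_get() {
        sed -n "s/^$1=//p" "$conf" 2>/dev/null | tr -d '"' | tail -n 1
    }

    [ -f "$conf" ] || fail "missing $conf"
    [ "$(conf_get geom_eli_load)" = "YES" ] ||
        fail "geom_eli_load is not YES"
    [ "$(conf_get geli_ar0_keyfile0_load)" = "YES" ] ||
        fail "geli_ar0_keyfile0_load is not YES"
    [ "$(conf_get geli_ar0_keyfile0_type)" = "ar0:geli_keyfile0" ] ||
        fail "geli_ar0_keyfile0_type is not ar0:geli_keyfile0"

    # The key path in loader.conf is relative to the stick's root.
    keypath=$(conf_get geli_ar0_keyfile0_name)
    if [ -z "$keypath" ]; then
        fail "geli_ar0_keyfile0_name is not set"
    elif [ ! -s "$root$keypath" ]; then
        fail "key file $keypath is missing or empty on the stick"
    elif ! cmp -s "$root$keypath" "$srckey"; then
        fail "key on the stick differs from $srckey"
    fi

    # Kernel and geli module may be plain or gzip-compressed.
    for f in kernel geom_eli.ko; do
        [ -f "$root/boot/kernel/$f" ] || [ -f "$root/boot/kernel/$f.gz" ] ||
            fail "boot/kernel/$f(.gz) is missing"
    done

    # The root filesystem must be the decrypted geli provider.
    awk '$1 == "/dev/ar0.elia" && $2 == "/" { ok = 1 } END { exit !ok }' \
        "$root/etc/fstab" 2>/dev/null || fail "fstab has no / on /dev/ar0.elia"

    return "$problems"
}
```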
testing
Now it's time to bring Frankenstein alive! Remove the installation CD and shut down the computer. Remove the operating system's harddisk (ad14), plug in the removable device and switch it on. If everything runs smoothly you will be prompted for the password during boot and afterwards the system will be booted.
Here are some problems I encountered afterwards:
Problem: The BIOS tells you that the operating system cannot be found.
Solution: Make sure your BIOS is capable of booting from removable devices such as USB sticks and check the BIOS boot-order settings.
Problem: I get multiple password prompts during bootup.
Solution: I played around with the geli init command before and initialized some other disks. You can kill those initializations by typing:
# geli kill /dev/adX
Where /dev/adX is the device concerned. This will kill the encryption keys! WARNING: Do not try this on the correct disk you've just created! (Well, unless the FBI is knocking on your door and you have a good reason for doing so).