Posts Tagged ‘encryption’

Encrypt ZFS drives on FreeNAS 0.7.2 (FreeBSD 7)

We recently had a break-in and found out about it when we were far from home. I worried about many things, among them the unencrypted files on my home NAS. Not that I have any state secrets buried, but the thought of having private e-mails, photos and so on in the hands of criminals just felt wrong. Fortunately the thieves left my computers, so I decided to do something about it.

I have an old NAS with FreeBSD 0.7.2 (no longer available) running FreeBSD 7. It does support encryption, albeit a bit manually. First I had to create a geli encryption key on the USB boot device:


umount /cf
mount -o rw /dev/da0a /cf
mkdir /cf/boot/keys
dd if=/dev/random of=/cf/boot/keys/nas.key bs=128k count=1

Next I destroyed the partition on the first disk to go and configured it for encryption with geli:


dd if=/dev/zero of=/dev/ad10 bs=512 count=10
geli init -b -K /cf/boot/keys/nas.key -s 4096 -l 256 /dev/ad10
geli attach -k /cf/boot/keys/nas.key /dev/ad10

Repeat with other drives (ad8 in this case) and create a mirror:


zpool create -m none nas-pool1 mirror /dev/ad10.eli /dev/ad8.eli

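Next edit /cf/boot/loader.conf so that the key file is loaded for each disk at boot. Because the disks were initialized with -b, geli then asks for the passphrases at boot time: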


geli_ad8_keyfile0_load="YES"
geli_ad8_keyfile0_type="ad8:geli_keyfile0"
geli_ad8_keyfile0_name="/boot/keys/nas.key"
geli_ad10_keyfile0_load="YES"
geli_ad10_keyfile0_type="ad10:geli_keyfile0"
geli_ad10_keyfile0_name="/boot/keys/nas.key"

Reboot and make sure it works, then add additional drives and resilver. Peace of mind restored!
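
When more drives are added, each one needs its own three keyfile lines in loader.conf, and a missing or mistyped line only shows up at the next reboot. The following script is an added example, not part of the original post: it generates the entries in the format shown above and checks a loader.conf for them. The function names geli_entries and check_loader_conf are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): generate and verify the
# geli keyfile entries in loader.conf for a list of disks.

# Print the three loader.conf lines for one disk, in the post's format.
geli_entries() {
    disk=$1 key=$2
    printf 'geli_%s_keyfile0_load="YES"\n' "$disk"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$disk" "$disk"
    printf 'geli_%s_keyfile0_name="%s"\n' "$disk" "$key"
}

# Return 0 only if every listed disk has all three entries and the
# _type value names the same disk; report each problem on stderr.
check_loader_conf() {
    conf=$1; shift
    rc=0
    for disk in "$@"; do
        for want in \
            "geli_${disk}_keyfile0_load=\"YES\"" \
            "geli_${disk}_keyfile0_type=\"${disk}:geli_keyfile0\""; do
            grep -qxF "$want" "$conf" || { echo "missing: $want" >&2; rc=1; }
        done
        # The key file must be given as an absolute path.
        grep -q "^geli_${disk}_keyfile0_name=\"/..*\"\$" "$conf" ||
            { echo "missing: key file path for $disk" >&2; rc=1; }
    done
    return $rc
}

# Constructed demo: a loader.conf fragment for the post's two disks.
demo=$(mktemp /tmp/loader.XXXXXX)
for d in ad8 ad10; do geli_entries "$d" /boot/keys/nas.key; done > "$demo"
check_loader_conf "$demo" ad8 ad10 && echo "loader.conf entries OK"
rm -f "$demo"
```

Run check_loader_conf against /cf/boot/loader.conf with the full list of disks before rebooting.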

Categories: FreeNAS

Changed default options for cryptsetup

I use encrypted USB disks for my personal backups. When I tried to mount a disk on a CentOS 6 host recently it failed. What had happened? It turned out that I had used the default options for cryptsetup and the defaults changed between the versions used in CentOS 5 and 6. To fix the problem I simply had to specify the old default values:

cryptsetup create -c aes-cbc-plain -s 256 -h ripemd160 usbbackup /dev/sdd

Perhaps it is better to avoid defaults anyway.

Categories: Linux