-
Add the New Hard Drive
Install the new drive to the system as explained in Section 12.3. For the purposes of this example, a new hard
drive partition has been added as /dev/ad4s1c. The /dev/ad0s1* devices represent
existing standard FreeBSD partitions on the example system.
# ls /dev/ad*
/dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1
/dev/ad0s1 /dev/ad0s1c /dev/ad0s1f /dev/ad4s1c
/dev/ad0s1a /dev/ad0s1d /dev/ad4
-
Create a Directory to Hold gbde Lock Files
# mkdir /etc/gbde
The gbde lock file contains information that gbde requires to access encrypted partitions. Without access to
the lock file, gbde will not be able to decrypt the data
contained in the encrypted partition without significant manual intervention which is not
supported by the software. Each encrypted partition uses a separate lock file.
-
Initialize the gbde Partition
A gbde partition must be initialized before it can be used.
This initialization needs to be performed only once:
# gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c
gbde(8) will open your
editor, permitting you to set various configuration options in a template. For use with
UFS1 or UFS2, set the sector_size to 2048:
$FreeBSD: src/sbin/gbde/template.txt,v 1.1 2002/10/20 11:16:13 phk Exp $
#
# Sector size is the smallest unit of data which can be read or written.
# Making it too small decreases performance and decreases available space.
# Making it too large may prevent filesystems from working. 512 is the
# minimum and always safe. For UFS, use the fragment size
#
sector_size = 2048
[...]
gbde(8) will ask you
twice to type the passphrase that should be used to secure the data. The passphrase must
be the same both times. gbde's ability to protect your data
depends entirely on the quality of the passphrase that you choose.
The gbde init command creates a lock file for your gbde partition that in this example is stored as /etc/gbde/ad4s1c.
Caution: gbde lock files must be backed up together with the contents of any encrypted
partitions. While deleting a lock file alone cannot prevent a determined attacker from
decrypting a gbde partition, without the lock file, the
legitimate owner will be unable to access the data on the encrypted partition without a
significant amount of work that is totally unsupported by gbde(8) and its
designer.
-
Attach the Encrypted Partition to the Kernel
# gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c
You will be asked to provide the passphrase that you selected during the
initialization of the encrypted partition. The new encrypted device will show up in /dev as /dev/device_name.bde:
# ls /dev/ad*
/dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1
/dev/ad0s1 /dev/ad0s1c /dev/ad0s1f /dev/ad4s1c
/dev/ad0s1a /dev/ad0s1d /dev/ad4 /dev/ad4s1c.bde
-
Create a File System on the Encrypted Device
Once the encrypted device has been attached to the kernel, you can create a file
system on the device. To create a file system on the encrypted device, use newfs(8). Since it is
much faster to initialize a new UFS2 file system than it is to initialize the old UFS1
file system, using newfs(8) with the -O2 option is recommended.
Note: The -O2 option is the default with
FreeBSD 5.1-RELEASE and later.
# newfs -U -O2 /dev/ad4s1c.bde
Note: The newfs(8) command must
be performed on an attached gbde partition which is identified
by a *.bde extension to the
device name.
-
Mount the Encrypted Partition
Create a mount point for the encrypted file system.
# mkdir /private
Mount the encrypted file system.
# mount /dev/ad4s1c.bde /private
-
Verify That the Encrypted File System is Available
The encrypted file system should now be visible to df(1) and be available
for use.
% df -H
Filesystem Size Used Avail Capacity Mounted on
/dev/ad0s1a 1037M 72M 883M 8% /
/devfs 1.0K 1.0K 0B 100% /dev
/dev/ad0s1f 8.1G 55K 7.5G 0% /home
/dev/ad0s1e 1037M 1.1M 953M 0% /tmp
/dev/ad0s1d 6.1G 1.9G 3.7G 35% /usr
/dev/ad4s1c.bde 150G 4.1K 138G 0% /private
