Installing FreeBSD 9.1 with Root Partition Encryption

“If you have paranoia, this does not mean that you are not being followed” © Folk Wisdom
Having read the post "How I implemented the first rule of doing business in Russia", I had this question:
What if a company develops a software product (SaaS), and development requires local develop and stage servers? What happens if an "attacker" gets physical access to the disks, and how do we avoid handing him the source code of all our projects? And if we deploy code to production through scripts, Chef or Puppet, then we also hand over all access to the production environments.

The answer is obvious: encrypt everything of value. But as we all know, there are tons of encryption options, from encrypting individual files and creating crypto containers (for example TrueCrypt) to full disk encryption.

You may say, "so you break the rule yourself and keep your local servers in the office?" I agree, but with a reservation. For comfortable development, the closer the source code, the better; and given the Internet speeds that legal entities in the regions can get for a reasonable price, keeping the develop and stage servers somewhere far away leads to excruciating pain. Here I am talking about a scheme in which there is no source code on the development machines: all code lies on the develop server's network share. And in general, ping to the outside and ping within a local gigabit network are rather different things.

So, let's start encryption.

Given: server on FreeBSD.
Task: encrypt all partitions.

Encryption schemes

What encryption options are there?
  • File system encryption (e.g. ZFS)
  • Third party encryption
  • Native FreeBSD mechanisms that work with any file system: gbde and geli.

Let us spell out the conditions our scheme must satisfy:
  1. Transparent encryption of the entire disk
  2. No external media for storing keys or loading the kernel
  3. Minimal hardware requirements

One can say that the second point reduces the cryptographic strength of the system, because we voluntarily give up key files (leaving only the password) and give up the flash drive, which could be quickly pulled out of the server if necessary.

That's right, but if we use virtualization, then in the general case, we need a flash drive for each virtual machine, which is a little sad.
ZFS requires quite a lot of resources for its work, which contradicts the third point of the conditions.

So we choose the most universal and native option for the system, namely encryption of partitions using geli. You can read more about geli in the handbook.

Note:
When using this scheme, make sure you have console access to the server. For remote servers, a KVM or an equivalent is mandatory. This is because the system will ask for the password of the encrypted partition at boot!

System preparation and installation

First, we need an operating system image (I used the FreeBSD 9.1 x64 image). We boot and start the installation.

Starting with FreeBSD 9, the familiar sysinstall has been replaced by bsdinstall. This fact makes installation with disk encryption a little easier, mainly because the loaded environment is easier to use than on previous versions of the system, for example, the required kernel modules are loaded automatically.

  • In the "Welcome" menu, select "Install"
  • Choose a keyboard layout
  • Specify the host name
  • Select the required system components. (I add the source code, because the kernel has to be rebuilt anyway)
  • Next, in the "Partitioning" menu, select "Shell"

Disk partitioning

The disk we install the system on is 'da0'. We will use GPT partitioning.

Kernel modules are loaded automatically at the moment when we need them, so we can skip loading the geli module and immediately proceed to partition the disk and create a crypto partition. Here is what we have to do:
  1. Create GPT Partitioning Scheme
  2. Create boot block
  3. Create and format boot partition
  4. Create a swap partition (if one is needed), and yes, it will also be encrypted
  5. Create and initialize the main encrypted partition
  6. Format encrypted partition
  7. Mount file systems in /mnt
  8. Continue installation

1. Create the GPT partitioning scheme

First, delete all partitions and create a GPT partitioning scheme:
# gpart destroy -F da0
# gpart create -s gpt da0

2. Create a boot block

We create a partition of type "freebsd-boot" with a size of 64 KB and install the bootloader.

Important:
Currently the partition must not be larger than 512K. This is due to limitations of the boot loader code.

# gpart add -t freebsd-boot -s 64k -l gpboot da0
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da0

3. Create and format the boot partition

Create a 1-gigabyte boot partition with the label boot:
# gpart add -t freebsd-ufs -s 1g -l boot da0

Create a file system on the partition. The -U flag enables soft updates on the partition. Whether to use soft updates or not is up to you; there are arguments for and against.
# newfs -U gpt/boot

4. Creating a swap partition

Create a 4 gigabyte partition
# gpart add -t freebsd-swap -l swap -s 4g da0

5. Creating and initializing an encrypted volume

In the remaining space, create the main partition:
# gpart add -t freebsd-ufs -l enc da0

Note: this is not a UFS volume, it is a geli volume.

Initialize the geli volume:
# geli init -b gpt/enc

Geli will ask for a password to access the partition.

Attach the encrypted partition:
# geli attach gpt/enc

6. Format encrypted volume

# newfs -U gpt/enc.eli

Note that here we specify '.eli'!

7. Mount file systems in /mnt

Mount an encrypted volume
# mount /dev/gpt/enc.eli /mnt

Since we have a separate boot partition, the /boot directory must end up on that boot partition during installation:
# mkdir /mnt/boot2
# mount /dev/gpt/boot /mnt/boot2
# mkdir /mnt/boot2/boot
# cd /mnt
# ln -s boot2/boot boot

We make a copy of the geli metadata for possible recovery. For now we put it in a specially created folder; after the system is installed, it is recommended to move these files to external media.
# mkdir gelibackups
# cp /var/backups/* gelibackups

8. Continue the installation

# exit

After that, the system installation process will start. Time to have a cup of coffee, tea or other drinks.

After installation, we will be asked to enter the root password, configure the network, create users.

When “Manual Configuration” appears on the screen, you will be prompted to open a “Shell” to make changes to the newly installed system. We agree. This gives us a chroot console inside the installed system.

Configuration files

The files we need to edit are fstab(5), loader.conf(5) and rc.conf(5).

loader.conf

# vi /boot/loader.conf

Add the following lines:
geom_eli_load="YES"
vfs.root.mountfrom="ufs:/dev/da0p4.eli"

Note:
If you did not create a swap partition, the encrypted volume will probably be ad0p3.eli. You must also enclose the path to the GPT partition on the second line in quotes; if you do not, the file will not be processed correctly by the system.

fstab

# vi /etc/fstab

Add the following lines:
/dev/gpt/enc.eli  /        ufs    rw,noatime    1    1
/dev/gpt/boot     /boot2   ufs    rw,noatime    1    1
/dev/gpt/swap.eli none     swap   sw            0    0

rc.conf

# vi /etc/rc.conf

To encrypt the swap partition, add the following line from the handbook:
geli_swap_flags="-e blowfish -l 128 -s 4096 -d"
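
Before leaving the chroot shell, loader.conf and fstab can be checked against the scheme described above, since a mistake in either leaves the system unbootable or part of the disk unencrypted. The sh function below is an added example, not part of the original article; the name check_geli_config is hypothetical, the sample files are constructed from the lines shown above, and /boot2 is assumed to be the only mount that is allowed to stay unencrypted.

```shell
#!/bin/sh
# Added example: consistency check for the edited loader.conf and fstab.
# Returns the number of findings, so 0 means the files agree with the scheme.
check_geli_config() {
    loader=$1; fstab=$2; bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    # The geli class has to be loaded before the kernel mounts root.
    grep -q '^geom_eli_load="YES"' "$loader" ||
        fail "geom_eli_load=\"YES\" is missing"

    # The root device must be quoted and must be the .eli provider.
    root=$(sed -n 's/^vfs\.root\.mountfrom="ufs:\(.*\)"$/\1/p' "$loader")
    case $root in
        *.eli) ;;
        "")    fail "vfs.root.mountfrom is missing or not quoted" ;;
        *)     fail "vfs.root.mountfrom points at plaintext $root" ;;
    esac

    # fstab must mount / from a .eli device ...
    awk '$1 !~ /^#/ && $2 == "/" && $1 ~ /\.eli$/ { ok = 1 } END { exit !ok }' \
        "$fstab" || fail "no encrypted / entry in fstab"

    # ... and nothing except the boot partition may use a plain device.
    for dev in $(awk '$1 !~ /^#/ && NF >= 3 && $1 !~ /\.eli$/ &&
                      $2 != "/boot2" { print $1 }' "$fstab"); do
        fail "$dev is used without geli"
    done
    return "$bad"
}

# Constructed sample: the two files exactly as the article writes them.
demo_dir=$(mktemp -d)
cat > "$demo_dir/loader.conf" <<'EOF'
geom_eli_load="YES"
vfs.root.mountfrom="ufs:/dev/da0p4.eli"
EOF
cat > "$demo_dir/fstab" <<'EOF'
/dev/gpt/enc.eli  /        ufs    rw,noatime    1    1
/dev/gpt/boot     /boot2   ufs    rw,noatime    1    1
/dev/gpt/swap.eli none     swap   sw            0    0
EOF
check_geli_config "$demo_dir/loader.conf" "$demo_dir/fstab" && echo "config OK"
```

In the installer's chroot shell the call would be check_geli_config /boot/loader.conf /etc/fstab, run before typing exit.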


This completes the setup.
In the console, type:
# exit

and select "Reboot".

The goal is achieved. We now have a completely encrypted disk, from which no information can be obtained without knowing the password.
From now on, when the system boots, the console will prompt for the password to the encrypted partitions. In our case, this is the root partition.

The following resources were used when writing this article:
FreeBSD Handbook
Installing FreeBSD 9.0 with encrypted root fs (all ufs)
Disk Setup On FreeBSD