Configuring OpenBSD svnd for Encrypted Volumes

I have covered just about everything possible for drive encryption in OpenBSD. My last post is on using the least recommended option for encrypted volumes. It is slower, unsupported, and unfortunately the best option for seamless operations :) The best way to think about svnd: if you have used TrueCrypt, it is very similar in that you create an image file rather than encrypting the entire partition. Using some fancy linking and auto mounts you can use it for hosting your /home, /tmp and others. The instructions are below, but unlike the last howto they assume your system is already installed. This is because svnd does not require you to modify the system prior to install, so it can be a good security implementation to use if you are already up and running:

1. Create a salt file of random data that we will later use to encrypt the volume. I put mine in /etc/saltmine, but you can place it anywhere.

2. We need to set up a volume to encrypt. I am going to assume you are using this to encrypt your /home directory, but the same instructions work for any directory you might want to protect. This example assumes a 1GiB file. Enter the command: dd if=/dev/zero of=/home_crypt bs=1m count=1024

3. With the image file created we can tell svnd to encrypt the volume and associate it with a dev node. In the command you will see that we specify the number of rounds with -K and our salt file with -S. Note the svnd1 device and the -K and -S values, as they will be needed again to mount: vnconfig -v -c -K 1440 -S /etc/saltmine svnd1 /home_crypt

4. Now we initialize a blank MBR on the image: fdisk -iy svnd1

5. We need to create a filesystem so that we can mount and copy our preexisting data across. This will look very much like your install process when you began. For more information on how to use disklabel, reference the man pages. The key here is that we issue: disklabel -E svnd1

6. Now we create the filesystem: newfs /dev/rsvnd1a

7. In order for us to mount this as our home drive we must move our preexisting data: mv /home /home.orig

8. Create a home directory and mount your svnd image: mkdir /home && mount /dev/svnd1a /home
   There you have it. You can rsync your data back from your prior home folder with: rsync -av /home.orig/* /home

9. Now let's walk through unmounting the file. The difference from unmounting a standard drive is that we have two steps, unmounting and removing the association with the svnd file: umount /home && vnconfig -v -u /dev/svnd1

10. To ensure that on reboot you are automatically prompted for the password before logging in (and therefore keeping your /home intact) we need to edit /etc/rc.local. What we do here is automate the vnconfig command from earlier.

11. Just as we mount on startup, we want to unmount on shutdown. Edit the /etc/rc.shutdown file and ensure the umount commands and the removal of the svnd association are present.

12. On reboot you will be stopped until you enter your passphrase from earlier. Success!
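
Steps 10 and 11 describe the /etc/rc.local and /etc/rc.shutdown edits without showing them. One way to write them, as an added example that is not from the original post: it reuses the values from steps 1 to 8, and the function names and the DRYRUN switch are assumptions of this example.

```sh
#!/bin/sh
# Added example (not the post's code): helpers for /etc/rc.local and
# /etc/rc.shutdown, using the values from the steps above.
IMG=${IMG:-/home_crypt}       # image file from step 2
SALT=${SALT:-/etc/saltmine}   # salt file from step 1
ROUNDS=${ROUNDS:-1440}        # -K value from step 3
VND=${VND:-svnd1}             # device node from step 3
MNT=${MNT:-/home}             # mount point from step 8
# Assumption of this example: DRYRUN=1 prints each command instead of
# running it, so the sequence can be reviewed before it goes into rc.local.
DRYRUN=${DRYRUN:-1}

run() {
    if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# rc.local side: attach (vnconfig prompts for the passphrase), check, mount.
svnd_attach() {
    [ -f "$IMG" ]  || { echo "missing image: $IMG" >&2; return 1; }
    [ -f "$SALT" ] || { echo "missing salt file: $SALT" >&2; return 1; }
    run vnconfig -v -c -K "$ROUNDS" -S "$SALT" "$VND" "$IMG" || return 1
    # If the filesystem check fails, drop the association instead of
    # mounting, so /home is never backed by an unusable device.
    if ! run fsck -p "/dev/r${VND}a"; then
        run vnconfig -v -u "/dev/$VND"
        return 1
    fi
    run mount "/dev/${VND}a" "$MNT"
}

# rc.shutdown side: unmount first, then remove the association (step 9).
svnd_detach() {
    run umount "$MNT" && run vnconfig -v -u "/dev/$VND"
}

# Usage: DRYRUN=0 sh this-file attach   (or: detach)
case "${1:-}" in
    attach) svnd_attach ;;
    detach) svnd_detach ;;
esac
```

With DRYRUN left at 1 the functions only print the command sequence; set DRYRUN=0 once the output matches what you typed by hand in steps 3, 8 and 9.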

—- Great tip from David @ www.davidkrause.com —-

I can’t seem to leave a comment on your article but fstab has support for encrypted svnds.  Then you don’t have to pass so many options to vnconfig.

For example:

/home/mnt/mydir /dev/svnd1c vnd rw,-K=20000,-S=/home/mnt/mydir.slt 0 0

/dev/svnd1a /home/mydir ffs rw,sync,noauto,nodev,nosuid 0 0

Then you can run:

mount /home/mnt/mydir

mount /home/mydir

I have some local changes to /etc/rc and /etc/rc.shutdown to make this nicer though.  Without this the boot will hang until the key is entered, but some people might want that.  Then the second part does the fsck and mounts the final partition since it’s noauto.

David

— rc  Thu Jan 20 01:29:49 2011

+++ /etc/rc     Tue Jan 18 00:37:59 2011

@@ -495,7 +495,13 @@

fi

echo ‘.’

-mount -a

+echo “Press Control-C within the next 10 secounds to mount vnd.”

+sleep 10

+if [ $? -eq 0 ]; then

  •       mount -a -t novnd

+else

  •       mount -a

+fi

swapctl -A -t noblk
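
Review bot: The "if [ $? -eq 0 ]" test right after "sleep 10" only works if Control-C terminates sleep alone and the script keeps running; nothing in this hunk traps INT, so unless /etc/rc handles it elsewhere, an interrupt at the prompt can abort the boot script instead of reaching the "mount -a" branch. Consider setting a flag from an explicit INT trap around the sleep and testing that flag rather than $?. The prompt also misspells "seconds", and it should say that the default after the timeout is "mount -a -t novnd", meaning the vnd entries are skipped.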

@@ -564,6 +570,17 @@

fi

done

fi

+

+# mount any vnd-backed filesystems (must be after dev_mkdb runs)

+for vnd in `vnconfig -l | fgrep covering | cut -d: -f1`; do

  •       for vndpart in `grep ^/dev/s$vnd /etc/fstab | awk ‘{ print $1 }’`; do

  •               echo “mounting vnd $vndpart”

  •               fsck -p $vndpart

  •               if [ $? -eq 0 ]; then

  •                       mount $vndpart

  •               fi

  •       done

+done

[ -f /etc/rc.securelevel ] && . /etc/rc.securelevel

if [ X”${securelevel}” != X”” ]; then
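
Review bot: In the inner loop, the pattern in "grep ^/dev/s$vnd /etc/fstab" is unquoted and matches by prefix, so for vnd1 it also selects fstab entries for svnd10 and above. Quote the pattern and anchor it on the partition letter, for example "^/dev/s${vnd}[a-p]". In the same loop, a failing "fsck -p $vndpart" skips the mount without any message; echo the failure so a missing filesystem after boot can be traced back to this step.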
