Topic: CryptoGraphicFile (CGF), or how to keep sensitive data on your laptop

This Howto has been written by Hubert Feyrer. I am just pasting it here so we keep it in our archive as I find it _very_ interesting!

CryptoGraphicFile (CGF), or how to keep sensitive data on your laptop
OK, a friend of mine blogged the other day about setting up encrypted disk on FreeBSD, which reminded me of this thing I'm using on my laptop to carry sensitive things like SSH keys, my address database etc. which I've come up with I went to the USA for a few months last year.

After reading the CGD chapter of the NetBSD Guide I had a rough idea on how to do the whole thing on a disk partition, but I wanted to keep everything in a file so I would not have to re-partition my laptop. Ignoring the Guide's warning that cgd(4) on vnd(4) doesn't work (and proving it wrong, for me :-), I've used vnd(4) happily since for the task.

Below, I'll outline the tasks for
setting up my "CryptoGraphicFile" (CGF) using cgd-in-vnd,
what to do to use the data
what to do to stash things away again

1) Setting up my CryptoGraphicFile (CGF)

Decide on a place for the actual data and the amount of data you want to protect. "du -sm ~/.ssh ~/.gnupg" tells me that 10MB is plenty, and I'll use these values here.

# base=$HOME/S
# size=10

Also, the (decrypted) data will be mounted on /secure.

The first step of creating a $size MB big file and making it accessible as vnd(4) device is pretty easy:

# dd if=/dev/zero of=$base bs=1m count=$size
10+0 records in
10+0 records out
10485760 bytes transferred in 0.479 secs (21890939 bytes/sec)
# chmod go-rwx $base
# vnconfig vnd0 $base

Next we create a parameter file for cgd(4). We use AES encryption with 256 bit:

# cgdconfig -g -V disklabel -o $base.cgd aes-cbc 256

If this step fails with

cgdconfig: could not calibrate pkcs5_pbkdf2
cgdconfig: Failed to generate defaults for keygen

make sure that you have enough bits of entropy available for /dev/random. Just open up an xterm and run something like "ls -lR /" in it.

Next, the disk can be configured and newfs'd. This is the step where the password for the CGF is set, and you'd better not forget this:

# cgdconfig -V re-enter cgd0 /dev/vnd0a $base.cgd
/dev/vnd0a's passphrase:
re-enter device's passphrase:
# newfs /dev/cgd0a
/dev/cgd0a: 10.0MB (20480 sectors) block size 4096, fragment size 512
using 4 cylinder groups of 2.50MB, 640 blks, 1184 inodes.
super-block backups (for fsck_ffs -b #) at:
32,  5152, 10272, 15392,

Now the CGF can be mounted:

# mount /dev/cgd0a /secure
# df -h /secure
Filesystem    Size      Used     Avail Capacity  Mounted on
/dev/cgd0a    9.4M     512B      8.9M     0%    /secure
# ls /secure

Of course there's nothing on the newly created CGF. Let's undo things for the first-time configuration to finish our first step:

# umount /secure
# cgdconfig -u cgd0
# vnconfig -u vnd0

If you get a "Filesystem busy" in the first step, remember to "cd /". smile

We have created a filesystem inside a disk-file in $HOME/S in this step. The file is protected by a password which needs to be entered when used. Security of the data in that filesystem depends on this password alone, e.g. if this is on your laptop and the laptop's stolen, so make sure you use something non-trivial!

2) Using the encrypted data

After we have created a secure filesystem inside a file in $HOME/S now, we can configure it for using with the following steps:

# base=$HOME/S
# vnconfig vnd0 $base
# cgdconfig -V none cgd0 /dev/vnd0a $base.cgd
# fsck -p /dev/cgd0a
# mount /dev/cgd0a /secure

The cgdconfig-command above will ask for the password. Be sure to enter the same one that you gave it during the steps above!

After these steps, /secure is accessible again, and will be so until you shutdown the system or unconfigure it as shown below.

Before repeating how to unconfigure the CGF, the disk should probably be populated with a few precious files. To still make the files accessible in a transparent way (when /secure is mounted!), symlinks can be used. E.g the following will put an especially precious SSH key onto this secure file:

# mv ~feyrer/.ssh/important_key /secure
# ln -s /secure/important_key ~feyrer/.ssh

With appropriate SSH configuration, I will be able to use that key only when /secure is mounted. If it's not: bad luck. (Of course this whole example is somewhat artificial as you could just trust your key to a proper passphrase as well, but well smile.

Other examples I've used this with is are PGP keys, my private addres database, calendar and some other files I prefer to have near me when traveling.

3) What to do to stash things away again

To make things safe again, either shutdown the system, or run these steps:

# umount /secure
# cgdconfig -u cgd0
# vnconfig -u vnd0

Of course the steps to configure/unconfigure the CGF can be put into shell scripts (which I've done; I should probably make a package out of this...) for easy automation.

One such place where the above commands can be very handy is when suspending a laptop via APM: Place them into /etc/apm/suspend, and you won't have to worry about your files when your laptop is in suspended state. When you need your secured files again, a script with the commands noted under 2) can be run.

I'm using this setup on my laptop, and I'm quite happy with things that way. Maybe you will be, too!

<wintellect> NetBSD users are smart enough to accept that there's no 3D support tongue

Re: CryptoGraphicFile (CGF), or how to keep sensitive data on your laptop

On a related note, you might find this link interesting: Hard Disk Encryption with FreeBSD. There's also a video of the event..

Re: CryptoGraphicFile (CGF), or how to keep sensitive data on your laptop

Also wanted to say that you have to add cgd support to the netbsd kernel in order to get this working.

Thanks once again to Hubert smile

<wintellect> NetBSD users are smart enough to accept that there's no 3D support tongue