
Encrypted file system in file: recipe ready

There have already been many articles on Habr about how to transfer data securely, protect the channel, or encrypt data in a file. But storing data in a file is often inconvenient (for example, it is awkward to keep an SVN repository, or a maildir with mail, inside a single file).

Under the cut is another solution that I find very convenient, maybe it will be useful to someone else.

Why a file system rather than an archive? Because every program that works with files can use a file system directly. An archive would have to be unpacked, creating an unencrypted copy that you can then forget to delete. In short, an encrypted file system is the natural solution, while saving files with all their attributes into an encrypted archive is an artificial one. With that, let me end the lyrical part and get to the specifics.

Create a file with an encrypted file system


Load the kernel module geom_bde:
  # kldload geom_bde
or, to have it loaded automatically, add to /boot/loader.conf:
  geom_bde_load="YES"
Create the file itself (in my case, one megabyte):
  # dd bs=1024 count=1024 if=/dev/zero of=/mnt/nokia/virt-fs
Create a device backed by this file:
  # mdconfig -a -t vnode -f /mnt/nokia/virt-fs -u 0
Now we have the device /dev/md0.
Initialize the encryption:
  # gbde init /dev/md0
Here you will be asked to enter the password twice.
Note that this is the simplest way; gbde also allows more sophisticated protection using lock files and key files. If you are interested, see the man page.
Now the encrypted device has to be attached:
  # gbde attach /dev/md0
Enter the password again. If the password is wrong, nothing happens; if it is correct, the device /dev/md0.bde appears.
Create a file system on it:
  # newfs -U -O2 /dev/md0.bde
That's all; you can now take the whole structure down if you no longer need it (more details below):
  # gbde detach /dev/md0; mdconfig -d -u 0

Connecting


I think there will be no unfamiliar commands here:
  # mdconfig -a -t vnode -f /mnt/nokia/virt-fs -u 0
  # gbde attach /dev/md0
  # mount /dev/md0.bde /mnt-private
Now an encrypted file system is mounted at /mnt-private, stored in the file /mnt/nokia/virt-fs, and any program can use it (by the way, symlinks rule!).

Disconnecting


It is even simpler here:
  # umount /mnt-private
  # gbde detach /dev/md0
  # mdconfig -d -u 0
Note that if one of these commands fails (for example, the file system is busy and cannot be unmounted), the remaining ones will not work either. This must be taken into account when writing a connect/disconnect script.
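A connect/disconnect script of the kind mentioned above, written here as an added example (not from the original post): each step is checked, and when a step fails the steps already performed are undone, so no half-attached state is left behind. It assumes the article's paths (/mnt/nokia/virt-fs, /dev/md0, /mnt-private); the RUN variable is a hypothetical dry-run hook of this example, not a gbde or mdconfig feature.

```sh
#!/bin/sh
# Attach/detach wrapper for the gbde-in-a-file setup from the article.
# Assumptions (taken from the article): image /mnt/nokia/virt-fs, md unit 0,
# mount point /mnt-private. Override them via the environment if needed.
IMAGE=${IMAGE:-/mnt/nokia/virt-fs}
UNIT=${UNIT:-0}
MOUNTPOINT=${MOUNTPOINT:-/mnt-private}
# Set RUN=echo to preview the commands without touching any devices.
RUN=${RUN:-}

# Each step is checked; if a later step fails, the earlier ones are undone so
# no half-attached state (md device without a mounted file system) is left.
attach_private() {
    $RUN mdconfig -a -t vnode -f "$IMAGE" -u "$UNIT" || return 1
    # gbde attach prompts for the password; a wrong one makes it fail.
    if ! $RUN gbde attach "/dev/md$UNIT"; then
        $RUN mdconfig -d -u "$UNIT"
        return 2
    fi
    if ! $RUN mount "/dev/md$UNIT.bde" "$MOUNTPOINT"; then
        $RUN gbde detach "/dev/md$UNIT"
        $RUN mdconfig -d -u "$UNIT"
        return 3
    fi
}

# Tear-down in reverse order. If umount fails (file system busy), stop
# immediately: detaching gbde or the md device under a mounted fs is not safe.
detach_private() {
    $RUN umount "$MOUNTPOINT" || return 1
    $RUN gbde detach "/dev/md$UNIT" || return 2
    $RUN mdconfig -d -u "$UNIT" || return 3
}

if [ $# -gt 0 ]; then
    case "$1" in
        attach) attach_private ;;
        detach) detach_private ;;
        *) echo "usage: $0 attach|detach" >&2; exit 64 ;;
    esac
fi
```

Run it as `./private.sh attach` and `./private.sh detach`; the non-zero return code tells you which step failed.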

That's all


Now, if an adversary steals my Nokia, nothing in the virt-fs file can be made out.

Good luck to everyone, and keep your private data safe!

Source: https://habr.com/ru/post/76643/
