Hi all,

I'm looking for a way to recreate the functionality of PGP Disk (under Win32). Basically, create an encrypted file, which contains a filesystem which can then be mounted in any mount point.

I know I can use GELI in FreeBSD 6 - as I understand, it performs the encryption at the partition level (the whole partition is encrypted). I'd like to be able to simply unmount my 'secure volume', and be able to back it up as a whole, or move it to another computer without having to repartition the destination. I think GELI wouldn't be good for this.

I think I've read somewhere that you could use openssl to generate an encrypted volume and then mount it. I searched for a while and can't find any reference to this. Does anyone know how to do this with openssl, OR any other tool?

Thanks in advance,
Beto
On Mon, Jan 23, 2006 at 09:39:52AM +1100, Norberto Meijome wrote:
> Hi all,
> I'm looking for a way to recreate the functionality of PGP Disk (under
> Win32). Basically, create an encrypted file, which contains a filesystem
> which can then be mounted in any mount point.
>
> I know I can use GELI in FreeBSD 6 - as I understand, it performs the
> encryption at the partition level (the whole partition is encrypted).
> I'd like to be able to simply unmount my 'secure volume', and be able to
> back it up as a whole, or move it to another computer without having to
> repartition the destination. I think GELI wouldn't be good for this.

GELI or GBDE are probably what you're looking for, you just need to use mdconfig to create a vnode (file) backed disk image which you will encrypt and then create a file system on.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
--- Norberto Meijome <freebsd@meijome.net> wrote:
> openssl, OR any other tool?

I have heard of gbde(8), which might be a few years older than geli(8)...

-Arne
On 2006-01-23 09:39, Norberto Meijome <freebsd@meijome.net> wrote:
> Hi all,
> I'm looking for a way to recreate the functionality of PGP Disk (under
> Win32). Basically, create an encrypted file, which contains a
> filesystem which can then be mounted in any mount point.
>
> I know I can use GELI in FreeBSD 6 - as I understand, it performs the
> encryption at the partition level (the whole partition is encrypted).
> I'd like to be able to simply unmount my 'secure volume', and be able
> to back it up as a whole, or move it to another computer without
> having to repartition the destination. I think GELI wouldn't be good
> for this.

If the destination computer runs FreeBSD too, you shouldn't need to repartition at all.

> I think I've read somewhere that you could use openssl to generate an
> encrypted volume and then mount it. I searched for a while and can't
> find any reference to this. Does anyone know how to do this with
> openssl, OR any other tool?

A simple way to do this is to create a file, mount it, then encrypt it with openssl after it's unmounted and remove the unencrypted file.

  # truncate -s 30m /tmp/file
  # mdconfig -a -t vnode -f /tmp/file -u 10
  # newfs_msdos /dev/md10
  # mount -t msdosfs /dev/md10 ...
  # umount /dev/md10
  # openssl enc -bf < /tmp/file > /tmp/file.encrypted
  enter bf-cbc encryption password:********
  Verifying - enter bf-cbc encryption password:********
  # rm -f /tmp/file

This has the advantage that, if you use a file as a `block device' that holds a single FAT filesystem, without any partitions at all, you can then use it in other operating systems too, e.g. in Solaris you could use openssl to decrypt the encrypted file, use lofiadm(1M) to create a /dev/lofi/XXX device and mount it as a FAT filesystem too. This is not as safe as using GELI or GBDE though.
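The file-backed GELI volume that Brooks describes (mdconfig vnode image, then geli, then a filesystem), written out as a complete script. This is an added example for this thread, not code posted by any of the participants, and the image path, mount point, size and md unit number are hypothetical defaults. Compared with the openssl-on-the-raw-file approach above it has three properties a practitioner will care about: the image is never present on disk in cleartext (with the openssl variant the plaintext file exists until it is deleted, and rm does not overwrite it), the passphrase goes through PBKDF2 rather than the single MD5 pass that `openssl enc` uses to derive its key, and every sector gets its own IV rather than the whole image being one CBC stream. GELI keeps its metadata (including the passphrase-encrypted master key) in the last sector of the provider, so it travels inside the image file; the volume can be copied to any other FreeBSD host and opened there with the same commands, with no repartitioning. DRY_RUN=1 prints the commands instead of executing them, which is also what the self-check below exercises, since the real thing needs root on FreeBSD.

```shell
#!/bin/sh
# Added example, not code from the thread: a file-backed GELI volume on
# FreeBSD following the mdconfig + geli suggestion. Needs root and
# geom_eli. All defaults below are hypothetical; override via environment.

IMAGE=${IMAGE:-/var/crypt/secure.img}   # the portable "secure volume" file
MNT=${MNT:-/mnt/secure}                 # where the decrypted filesystem mounts
SIZE=${SIZE:-256m}                      # truncate(1) size argument
MD_UNIT=${MD_UNIT:-10}                  # md(4) unit; check `mdconfig -l` first
DRY_RUN=${DRY_RUN:-0}                   # 1: print the commands instead of running

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time creation: sparse image -> md device -> geli provider -> UFS.
# geli init prompts for the passphrase. Its metadata sits in the last
# sector of /dev/mdN, i.e. inside the image file, so the file alone is a
# complete backup of the volume.
create_volume() {
    run truncate -s "$SIZE" "$IMAGE"
    run chmod 600 "$IMAGE"
    run mdconfig -a -t vnode -f "$IMAGE" -u "$MD_UNIT"
    run geli init -e aes -l 256 -s 4096 "/dev/md$MD_UNIT"
    run geli attach "/dev/md$MD_UNIT"
    run newfs -U "/dev/md$MD_UNIT.eli"
    run mkdir -p "$MNT"
    run mount "/dev/md$MD_UNIT.eli" "$MNT"
}

# Open an existing image, here or on another FreeBSD box after copying
# the file over. Refuses to proceed when the image is missing.
open_volume() {
    [ -f "$IMAGE" ] || { echo "no such image: $IMAGE" >&2; return 1; }
    run mdconfig -a -t vnode -f "$IMAGE" -u "$MD_UNIT"
    run geli attach "/dev/md$MD_UNIT"
    run mount "/dev/md$MD_UNIT.eli" "$MNT"
}

# Tear down in reverse order; afterwards the image can be copied or
# backed up as an opaque encrypted blob.
close_volume() {
    run umount "$MNT"
    run geli detach "/dev/md$MD_UNIT.eli"
    run mdconfig -d -u "$MD_UNIT"
}

# Keep a copy of the metadata sector outside the image: if that sector is
# lost or overwritten the master key is gone and the volume is unrecoverable.
# Run while the md device is attached (before close_volume).
backup_metadata() {
    run geli backup "/dev/md$MD_UNIT" "$IMAGE.geli-metadata"
}

case "${1:-}" in
    create) create_volume ;;
    open)   open_volume ;;
    close)  close_volume ;;
    backup) backup_metadata ;;
    *) ;;   # no argument: only define the functions (for sourcing)
esac
```

Usage as root: `sh secvol.sh create` once, then `open` / `close` around each use and `backup` to keep the metadata sector somewhere safe. Pick a free md unit with `mdconfig -l` if 10 is taken, and store the metadata backup separately from the image, since anyone holding both the image and the passphrase can open the volume regardless of which sector is intact.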