How to Implement a Quick Encrypted /home Partition
by francisco roque

 

  1. Table of Contents

    1. Table of Contents
    2. Introduction
    3. Necessary Equipment
    4. Instructions
    5. Benchmarks
    6. Conclusion
    7. References
    8. Author, Copyright, License

     

  2. Introduction

    I have an old laptop that i carry around and needed an encrypted /home b/c i know i'll lose it sometime. Here are some easy steps for implementing such a system.

     

  3. Necessary Equipment

    A laptop running OpenBSD. Another, more secure system running OpenBSD.
    For the purpose of this document, 'supay' is the hostname of the laptop, 'viracocha' is the name of the more secure system.

    It is assumed that you know how to read manpages, compile kernels, patch files, and other simple unix tasks.

     

  4. Instructions

    Setting Up the Partition

    1. Backup your /home partition. My drive is real small so i had to remotely back it up:
      cd /
tar -zcvf - /home | ssh frisco@viracocha dd of=supay-home.tgz

    2. In single user mode, or with all other users logged out (and logged in as root), unmount /home, newfs it, mount it under a different partition name and create a large empty file in it, almost the size of the partition:
      umount /home
newfs /dev/rwd0g
mkdir /mnt/vnd
mount /dev/wd0g /mnt/vnd
#62mb file.  my /home was only 70m
dd of=/mnt/vnd/svnd0 bs=1048576 count=62

    3. Associate an encrypted vnode device with that file, newfs that device, mount it as /home and restore those files.
      vnconfig -ck svnd0 /mnt/vnd/svnd0
newfs /dev/rsvnd0c
mount /dev/svnd0c /home
ssh frisco@viracocha dd if=supay-home.tgz | tar -zxvf -

    4. Either automount the partition at bootup (human interaction will be necessary to enter that password), or put the following lines in a script and run them at first login.
      #!/bin/sh
vnconfig -k svnd0 /mnt/vnd/svnd0
mount /dev/svnd0c /home

     

    Handling Problems/Backing Up

    1. I don't mount it at boot time b/c often my battery drains, the laptop crashes and the partitions require some work to be cleaned. If this happens to you as well and you find that the partition is corrupt, these steps may restore your partition.
      First, configure the vnode (if not already done) and make sure you're using the right password, then use disklabel to reset c to 4.2BSD, finally fsck and mount the partition.
      vnconfig -ck svnd0 /mnt/vnd/svnd0
disklabel -E /dev/svdn0c
#type 'm a', enter '4.2BSD' for partition type,
#type 'w' to write new label and 'q' to quit
fsck /dev/rsvnd0c
mount /dev/svnd0c /home

      If that doesn't work then recreate the fs and restore from backup.

    2. Periodically copy the vnode file to a secure server so you have a good backup. You can use the above methods to verify the contents as well.
      scp /mnt/vnd/svnd0 frisco@viracocha:svnd0-supay
#ssh over to viracocha and do the following
vnconfig -ck svnd0 ~frisco/svnd0-supay
disklabel -E /dev/svnd0c   
#type 'm a', enter '4.2BSD' for partition type, 
#type 'w' to write new label and 'q' to quit
fsck /dev/rsvnd0c
mkdir /mnt/supay-home
mount /dev/svnd0c /mnt/supay-home
#/mnt/supay-home is your laptop's /home directory

      If these steps don't work for you then you will want to make sure you backup all the files in the /home partition, not just the vnode file.

     

  5. Benchmarks

    Benchmarks comparing vnd to straight disk IO were run as part of a separate project, located here.

     

  6. Conclusion

    Your laptop now has an encrypted /home partition. If someone steals it and shuts down the laptop, they will not be able to recover files from that partition until they crack your password. If they steal your laptop and you have a shell open, of course they'll have the rights of that shell. Be sure to always run a locking screensaver (that doesn't crash) as well as take other precautions (like keeping patches up to date).

     

  7. References

    References from this doc and for more info.

    Manpages:
    vnconfig(8), newfs(8), disklabel(8), fsck(8), dd(1)

    Other howto's and docs:
    OpenBSD Encrypted Virtual Filesystem Mini-HOWTO more generic than this, go read it now.
    deadly.org discussion about the above mini howto
    Encrypted filesystems? another discussion on deadly.org, covers some security issues with such implemenations (don't lock yourself into a false sense of security).
    Incan Gods and Goddesses - where i get the names for my machines from.

     

  8. Author, Copyright, License

    The author of this document is francisco roque, who can be found at
    http://www.blackant.net/

    This document is copyright francisco roque 2002.

    This document is released under BSD style license and may be used in whole or part for anything so long as this section remains intact.

    The author takes no responsibility for damages incurred by following the steps in this document, including but not limited to the loss of data or damage to hardware. Good Luck.