disks-encrypting.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Encrypting Disk Partitions</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="Storage" href="disks.html" />
<link rel="PREVIOUS" title="File System Quotas" href="quotas.html" />
<link rel="NEXT" title="The Vinum Volume Manager" href="vinum-vinum.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="quotas.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 12. Storage</td>
<td width="10%" align="right" valign="bottom"><a href="vinum-vinum.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="DISKS-ENCRYPTING" name="DISKS-ENCRYPTING">12.13. Encrypting Disk
Partitions</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Contributed by</span> Lucky Green.</i> 

<p>FreeBSD offers excellent online protections against unauthorized data access. File
permissions and Mandatory Access Control (MAC) (see <a href="mac.html">Section 10.12</a>)
help prevent unauthorized third-parties from accessing data while the operating system is
active and the computer is powered up. However, the permissions enforced by the operating
system are irrelevant if an attacker has physical access to a computer and can simply
move the computer's hard drive to another system to copy and analyze the sensitive
data.</p>

<p>Regardless of how an attacker may have come into possession of a hard drive or
powered-down computer, <b class="APPLICATION">GEOM Based Disk Encryption (gbde)</b> can
protect the data on the computer's file systems against even highly-motivated attackers
with significant resources. Unlike cumbersome encryption methods that encrypt only
individual files, <b class="APPLICATION">gbde</b> transparently encrypts entire file
systems. No cleartext ever touches the hard drive's platter.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN18560" name="AEN18560">12.13.1. Enabling gbde in the
Kernel</a></h2>

<div class="PROCEDURE">
<ol type="1">
<li>
<p><b>Become <tt class="USERNAME">root</tt></b></p>

<p>Configuring <b class="APPLICATION">gbde</b> requires super-user privileges.</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">su -</kbd>
Password:
</pre>
</li>

<li>
<p><b>Verify the Operating System Version</b></p>

<p><span class="CITEREFENTRY"><span class="REFENTRYTITLE">gbde</span>(4)</span> requires
FreeBSD 5.0 or higher.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">uname -r</kbd>
5.0-RELEASE
</pre>
</li>

<li>
<p><b>Add <span class="CITEREFENTRY"><span class="REFENTRYTITLE">gbde</span>(4)</span>
Support to the Kernel Configuration File</b></p>

<p>Using your favorite text editor, add the following line to your kernel configuration
file:</p>

<p><var class="LITERAL">options GEOM_BDE</var></p>

<p>Configure, recompile, and install the FreeBSD kernel. This process is described in <a
href="kernelconfig.html">Chapter 9</a>.</p>

<p>Reboot into the new kernel.</p>
</li>
</ol>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN18591" name="AEN18591">12.13.2. Preparing the Encrypted Hard
Drive</a></h2>

<p>The following example assumes that you are adding a new hard drive to your system that
will hold a single encrypted partition. This partition will be mounted as <tt
class="FILENAME">/private</tt>. <b class="APPLICATION">gbde</b> can also be used to
encrypt <tt class="FILENAME">/home</tt> and <tt class="FILENAME">/var/mail</tt>, but this
requires more complex instructions which exceed the scope of this introduction.</p>

<div class="PROCEDURE">
<ol type="1">
<li>
<p><b>Add the New Hard Drive</b></p>

<p>Install the new drive to the system as explained in <a
href="disks-adding.html">Section 12.3</a>. For the purposes of this example, a new hard
drive partition has been added as <tt class="DEVICENAME">/dev/ad4s1c</tt>. The <tt
class="DEVICENAME">/dev/ad0s1<var class="REPLACEABLE">*</var></tt> devices represent
existing standard FreeBSD partitions on the example system.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">ls /dev/ad*</kbd>
/dev/ad0        /dev/ad0s1b     /dev/ad0s1e     /dev/ad4s1
/dev/ad0s1      /dev/ad0s1c     /dev/ad0s1f     /dev/ad4s1c
/dev/ad0s1a     /dev/ad0s1d     /dev/ad4
</pre>
</li>

<li>
<p><b>Create a Directory to Hold gbde Lock Files</b></p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mkdir /etc/gbde</kbd>
</pre>

<p>The <b class="APPLICATION">gbde</b> lock file contains information that <b
class="APPLICATION">gbde</b> requires to access encrypted partitions. Without access to
the lock file, <b class="APPLICATION">gbde</b> will not be able to decrypt the data
contained in the encrypted partition without significant manual intervention which is not
supported by the software. Each encrypted partition uses a separate lock file.</p>
</li>

<li>
<p><b>Initialize the gbde Partition</b></p>

<p>A <b class="APPLICATION">gbde</b> partition must be initialized before it can be used.
This initialization needs to be performed only once:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c</kbd>
</pre>

<p><span class="CITEREFENTRY"><span class="REFENTRYTITLE">gbde</span>(8)</span> will open
your editor, permitting you to set various configuration options in a template. For use
with UFS1 or UFS2, set the sector_size to 2048:</p>

<pre class="PROGRAMLISTING">
$FreeBSD: src/sbin/gbde/template.txt,v 1.1 2002/10/20 11:16:13 phk Exp $
#
# Sector size is the smallest unit of data which can be read or written.
# Making it too small decreases performance and decreases available space.
# Making it too large may prevent filesystems from working.  512 is the
# minimum and always safe.  For UFS, use the fragment size
#
sector_size     =       2048
[...]
</pre>

<p><span class="CITEREFENTRY"><span class="REFENTRYTITLE">gbde</span>(8)</span> will ask
you twice to type the passphrase that should be used to secure the data. The passphrase
must be the same both times. <b class="APPLICATION">gbde</b>'s ability to protect your
data depends entirely on the quality of the passphrase that you choose. <a id="AEN18635"
name="AEN18635" href="#FTN.AEN18635"><span class="footnote">[1]</span></a></p>

<p>The <tt class="COMMAND">gbde init</tt> command creates a lock file for your <b
class="APPLICATION">gbde</b> partition that in this example is stored as <tt
class="FILENAME">/etc/gbde/ad4s1c</tt>.</p>

<div class="CAUTION">
<blockquote class="CAUTION">
<p><b>Caution</b><b class="APPLICATION">gbde</b> lock files <span class="emphasis"><i
class="EMPHASIS">must</i></span> be backed up together with the contents of any encrypted
partitions. While deleting a lock file alone cannot prevent a determined attacker from
decrypting a <b class="APPLICATION">gbde</b> partition, without the lock file, the
legitimate owner will be unable to access the data on the encrypted partition without a
significant amount of work that is totally unsupported by <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">gbde</span>(8)</span> and its
designer.</p>
</blockquote>
</div>
</li>

<li>
<p><b>Attach the Encrypted Partition to the Kernel</b></p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c</kbd>
</pre>

<p>You will be asked to provide the passphrase that you selected during the
initialization of the encrypted partition. The new encrypted device will show up in <tt
class="FILENAME">/dev</tt> as <tt class="FILENAME">/dev/device_name.bde</tt>:</p>

<pre class="SCREEN">