Partitioning the disk
After plugging in the new drive, let's see what the kernel says about it:
# dmesg -t | tail -n5
umass0 at uhub0 port 3 configuration 1 interface 0
umass0: Seagate (0x0bc2) Expansion HDD (0x2037), rev 3.20/19.01, addr 19
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, 1 lun per target
sd0 at scsibus0 target 0 lun 0: disk fixed
The disk is attached as the sd0 device. A GUID Partition Table (GPT) is created on it first, then a partition is added to the table:
# gpt create sd0
# gpt add -a 1M -l stkm5000 -t cgd sd0
/dev/rsd0: Partition 1 added: 2db519ec-b10f-11dc-b99b-0019d1879648 2048 9767538688
The partition type is cgd, the NetBSD CryptoGraphic Disk (CGD); the GUID in the output is the CGD partition type. The partition is aligned on a 1 MiB boundary so that it starts on a multiple of the drive's physical sector size (4 KiB on most current drives); an unaligned partition makes every small write straddle two physical sectors and costs a read-modify-write.
Encrypting the disk
Scrubbing the disk
Before making a cryptographic filesystem, previous data should be removed. Even if the disk is new, it should be filled with noise, so that the encrypted data cannot be told apart from the unused space around it. Configure a temporary cgd on the partition with a random key read from /dev/urandom (the wedge device, /dev/dk3 here, is the one dkctl sd0 listwedges reports for the stkm5000 label), write zeros through it, then unconfigure it:
# cgdconfig -s cgd0 /dev/dk3 aes-xts 256 < /dev/urandom
# dd if=/dev/zero of=/dev/rcgd0d bs=64k
# cgdconfig -u cgd0
Creating the cgd
The cgd parameters file is generated with -g. The -V ffs option records that the decrypted device must contain a valid FFS filesystem, so a wrong passphrase is rejected at configuration time instead of exposing a garbage device. The file holds the key derivation parameters (cipher, salt, PBKDF2 iteration count) but not the key itself; without it the disk cannot be opened even with the right passphrase, so it must be safely backed up:
# cgdconfig -g -V ffs -o /etc/cgd/stkm5000 adiantum 256
pkcs5_pbkdf2: calibrating iterations............................ done
The first configuration uses -V re-enter, which overrides the ffs verification stored in the parameters file (the partition only holds the noise written above, so that check would fail) and instead asks for the passphrase twice:
# cgdconfig -V re-enter cgd0 NAME=stkm5000 /etc/cgd/stkm5000
NAME=stkm5000's passphrase:
re-enter device's passphrase:
The cgd service can be started at boot time:
# cat >> /etc/rc.conf << EOF
cgd=YES
EOF
A configuration file associates each cgd device with its disk and parameters file; the rc script configures every entry listed in it (cgdconfig -C) at boot, asking for the passphrase on the console:
# cat > /etc/cgd/cgd.conf << EOF
cgd0 NAME=stkm5000 /etc/cgd/stkm5000
EOF
Create the filesystem
An FFSv2 filesystem can be created (-O2 selects FFSv2):
# newfs -O2 -V1 /dev/cgd0
/dev/rcgd0: 4769306.0MB (9767538688 sectors) block size 32768, fragment size 4096
using 6425 cylinder groups of 742.31MB, 23754 blks, 46848 inodes.
The filesystem can now be mounted:
# mkdir /mnt/usb
# mount -v /dev/cgd0 /mnt/usb
exec: mount_ffs -o rw /dev/cgd0 /mnt/usb
/dev/cgd0 on /mnt/usb type ffs (local, fsid: 0x1403/0x78b, reads: sync 1 async 0, writes: sync 5 async 0)
Configure / unconfigure the cgd
The cryptographic disk can be unconfigured once it is unmounted (cgdconfig -u refuses a device that is still in use):
# cgdconfig -u cgd0
It can be configured again without -V re-enter: the ffs verification recorded in the parameters file now applies, so a mistyped passphrase is rejected rather than producing an unusable device:
# cgdconfig cgd0 NAME=stkm5000 /etc/cgd/stkm5000
All the cryptographic disks listed in the /etc/cgd/cgd.conf configuration file can be configured by a single command:
# cgdconfig -C
In the same way, all the disks can be unconfigured by:
# cgdconfig -U
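As an added example, not part of this page or of NetBSD itself, here is a POSIX sh wrapper for the scrub, configure and unconfigure steps above. It assumes the label, cgd device, parameters file and mount point used on this page, and that dkctl(8) listwedges prints one "dkN: label, N blocks at M, type: T" line per wedge; that lets the scrub step find the wedge by its GPT label instead of hard-coding /dev/dk3. The listwedges output embedded in the script is a constructed sample used only by the stand-alone demo.

```shell
#!/bin/sh
# Added example (not from the page): wrapper around the scrub, attach and
# detach steps. Assumptions not taken from the page: the defaults below and
# the dkctl listwedges line format "dkN: label, SIZE blocks at OFF, type: T".

LABEL=${LABEL:-stkm5000}          # GPT label given to gpt add -l
CGD=${CGD:-cgd0}                  # cgd device to use
PARAMS=${PARAMS:-/etc/cgd/$LABEL} # parameters file written by cgdconfig -g
MNT=${MNT:-/mnt/usb}

# Constructed sample of "dkctl sd0 listwedges" output; only the stand-alone
# demo reads it, the functions below run the real dkctl.
SAMPLE_WEDGES='/dev/rsd0: 2 wedges:
dk2: scratch, 1048576 blocks at 2048, type: ffs
dk3: stkm5000, 9767538688 blocks at 1050624, type: cgd'

# wedge_for_label LABEL [TYPE]: read listwedges output on stdin and print the
# dkN whose label (and type, if given) matches; prints nothing when absent.
# Labels containing spaces are not handled.
wedge_for_label() {
    awk -v label="$1" -v want="${2:-}" '
        /^dk[0-9]+: / {
            dev = $1; sub(/:$/, "", dev)
            name = $2; sub(/,$/, "", name)
            if (name == label && (want == "" || $NF == want)) { print dev; exit }
        }'
}

# is_mounted /dev/cgd0: succeed if mount(8) lists that device.
is_mounted() {
    mount | awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }'
}

# cgd_scrub sd0: fill the labelled wedge with ciphertext of zeros under a
# throw-away random key, as in the scrubbing step above.
cgd_scrub() {
    wedge=$(dkctl "$1" listwedges | wedge_for_label "$LABEL" cgd)
    [ -n "$wedge" ] || { echo "no cgd wedge labelled $LABEL on $1" >&2; return 1; }
    cgdconfig -s "$CGD" "/dev/$wedge" aes-xts 256 < /dev/urandom || return 1
    # dd stops with an "end of device" error once the wedge is full; expected.
    dd if=/dev/zero of="/dev/r${CGD}d" bs=64k
    cgdconfig -u "$CGD"
}

# cgd_attach: configure from the parameters file (cgdconfig prompts for the
# passphrase; the ffs verification recorded with -g -V ffs rejects a wrong
# one) and mount the filesystem.
cgd_attach() {
    is_mounted "/dev/$CGD" && { echo "/dev/$CGD already mounted" >&2; return 1; }
    cgdconfig "$CGD" "NAME=$LABEL" "$PARAMS" || return 1
    mount -o rw "/dev/$CGD" "$MNT"
}

# cgd_detach: unmount first, since cgdconfig -u refuses a busy device.
cgd_detach() {
    if is_mounted "/dev/$CGD"; then
        umount "$MNT" || return 1
    fi
    cgdconfig -u "$CGD"
}

# Stand-alone demo on the constructed sample (needs neither root nor NetBSD).
demo_wedge=$(printf '%s\n' "$SAMPLE_WEDGES" | wedge_for_label "$LABEL" cgd)
echo "sample listwedges: cgd wedge labelled $LABEL is $demo_wedge"
```

Source the file as root on the NetBSD host and call cgd_scrub sd0 once before creating the parameters file, then cgd_attach and cgd_detach in place of the cgdconfig and mount commands above; override LABEL, CGD, PARAMS or MNT in the environment for a different disk.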