Trying to add an encrypted partition on FreeBSD 10.3 with GELI/Blowfish-CBC. AES on / and swap works fine, but I cannot add an additional encrypted partition using Blowfish. Here is how I did it:
# mount -o exec /dev/da2p1 /mnt/storekey
# gpart create -s gpt da1
da1 created
# gpart add -t freebsd-ufs -l usrdata da1
da1p1 added
# newfs gpt/usrdata
gpt/usrdata: 102400.0MB (209715128 sectors) block size 32768, fragment size 4096
using 164 cylinder groups of 626.09MB, 20035 blks, 80256 inodes.
super-block backups (for fsck_ffs -b #) at:
192, 1282432, 2564672, 3846912, 5129152, 6411392, 7693632, 8975872, 10258112, 11540352, 12822592, 14104832,
15387072, 16669312, 17951552, 19233792, 20516032, 21798272, 23080512, 24362752, 25644992, 26927232,
28209472, 29491712, 30773952, 32056192, 33338432, 34620672, 35902912, 37185152, 38467392, 39749632,
41031872, 42314112, 43596352, 44878592, 46160832, 47443072, 48725312, 50007552, 51289792, 52572032,
53854272, 55136512, 56418752, 57700992, 58983232, 60265472, 61547712, 62829952, 64112192, 65394432,
66676672, 67958912, 69241152, 70523392, 71805632, 73087872, 74370112, 75652352, 76934592, 78216832,
79499072, 80781312, 82063552, 83345792, 84628032, 85910272, 87192512, 88474752, 89756992, 91039232,
92321472, 93603712, 94885952, 96168192, 97450432, 98732672, 100014912, 101297152, 102579392, 103861632,
105143872, 106426112, 107708352, 108990592, 110272832, 111555072, 112837312, 114119552, 115401792,
116684032, 117966272, 119248512, 120530752, 121812992, 123095232, 124377472, 125659712, 126941952,
128224192, 129506432, 130788672, 132070912, 133353152, 134635392, 135917632, 137199872, 138482112,
139764352, 141046592, 142328832, 143611072, 144893312, 146175552, 147457792, 148740032, 150022272,
151304512, 152586752, 153868992, 155151232, 156433472, 157715712, 158997952, 160280192, 161562432,
162844672, 164126912, 165409152, 166691392, 167973632, 169255872, 170538112, 171820352, 173102592,
174384832, 175667072, 176949312, 178231552, 179513792, 180796032, 182078272, 183360512, 184642752,
185924992, 187207232, 188489472, 189771712, 191053952, 192336192, 193618432, 194900672, 196182912,
197465152, 198747392, 200029632, 201311872, 202594112, 203876352, 205158592, 206440832, 207723072, 209005312
# dd if=/dev/random of=/mnt/storekey/da0p1b.k bs=64 count=1
1+0 records in
1+0 records out
64 bytes transferred in 0.000032 secs (1988411 bytes/sec)
# geli init -s 4096 -K /mnt/storekey/da0p1b.k -e Blowfish-CBC -a hmac/sha256 -l 448 gpt/usrdata
Enter new passphrase:
Reenter new passphrase:
Metadata backup can be found in /var/backups/gpt_usrdata.eli and
can be restored with the following command:
# geli restore /var/backups/gpt_usrdata.eli gpt/usrdata
# geli attach -k /mnt/storekey/da0p1b.k gpt/usrdata
Enter passphrase:
# newfs gpt/usrdata.eli
gpt/usrdata.eli: 91022.2MB (186413448 sectors) block size 32768, fragment size 4096
using 146 cylinder groups of 626.09MB, 20035 blks, 80256 inodes.
newfs: can't read old UFS1 superblock: read error from block device: Invalid argument
OK, Google says I need to destroy the data with random output:
# dd if=/dev/random of=gpt/usrdata.eli bs=8m
dd: gpt/usrdata.eli: No such file or directory
OK, I want to check:
# geli list
Geom name: da0p4.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Version: 7
UsedKey: 0
Flags: BOOT
KeysAllocated: 50
KeysTotal: 50
Providers:
1. Name: da0p4.eli
Mediasize: 26843378688 (25G)
Sectorsize: 512
Mode: r1w1e1
Consumers:
1. Name: da0p4
Mediasize: 26843379200 (25G)
Sectorsize: 512
Stripesize: 0
Stripeoffset: 1073891328
Mode: r1w1e1
Geom name: gpt/swap.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Version: 7
Flags: ONETIME, W-DETACH, W-OPEN
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: gpt/swap.eli
Mediasize: 4294967296 (4.0G)
Sectorsize: 4096
Mode: r1w1e0
Consumers:
1. Name: gpt/swap
Mediasize: 4294967296 (4.0G)
Sectorsize: 512
Stripesize: 0
Stripeoffset: 1073891328
Mode: r1w1e1
Geom name: gpt/usrdata.eli
State: ACTIVE
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 448
AuthenticationAlgorithm: HMAC/SHA256
Crypto: software
Version: 7
UsedKey: 0
Flags: AUTH
KeysAllocated: 200
KeysTotal: 200
Providers:
1. Name: gpt/usrdata.eli
Mediasize: 95443685376 (89G)
Sectorsize: 4096
Mode: r0w0e0
Consumers:
1. Name: gpt/usrdata
Mediasize: 107374148096 (100G)
Sectorsize: 512
Stripesize: 0
Stripeoffset: 17408
Mode: r1w1e1
# ls /dev
acpi da0p2 geom.ctl mem sndstat ttyv9
apm da0p3 gpt midistat stderr ttyva
apmctl da0p4 gptid mpt0 stdin ttyvb
atkbd0 da0p4.eli hpet0 nfslock stdout ttyvc
audit da1 io null sysmouse ttyvd
bpf da1p1 iso9660 pass0 ttyv0 ttyve
bpf0 da2 kbd0 pass1 ttyv1 ttyvf
bpsm0 da2p1 kbd1 pass2 ttyv2 ufssuspend
cd0 devctl kbdmux0 pass3 ttyv3 urandom
console devctl2 klog pci ttyv4 usbctl
consolectl devstat kmem psm0 ttyv5 xpt0
ctty fd led pts ttyv6 zero
da0 fd0 log random ttyv7
da0p1 fido mdctl reroot ttyv8
What went wrong? Thanks for your help.
Answer 1
You need to use the full device name:
dd if=/dev/random of=/dev/gpt/usrdata.eli bs=1m
newfs /dev/gpt/usrdata.eli
Got this solution here: https://forums.freebsd.org/threads/57051/#post-324890
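As an added example that is not part of the question or the answer: a small POSIX sh wrapper that turns a GEOM provider name as printed by `geli list` (e.g. `gpt/usrdata.eli`) into its `/dev` node, refuses to run unless that node exists and is a `.eli` provider, and only then performs the answer's `dd` and `newfs` steps. `DEV_ROOT` and `DRY_RUN` are hypothetical knobs added so the functions can be exercised without a real disk.

```shell
#!/bin/sh
# Added example, not from the original post. GEOM tools such as geli and
# newfs accept a bare provider name, but dd does not: "gpt/usrdata.eli" is
# a relative path to dd, hence "No such file or directory" in the question.
# DEV_ROOT (hypothetical) lets the checks run against a test directory.
DEV_ROOT="${DEV_ROOT:-/dev}"

# Print the absolute device path for a provider name; absolute paths pass through.
geom_dev_path() {
    case "$1" in
        "$DEV_ROOT"/*) printf '%s\n' "$1" ;;
        *)             printf '%s/%s\n' "$DEV_ROOT" "$1" ;;
    esac
}

# Succeed only if the node exists: a character device under /dev, or a plain
# file when DEV_ROOT points at a test directory. Prints the resolved path.
geom_dev_check() {
    dev=$(geom_dev_path "$1")
    if [ -c "$dev" ] || { [ "$DEV_ROOT" != /dev ] && [ -f "$dev" ]; }; then
        printf '%s\n' "$dev"
        return 0
    fi
    printf 'no such device node: %s (compare: geli list; ls %s/gpt)\n' \
        "$dev" "$DEV_ROOT" >&2
    return 1
}

# Overwrite the attached GELI provider with random data and create the
# filesystem, as the answer does, but only on a verified .eli node so the
# unencrypted backing partition can never be hit by mistake.
geli_fs_prepare() {
    dev=$(geom_dev_check "$1") || return 1
    case "$dev" in
        *.eli) ;;
        *) printf 'refusing: %s is not a GELI provider (.eli)\n' "$dev" >&2
           return 1 ;;
    esac
    if [ -n "$DRY_RUN" ]; then   # DRY_RUN (hypothetical): print instead of run
        printf 'dd if=/dev/random of=%s bs=1m\nnewfs %s\n' "$dev" "$dev"
        return 0
    fi
    dd if=/dev/random of="$dev" bs=1m
    newfs "$dev"
}
```

Run as `geli_fs_prepare gpt/usrdata.eli` after `geli attach`; the refusal path is the important part, since `newfs gpt/usrdata` on the bare partition would silently destroy the GELI metadata.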