OpenBSD encrypted fileserver HOWTO
In this document I will try to explain what it takes to get an encrypted fileserver with a web-based BitTorrent interface, as mentioned here.
UPDATE July 16th 2007: I also posted a new how-to, which includes software RAID too. I suggest you use that how-to instead of this one.
First of all, dedicate a machine as the server. To give you an idea: in my setup, a (single) MP1800+ copes well with the encryption involved in my network, but everyone has different needs of course. Remember that with an encrypting fileserver, CPU grunt is needed even for simple tasks such as copying to your fileserver…
I chose to have a server with one disk where the OS resides and all ‘big disks’ mounted into the directory tree, but that’s not a requirement. I did not attempt to have the OS itself encrypted; to me it seemed needlessly complicated and far too much of a ‘single point of failure’ for what I was looking for. I did, however, choose the most secure OS out there (imho), OpenBSD :-)
From this point I assume you have an OpenBSD-box with OpenBSD 3.6 (or newer) and a generic kernel (there’s plenty of excellent literature on www.openbsd.org to help you with that) and have all the services you want installed (ftp/samba/etc.).
First of all, we want to have an encrypted swap partition (hey, this is going to be an encrypted fileserver after all).
Now, from the next reboot on, your swap will be encrypted :-)
Now, I assume you have one or more disks which are currently empty and which you want to turn into fully encrypted volumes. After adding a disk to the machine, look in the dmesg output to see what it’s called (wd0, for instance). With ‘fdisk -i wd0’ you initialize the disk’s ‘real’ partition table for exclusive use by OpenBSD. Next we’re going to create a disklabel: the command ‘disklabel -E wd0’ gives you the same prompt you saw during install, so that should be familiar. I didn’t have to change anything here (since I wanted one big partition on one big disk), but you can if you want to.
So, now we have the disk ready for our OS, but we’re only half way… first, let’s make a filesystem on the new disk.
newfs /dev/wd0a (if a is the one big partition you made)
After this, we need to mount it properly into the directory tree and add an fstab entry.
mount /dev/wd0a /datacrypt/disk1 (well, that’s how I named the encrypted volumes)
and in my fstab it looks like this
-bash-3.00# cat /etc/fstab
/dev/sd0a / ffs rw 1 1 <- a 9GB SCSI-disk, my boot/OS-disk
/dev/wd0a /datacrypt/disk1 ffs rw,softdep 1 1 <- the first encrypted disk
/dev/wd1a /datacrypt/disk3 ffs rw,softdep 1 1 <- the third encrypted disk
/dev/wd2a /datacrypt/disk2 ffs rw,softdep 1 1 <- the second encrypted disk
After this we need to make a file on the new disk.
and then we need to fill it with… nothing :-)
dd if=/dev/zero of=/datacrypt/disk1/cryptfile bs=512 count=384551416
From the disklabel and fdisk steps we did earlier, we should know how many blocks (512- or 1024-byte blocks) there are on the disk. (My experience is that it still works even if you set the count too high.)
Now we need to decide where we want the accessible/readable part to be mounted. In my case, that’s /data/disk1
(Update 16/07/07: I’ve updated this part a little and changed svnd0c to svnd0a…)
We’re going to use vnconfig to associate the cryptfile on the disk with this mountpoint and of course including the encryption…
/usr/sbin/vnconfig -ck -v svnd0 /datacrypt/disk1/cryptfile
Now you will be asked for the encryption-key… enter something good (and something you’ll never ever forget!)
If everything worked out, it’ll also show you how big your new ‘disk’ is:
# /usr/sbin/vnconfig -ck -v svnd0 /datacrypt/disk1/cryptfile
svnd0: 314945404928 bytes on /datacrypt/disk1/cryptfile
Now we have to initialize the disk and make a new filesystem on the encrypted partition:
fdisk -i svnd0
disklabel -E svnd0 (and again, make one ‘a’ big partition, of type 4.2BSD, of this)
Now we can go off and mount it…
mount /dev/svnd0a /data/disk1
and tada! /data/disk1 is just like your everyday mounted volume… only it’s fully encrypted :-)
Now you can go off and, for example, configure Samba to share this volume in a windows-network (if those machines only knew…)
You can unmount the volume and detach the vnd device by:
umount /data/disk1
vnconfig -u -v /dev/svnd0a
I’ve added a script for convenience, cryptfs (with multiple disks, you can just copy this script as cryptfs1, cryptfs2 and so on). Put it somewhere in your path and you can mount the volume by:
- cryptfs -m
and unmount it by:
- cryptfs -u
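The author's cryptfs script itself is not reproduced on this page. The following is an added example of what such a wrapper can look like, not the original script: it reuses the device, file and mountpoint names from this HOWTO as defaults, and the DRYRUN switch and function names are assumptions made for the example.

```shell
#!/bin/sh
# cryptfs: attach and mount (-m) or unmount and detach (-u) one encrypted volume.
# Added example; the defaults are the names used in this HOWTO.
CRYPTFILE=${CRYPTFILE:-/datacrypt/disk1/cryptfile}  # backing file on the raw disk
VND=${VND:-svnd0}                                   # vnd device to attach it to
MOUNTPOINT=${MOUNTPOINT:-/data/disk1}               # where the readable view appears

# Assumed helper: with DRYRUN=1 commands are printed instead of executed.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

is_mounted() {
    mount 2>/dev/null | grep -q " on $MOUNTPOINT "
}

cryptfs_mount() {
    [ -f "$CRYPTFILE" ] || { echo "cryptfs: $CRYPTFILE not found" >&2; return 1; }
    is_mounted && { echo "cryptfs: $MOUNTPOINT already mounted" >&2; return 1; }
    # vnconfig -k prompts for the key but cannot tell whether it is right;
    # a wrong key only shows up when mount fails on the garbage it decrypts.
    run /usr/sbin/vnconfig -ck -v "$VND" "$CRYPTFILE" || return 1
    if ! run mount "/dev/${VND}a" "$MOUNTPOINT"; then
        echo "cryptfs: mount failed (wrong key?), detaching $VND" >&2
        run /usr/sbin/vnconfig -u -v "$VND"
        return 1
    fi
}

cryptfs_umount() {
    # Unmount first: the vnd device cannot be detached while it is in use.
    run umount "$MOUNTPOINT" || return 1
    run /usr/sbin/vnconfig -u -v "$VND"
}

cryptfs() {
    case "${1:-}" in
        -m) cryptfs_mount ;;
        -u) cryptfs_umount ;;
        *)  echo "usage: cryptfs -m | -u" >&2; return 2 ;;
    esac
}

# Dispatch only when called with an argument, so the file can also be sourced.
if [ "$#" -gt 0 ]; then cryptfs "$@"; fi
```

For a second disk, override the three variables (for example VND=svnd1) instead of editing a copy of the script.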
When it’s up and running in full glory, it looks like this:
Filesystem 512-blocks Used Avail Capacity Mounted on
/dev/sd0a 15517420 8675604 6065948 59% /
/dev/wd0a 384551416 384551364 -19227516 105% /datacrypt/disk1
/dev/wd1a 384551416 384551364 -19227516 105% /datacrypt/disk3
/dev/wd2a 192283692 192283652 -9614144 105% /datacrypt/disk2
/dev/svnd0c 378258672 174370060 184975680 49% /data/disk1
/dev/svnd1c 189137272 163543156 16137256 91% /data/disk2
/dev/svnd2c 378258672 8374120 350971620 2% /data/disk3
So… that’s that. Next we have to install some packages for the next stage: getting TorrentFlux (http://www.torrentflux.com/) on the server.
I installed the following packages (and all the others, like mysql_client & python and such, are also downloaded & installed for getting the dependencies right)
You can find these packages at every OpenBSD-install-mirror, for instance:
After each download & install, follow instructions if there are any (they’ll be printed to your screen).
The only thing I changed is running Apache without chroot(). I tried to get it working with chroot, but then my data/download directory also has to be inside the chrooted environment, and in my case (with a separate OS disk) that’s not convenient. Besides that, the webserver is only serving inside my LAN, so from a security point of view I think it’s not as necessary as it would be if it were serving to the outside.
You can disable chroot by starting httpd with -u. In /etc/rc.conf you should have this line:
httpd_flags="-u" # for normal use: "" (or "-DSSL" after reading ssl(8))
If you, however, decide to have a chroot-ed environment, be sure you have a hard link to the mysql.sock inside your environment, otherwise MySQL won’t work (that took me quite some time to figure out).
Only necessary if you decide to keep the chroot environment:
ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
In either case, it should work now. If you run into trouble with getting Apache/PHP/MySQL running on your box, try getting an answer online, there’s plenty of literature around for that.
I’m aware that this HOWTO isn’t at all complete and could be more extensive. If you are willing to rewrite it or use it for a more extensive version or such, feel free to do so. I’d appreciate an email if you do.
This file is also available as a plain-text file, here.