From Segfault

Password hashing

In FreeBSD the password hash algorithm is chosen per login class with the passwd_format capability in /etc/login.conf[1], next to other per-class settings such as the search path shown here. Rebuild the database with cap_mkdb /etc/login.conf after editing; the new format is only used for passwords set after the change, existing hashes stay as they are until the password is changed:

       :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\


Moving temporary filesystems to memory (tmpfs, or an md-backed UFS as below) and mounting them nosuid,nodev,noexec[2] also helps to limit execution of binaries dropped there. It is a hardening layer rather than a barrier: a file on a noexec mount still runs when an interpreter is invoked on it directly (sh /tmp/x), and some software expects an executable /tmp.

In FreeBSD this can be done from /etc/rc.conf: tmpmfs="YES" selects an md-backed /tmp, tmpsize sets its size, and tmpmfs_flags passes extra mdmfs(8) options (add nosuid to the same -o list to cover both flags):

tmpmfs_flags="-S -o noexec"                   # Do not enable soft-updates on mdmfs; enable noexec

Or, doing this manually. Best done in single-user mode or with nothing holding files open in /tmp, since processes that already opened paths there keep using the old directory:

echo "md    /tmp    mfs    rw,-s64m,noexec    0 0" >> /etc/fstab
mv /tmp /tmp2 && mkdir -m1777 /tmp && mount /tmp && rm -rf /tmp2

Now, mount(8) should look something like this:

$ mount | grep /tmp
/dev/md0 on /tmp (ufs, local, noexec, soft-updates)
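Looking at one mount line by eye does not scale, so here is an added check (not from the original page) in POSIX sh that parses FreeBSD mount(8) output of the form "<device> on <mountpoint> (<opt>, <opt>, ...)" and reports which required options a mount point is missing. The policy in audit_mounts (/tmp and /var/tmp must be noexec,nosuid) and the function names are assumptions; the sample mount output used in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the original page).

# check_mount_opts MOUNTPOINT REQUIRED: read mount(8) output on stdin and
# print OK, "MISSING-OPTS <list>" or MISSING-MOUNT; exit status 0 only for OK.
# REQUIRED is a comma-separated list such as "noexec,nosuid".
check_mount_opts() {
    awk -v mp="$1" -v req="$2" '
        $2 == "on" && $3 == mp {
            s = $0
            sub(/^[^(]*\(/, "", s)            # keep the text inside the parentheses
            sub(/\).*$/, "", s)
            n = split(s, o, ", *")            # options are comma-separated
            for (i = 1; i <= n; i++) have[o[i]] = 1
            m = split(req, r, ",")
            for (i = 1; i <= m; i++)
                if (!(r[i] in have)) miss = miss (miss == "" ? "" : ",") r[i]
            found = 1
        }
        END {
            if (!found)     { print "MISSING-MOUNT"; exit 1 }
            if (miss != "") { print "MISSING-OPTS " miss; exit 1 }
            print "OK"
        }'
}

# audit_mounts: apply the policy below to mount(8) output read on stdin.
# Returns 1 if any listed mount point fails. The policy is an assumption.
audit_mounts() {
    mounts=$(cat)
    rc=0
    for spec in "/tmp:noexec,nosuid" "/var/tmp:noexec,nosuid"; do
        mp=${spec%%:*}; req=${spec#*:}
        result=$(printf '%s\n' "$mounts" | check_mount_opts "$mp" "$req") || rc=1
        printf '%s %s\n' "$mp" "$result"
    done
    return $rc
}

# Usage on a live host:
#   mount | audit_mounts
```

Run it from a periodic(8) script or a configuration-management check so that a /tmp remounted without the options (for example after a port build that needed exec there) is noticed rather than silently kept.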

Per-user /tmp


Encrypted disks

Initialize the GELI device. The key is 64 random bytes kept GPG-encrypted on disk, and the provider additionally gets a passphrase, so attaching it needs both the GPG passphrase and the GELI passphrase ($DEV is the provider name, md1 in the output below):

$ dd if=/dev/random bs=64 count=1 | gpg --cipher-algo aes --symmetric --armor > key-$DEV.asc                                 # GnuPG 1.x
$ F=$(mktemp); dd if=/dev/random of=$F bs=64 count=1 && gpg --cipher-algo aes --symmetric --armor --output key-$DEV.asc $F && rm -P $F   # GnuPG 2.x; remove the plaintext key file afterwards

$ gpg --decrypt key-$DEV.asc | geli init -a HMAC/SHA256 -s 4096 -K - /dev/$DEV    # -K - reads the keyfile from stdin; -a adds data authentication; -s sets the sector size. The key length defaults to 128 bits (AES-XTS), use -l 256 for 256
gpg: AES encrypted data
Enter passphrase: XXX                                            # To decrypt the GPG key
gpg: encrypted with 1 passphrase
Enter new passphrase: XXX                                        # To add a passphrase to the GELI device
Reenter new passphrase: XXX

geli init writes a copy of the metadata to /var/backups/$DEV.eli (here /var/backups/md1.eli). Copy that file off the host as well: without the metadata (the last sector of the provider) the data cannot be attached even with the key and passphrase. If the on-disk metadata is damaged, restore it with the provider detached:

       # geli restore /var/backups/md1.eli /dev/md1

Attach and format the newly initialized disk:

gpg --decrypt key-$DEV.asc | geli attach -k - /dev/$DEV           # -k - reads the keyfile from stdin; the GELI passphrase is prompted for on the terminal
newfs /dev/$DEV.eli                                              # This will create a new filesystem!
mount -t ufs /dev/$DEV.eli /data

Dump the metadata to check what was configured. The aalgo line only appears when -a was given at init, and iterations is the PKCS#5v2 count geli chose for the passphrase (about two seconds of work on this machine; -i sets it explicitly):

$ geli dump $DEV | head -11
Metadata on md1:
     magic: GEOM::ELI
   version: 6
     flags: 0x10
     ealgo: AES-XTS
    keylen: 128
     aalgo: HMAC/SHA256
  provsize: 104857600
sectorsize: 4096
      keys: 0x01
iterations: 173531
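Added example, not from the original page: a POSIX sh check that reads geli dump output (the format shown above) and tests it against a small policy, so that a provider initialized without -a, with a weak cipher, or with a passphrase iteration count far below what geli chose here gets flagged. The thresholds, the function names and the dumps used in the usage are assumptions and constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page).

MIN_KEYLEN=128          # assumption: 128-bit AES-XTS is the floor
MIN_ITERATIONS=100000   # assumption: PKCS#5v2 iteration floor for a passphrase

# geli_field NAME: print the value of the "NAME: value" line of a geli dump
# read on stdin (empty output if the line is absent).
geli_field() {
    awk -v k="$1" '{
        line = $0
        if (sub("^[ \t]*" k ":[ \t]*", "", line) == 1) { print line; exit }
    }'
}

# geli_policy_check: read one geli dump on stdin, print the findings and
# return 0 when the provider meets the policy, 1 otherwise.
geli_policy_check() {
    dump=$(cat)
    ealgo=$(printf '%s\n' "$dump" | geli_field ealgo)
    aalgo=$(printf '%s\n' "$dump" | geli_field aalgo)
    keylen=$(printf '%s\n' "$dump" | geli_field keylen)
    iters=$(printf '%s\n' "$dump" | geli_field iterations)
    rc=0
    [ "$ealgo" = "AES-XTS" ] || { echo "ealgo is '$ealgo', expected AES-XTS"; rc=1; }
    # geli dump omits the aalgo line entirely when -a was not given at init
    [ -n "$aalgo" ] || { echo "no data authentication: aalgo missing (init without -a)"; rc=1; }
    [ "${keylen:-0}" -ge "$MIN_KEYLEN" ] || { echo "keylen $keylen below $MIN_KEYLEN"; rc=1; }
    if [ "$iters" = "-1" ]; then
        echo "note: iterations -1, no passphrase; security rests on the keyfile alone"
    elif [ "${iters:-0}" -lt "$MIN_ITERATIONS" ]; then
        echo "iterations $iters below $MIN_ITERATIONS"; rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $ealgo/$keylen with $aalgo, $iters iterations"
    return $rc
}

# Usage on a FreeBSD host (root):
#   geli dump md1 | geli_policy_check
```

A run over every provider listed by geli list (or over the backup files in /var/backups/*.eli, via geli dump on a copy) gives a quick inventory of which volumes still lack authentication or were set up with a low iteration count.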


To take the volume offline, unmount it and detach the provider; the detached key material is then no longer held by the kernel:

umount /data
geli detach $DEV.eli