FreeWDE is a “minimal install” FreeBSD image that you can write to a USB stick or SD-card. When booted from, FreeWDE will ask some questions and then create an AES-256 encrypted partition on the same device. It will then copy the operating system there. You call tell FreeWDE to additionally install an unencrypted FAT32 (Windows) partition which will make a USB stick or SD-card seem like a normal storage device to Windows or Mac machines. It can hold your camera’s pictures or be used for files that you want to move in and out of an offline encrypted system. You can set sizes for all these partitions as well as for the encrypted swap. You can also opt to mount /tmp and /var/log as tmpfs ramdisks.
Or, in normal language, you boot from a stick or any other device and get a basic unix operating system that is fully encrypted and not any slower than it needs to be. Of course, you’ll still want to use the fastest media you can get hold of, and a bit of processor speed for the crypto doesn’t hurt either. It runs fine on my eeePC 1005PE.
This just installs a basic FreeBSD unix system. It does not include X-Windows, web-browsers, mail clients or whatever else you’d like. You can of course install all that after the encryption is set up. Or compile your own image with everything you need already packaged in it.
Please have a play if you are so inclined, and use the comments to tell me what you think.
Download FreeWDE-v0.1.zip by right-clicking and selecting ‘Save As’. Unzip the file.
You need to copy this unzippped image file to a disk device, generally a USB stick, an SD-card or a removable drive. It doesn’t help to simply copy the file, you need to ‘low level write’ the contents of the file to the disk.
IF YOU CONTINUE, YOU WILL BE WRITING DATA DIRECTLY TO A DISK DEVICE. PLEASE NOTE THAT THIS MAY, IN SOME CASES WITHOUT ANY WARNINGS, OVERWRITE THE DISK DEVICE YOU CHOOSE. SO PLEASE TAKE EXTREME CARE TO PICK THE DISK YOU ACTUALLY WANT TO INSTALL THIS ON, NOT THE HARD DISK WITH ALL YOUR WORK ON IT. REGULAR BACKUPS ARE ALWAYS A GOOD IDEA, AND RIGHT NOW IS A BETTER THAN AVERAGE TIME TO MAKE ONE.
On Mac/OSX, Linux, FreeBSD or other unix machine this is done with ‘dd’ from the command prompt as follows:
sudo dd if=<image file> of=<disk device> bs=1M
where <image file> is the file you just downloaded and <disk device> is the unix filename for the disk device. On a Mac, DO NOT USE /dev/disk0 (zero) as it is usually the system boot disk. You will be VERY sad if you write my file to it in this way.
On a machine running some version of Microsoft Windows, download a program called physdiskwrite and use it to write the image to the disk you’d like to run this from.
If you then shut down and boot from the stick, disk or card you just installed this on, you should, after the normal FreeBSD boot sequence, be presented with a dialog as follows. My answers in this example installation (to an 8 GB Sandisk Extreme 30 MB/s SD-card) are in bold.
Welcome to FreeWDE, the FreeBSD with Whole Disk Encryption installer
This script will help you create a bootable disk with multiple “slices”. One will be unencrypted and will hold the files needed to boot. In fact, we will reuse the part that you just booted from and just keep it as it is.
Then there’s the encrypted slice that this is all about. It is encrypted with AES-256 and holds either one or two partitions. There’s at least the root filesystem, and if you so choose there is also a swap area. And to make for a faster system on slow disks (such as many USB sticks), /tmp and /var/log can be put on tmpfs (which means they usually stay in RAM).
You can choose to install another ‘unencrypted’ slice. In there, we’ll put a regular Windows FAT32 filesystem. This means you can use the device as a regular USB disk or SD-card. To stick in your camera and take pictures on, for example.
Are you sure you want to do this? (yes/no) yes
Enter size of UNENCRYPTED slice. This size can be entered in megabytes or gigabytes. It needs to be entered as a number followed by M or G. So ’1G’ for a 1 gigabyte unencrypted slice. Enter “0″ or “none” if you do not want an unencrypted slice.
Size of unencrypted slice? 1G
Enter the size of the encrypted slice: a number immediately followed by M or G. This size includes root file system and swap. If you enter “all”, we will use the remainder of the device.
Size of encrypted slice? all
How big is the swap partition on the encrypted slice, again as a number immediately followed by the capital letter M or G. If you enter “0″ you will not have swap, so the entire encrypted slice is used for files.
Size of swap space? 2G
You can choose to wipe the disk, putting zeroes in the unencrypted slice and random data in the encrypted one. This makes sure there is no previous data that can be read, but it can take a long time depending on size and speed of the disk. So if you just bought it, you might as well enter no here.
Wipe disk? (yes/no) no
Would you like /tmp on a tmpfs (in ram) ? (yes/no) yes
We can do the same for /var/log. This does mean you’ll have to edit /etc/fstab before you can debug why something crashes.
Would you like /var/log on a tmpfs? (yes/no) yes
writing partition table
The partition table needs to be re-read, for which we need to reboot. Press enter to reboot. Installation will continue after we return.
Now the system reboots. Make sure it boots from the same disk again. You’ll see FreeBSD boot again. When that is done, the screen will clear and you’ll see:
FreeWDE – FreeBSD with Whole Disk Encryption
Continuing the installation…
Now writing random data to the new crypto slice. This might take a while. (Pressing Ctrl-T will tell you how many bytes have been written.)
This is where you pick a really strong passphrase and enter it twice to create the encrypted disk.
Enter new passphrase:
Reenter new passphrase:
Now type your passphrase once more to attach to the new encrypted disk.
Enter new passphrase:
Creating mount points and symlinks
Formatting unencrypted slice
Press enter to boot into encrypted system
After rebooting, you’ll find a virgin FreeBSD system, simply log in with ‘root’, no password. The system is the typical FreeBSD 8.0-RELEASE minimal install with a GENERIC kernel. The only difference is that the root filesystem is mounted off the secure part of the device you installed from and that swap and tmpfs have all been set up as specified during installation:
# df -h Filesystem Size Used Avail Capacity Mounted on /dev/label/crypt.elia 4.0G 161M 3.5G 4% / devfs 1.0K 1.0K 0B 100% /dev /dev/label/boota 327M 292M 8.0M 97% /mnt/boot /dev/da0s2 1.0G 48K 1.0G 0% /unencrypted tmpfs 2.9G 4.0K 2.9G 0% /tmp tmpfs 2.9G 60K 2.9G 0% /var/log # swapinfo Device 1K-blocks Used Avail Capacity /dev/label/crypt.elib 2097152 0 2097152 0%
The big cosmetic issue
If you boot into the encrypted system, it might seem as if the system hangs. Then if you read back a few lines, you’ll notice that the system is asking for your passphrase but that other parts of the boot process have put text after or on top of the prompt. You can just ignore all that and type your passphrase anyway. It is annoying and ugly, but there is not much I can do about it without going far deeper than I want to right now.
You’ll generally want to do:
echo 'powerd_enable="YES"' >> /etc/rc.conf
if you are running on a notebook or netbook, as this makes sure the system lowers the processor clock frequency if the system is idle, making the battery last much longer.
How to make your own
There are plenty of reasons to want to build your own system like this. You might be rolling out many of these, and maybe want to include your own software in the image. Or maybe you’d like to make sure that I haven’t installed something that logs your passphrase. (I could have, you know…)
The good news is that it is very easy to repeat what I did. All you need is this shell script and a fresh installation of FreeBSD in a slice that is so small that it just fits the files. You will also and another installation of FreeBSD to work from (which can also be on a USB stick). Start this working copy of FreeBSD and run
The <disk> is the device name (without /dev/) of the disk where the fresh copy is. Make sure it’s not mounted, the script does all that. The script will notice that there is no file ‘clean’ in the current directory. It will then use
dd to copy the s1 slice on the indicated device to ‘clean’, make some changes to the image to set it up for FreeWDE, install the installation script (which is contained in the DIY script) and copy the resulting image to the file ‘image’. If you make changes to the install script, you will not need a fresh copy of FreeBSD to test it, as the install script will simply use the copy in the file ‘clean’ from now on.