GBDE for deniable encrypted partition


#1

I want to set up GBDE and I want to use this to encrypt the entire partition using deniable encryption. I am not finding any good tutorials on how to set it up so any ideas how to set it up?


#2

GBDE? not sure what that is


#3

It's basically a block device disk encryption system


#4

I read this Michael W. Lucas book quite a while ago, but I remember he had a very good tutorial in one of the chapters on how to configure GBDE encryption.


#5

I will check it out thanks :slight_smile:


#6

Is there some online version I can read for free?


#7

why not wait a bit for ZFS on Linux (ZoL) to be finished being ported to FreeBSD?


#8

I have never heard of that, what is that?


#9

time to do a bit of web searching then


#10

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/
look down at storage, encrypting.
it talks about adding a new disk but there are also plenty of links that talk about dropping to command line during the installer and setting things up.
The book @groot referenced really has a good section on it. I’m not sure if there is an electronic version (if so pretty sure not free) but the paper copy is worth having on hand.


#11

Rod has reported issues with the Lua bootloader and geli.
I've had no issue adding a Trident BE to a FreeBSD 12 install.

Native ZFS encryption with bootloader support will be simpler
when it arrives to FreeBSD from ZoL.
John
groenveld@acm.org

#12

Disclaimer: This is MY opinion and MY opinion only, as a spectator/user; it in no way reflects the opinions of those in this forum or the ZoL folks, the openZFS folks or even the ZoF guys. /Disclaimer

The way I understand it, it’s that Delphix was doing much of the coding for Illumos, and FreeBSD being a close cousin would merge code from there.

Linux thought ZFS was cool, and started the ZFS on Linux (ZoL) project. Some people even made the analogy that FreeBSD was like a country with clean water, and ZoL was like a country that had not discovered that using the source of your water as a toilet is what is making you sick.

They were late to the party and had zero of the features that FreeBSD/Illumos had and took much of their initial code from openZFS, FreeBSD, and Illumos.

But with thousands more developers at their disposal they were able to systematically go line by line and make it Linux compatible, bug fix, and add features all at the same time; of course they didn’t share any of that code.

Now ZoL has left Delphix, FreeBSD, and Illumos in the dust, to the point where they have features that nobody else has, like native ZFS encryption, dedup on send, and much more. To the point where Delphix threw in the towel and are now downstreaming from ZoL, and openZFS is now considering ZFS on Linux the only source of truth for all operating systems, not just Linux, including Illumos and FreeBSD, from this day henceforth. So now FreeBSD will be added to the testing suite of ZoL and they (the Linux people) claim that they will not push code to Linux that breaks FreeBSD.

Disclaimer: Once again, I am in no way involved in any of the projects, so I only know what they’ve made public and formed my OWN opinion from that. /Disclaimer

As far as your deniable encryption goes, I’m not sure we can help. Encryption is a very difficult subject, and if you choose to buy the book, it has a section that describes when to encrypt and when not to, as encryption is not always the answer.

I’m also not sure, but I vaguely remember GBDE will not do full disk encryption. GELI will for sure, but GELI is not working on Trident at the moment. The other option would be to wait for the native ZFS encryption from the ZFS on Linux folks to be merged to the FreeBSD tree and then to the Trident tree, and then you can do full disk encryption natively.


#13

GELI works fine for me with Trident, though Rod warns YMMV.
John
groevneld@acm.org

#14

The FreeBSD forums have many unhappy campers with geli, which is why I say YMMV.


#15

@groot that all matches my understanding of ZFS/Solaris/Oracle/OpenZFS/Illumos/Delphix/FreeBSD/ZoL.

A lot of this all really boils down to “What exactly do you want to achieve?” Simply saying “deniable encryption” means next to nothing. Do you want “encrypted filesystems that look like random data or uninitialized disk”, or do you want “an encrypted partition that looks like a red house when not mounted but is actually a blue house when mounted”?
Again, what do you want?

I personally circle around to what is it you want to keep safe? Typically user data is what’s important. Encrypted OS and applications to me are a waste of resources.
Then circle back around to “when”: powered off, powered on, mounted, unmounted? Typically most things specify “data at rest” so data that is physically present on the disk must be encrypted. Why? So that if the machine is powered off and the disk physically removed from the system and mounted on another system it is unreadable. Once a machine is powered on and the encrypted partition mounted, it’s not encrypted anymore.

So given all that, if I were to encrypt things on a system, I’d simply do user home directory (because that’s where most of the user data lives like web browser cache and others) and system swap (temp files). That should be reasonably trivial to do with existing FreeBSD base crypto.

But that is just my opinion on what I’d do.


#16

Is GELI still being supported to this day?

Can GBDE at least encrypt your swap file? So upon boot you are prompted for a password before the OS can open your swap file if it was hibernated?


#17

At this point, since the options are very limited, anything will do, as long as it is deniably encrypted.

I also don’t mind that, IF I can also encrypt the swap file as well, as I do hibernate.


#18

I think it will do anything below the root partition, but not the root partition; that’s why you can’t have full disk encryption… If you don’t want to spend money on the book, the FreeBSD Handbook has a good section on GBDE.


#19

GELI and GBDE are both supported in FreeBSD.
Slightly different target users.
Hibernate does not protect the data. Machine gets stolen, brought out of hibernate, and data is available.
If you are truly concerned, machine is either powered on or powered off.


#20

Isn’t it possible for GBDE to encrypt the swap file, though, or GELI to encrypt the entire partition which contains the swap file? I don’t know, that is why I am asking you.
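Post #15 suggests encrypting just home and swap with the crypto already in the FreeBSD base system, and #16, #17 and #20 ask whether swap can be encrypted at all. The fragment below is an added example, not text from any poster and not copied from the Handbook: it shows the one-time-key swap encryption that GELI provides through the `.eli` suffix in /etc/fstab, with the plain swap line kept beside the encrypted one for comparison. The device name `ada0p3` and the pool name `zroot` are assumptions; substitute the swap device from your own /etc/fstab.

```conf
# /etc/fstab
# Plain swap (assumed device name): whatever the kernel pages out, including
# decrypted file contents and browser caches, lands on the disk in the clear.
#/dev/ada0p3       none    swap    sw    0  0

# Encrypted swap: the .eli suffix makes the rc scripts attach the partition
# through GELI with a random one-time key at every boot. Nothing is typed at
# boot, and the key is discarded at shutdown, so old swap contents cannot be
# read back from the disk afterwards.
/dev/ada0p3.eli    none    swap    sw    0  0

# ZFS-on-root installs put swap on a zvol; the suffix works the same way
# (pool name zroot is assumed).
#/dev/zvol/zroot/swap.eli   none    swap    sw    0  0

# /etc/rc.conf
# Optional: flags handed to geli(8) when the one-time provider is created.
# These are the Handbook defaults: AES-XTS, 128-bit key, 4 KiB sectors,
# detach on last close. Raise -l to 256 for a longer key.
geli_swap_flags="-e AES-XTS -l 128 -s 4096 -d"
```

After a reboot, `swapinfo` should list `/dev/ada0p3.eli` rather than the raw partition, and `geli list` shows it as a onetime provider. One caveat for the hibernate question in this thread: because the key is random and never stored, nothing written to swap survives a power-off, so this arrangement cannot be used to resume from a hibernation image kept in swap.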