Tuesday, December 13, 2005

USB key/stick with UFS(GBDE) and FAT32

So, I have one of them USB sticks. I don't really use it much - but I'd like to. I'm just generally against having some (semi-)important data on it that anyone can stick into a MS Windows box and gain access to...
Well, I have my USB stick attached to my keychain, and my keychain is often with me when I'm getting drunk - so the probability of me losing my keys (and hence my USB stick) is quite high.

So how to remedy this most unfortunate situation and make good use of my USB dongle?
What are my criteria? I want to be able to stick it into any computer with a USB port and have a public place to share files. I also want an encrypted part of the key that I can access from FreeBSD.

First make sure you have the appropriate devices and options in your kernel config - umass(4) and da(4) are what make the stick show up as a SCSI disk below (you can find the details anywhere on the net).

When plugging in my USB device, I see the following in syslog:

Dec 13 12:15:48 mich kernel: umass0: SanDisk Corp. Cruzer Micro, rev 2.00/20.33, addr 2
Dec 13 12:15:48 mich kernel: da0 at umass-sim0 bus 0 target 0 lun 0
Dec 13 12:15:48 mich kernel: da0: Removable Direct Access SCSI-0 device
Dec 13 12:15:48 mich kernel: da0: 1.000MB/s transfers
Dec 13 12:15:48 mich kernel: da0: 125MB (256000 512 byte sectors: 64H 32S/T 125C)
Yeah, I've got one of them SanDisk Cruzer 128MB sticks.

First off, I'll partition the stick so I have two slices: one for FAT32 and one for UFS. If command-line fdisk(8) is too complex, you can use the fdisk interface from /stand/sysinstall. (Please know what you are doing here: write to the wrong device and you mess up the partitions on your hard drive. Double-check that you are working on da0 and nothing else.)
Also, I'm assuming you've backed up all data on your USB dongle! No? Well, your loss.

So - I've split up my key into two 64MB partitions (slices): the first with subtype 6 (FAT) and the second with subtype 165 (0xa5, FreeBSD/UFS). Note that subtype 6 is formally the 16-bit FAT id; if Windows is picky about the slice you put FAT32 on, use 11 (0x0b) or 12 (0x0c, LBA) instead. To construct the actual filesystem, I will use newfs_msdos(8) - like so:

root@mich ~# newfs_msdos -F 32 /dev/da0s1
Now you will have a perfectly usable FAT32 filesystem on the first slice. Stick it into a MS Windows PC and see it work. This will function as the public share on the key.

The second slice I'll use for the encrypted part. Do not newfs(8) it before having created the encrypted device: a cleartext filesystem written to /dev/da0s2 and the encrypted one written through /dev/da0s2.bde would occupy the same sectors, so you'd be able to mount two different filesystems that write to the same place on the device - and we all know that can't be good. The filesystem goes on the .bde device, and only there.

Start off by initializing gbde and creating a key. (Make sure you have "options GEOM_BDE" compiled into your kernel, or load the kernel module with kldload geom_bde.)


root@mich ~# gbde init /dev/da0s2 -i
This will bring up a template with the description of the parameters for gbde. Since I'm using a UFS filesystem, I will change sector_size to 2048, because it should match the fragment size of the filesystem you put on top, and 2048 is the newfs(8) default. The rest I will leave as default.
Now you will be prompted for your passphrase:


Enter new passphrase:
Fill it in twice, and voila. (A longer passphrase does not make the cipher itself any stronger - gbde uses 128-bit AES whatever you type - but the passphrase is the only thing between whoever finds your keys and the master key, so make it long and hard to guess.)

Now attach the device, put a filesystem on it (first time only, and on the .bde device - never on the raw slice) and mount it:


root@mich ~# gbde attach /dev/da0s2
Enter passphrase:
root@mich ~# newfs /dev/da0s2.bde
root@mich ~# mkdir /mnt/key
root@mich ~# mount /dev/da0s2.bde /mnt/key

Once you are finished putting top secret files (or your porn) into /mnt/key, do the following - in this order, since the device can't be detached while something still has it mounted:


root@mich ~# umount /mnt/key
root@mich ~# gbde detach /dev/da0s2.bde
And your porn^h^h^hdata is now safely stored on your USB device: without the passphrase the second slice is just noise, while the FAT32 slice still works everywhere.

PS. Don't forget your passphrase, or you'll be screwed - there is no way to get the data back without it.
