Well, I have my USB stick attached to my keychain, and my keychain is often with me when I'm getting drunk - so the probability of me losing my keys (hence my USB stick) is quite high.
So how to remedy, this most unfortunate situation and make good use of my USB dongle ?
What are my criterias ? I want to be able to stick it in any computer with an USB hub, and have a public place to share files. I also want to be able to have an encrypted part of the key, that I can access with FreeBSD.
First make sure you have the appropriate devices and options in your kernel config (you can find this information anywhere on the net).
When plugging in my usb device, I see the following in syslog:
Yeah, I've got one of them SanDisk Cruzer 128MB sticks.
Dec 13 12:15:48 mich kernel: umass0: SanDisk Corp. Cruzer Micro, rev 2.00/20.33, addr 2
Dec 13 12:15:48 mich kernel: da0 at umass-sim0 bus 0 target 0 lun 0
Dec 13 12:15:48 mich kernel: da0:
Removable Direct Access SCSI-0 device
Dec 13 12:15:48 mich kernel: da0: 1.000MB/s transfers
Dec 13 12:15:48 mich kernel: da0: 125MB (256000 512 byte sectors: 64H 32S/T 125C)
First off, I'll partition the stick - so I have two partitions. One for FAT32 and one for UFS. If commandline fdisk(1) is too complex, you can use the fdisk(1) interface from /stand/sysinstall. (Please know what you are doing here, as you can mess of the partitions on your harddrive - should you write to the wrong device).
Also, I'm asuming you've backed up all data on your USB dongle ! No ? Well, your loss.
So - I've split up my key into two 64MB partitions (slices) - one (the first) with subtype 6 (FAT) and the second with subtype 165(UFS). To contruct the actual filesystem, I will use newfs_msdos(1) - like so:
root@mich ~# newfs_msdos -F 32 /dev/da0s1Now - you will have a perfectly usable FAT32 partition on the first slice. Stick it into a MS Windows PC and see it work. This will function as my public share on the key.
The second slice I'll use for the encrypted part. You should not newfs(1) it, before having created the encrypted device - else you'll be able to mount two different filesystems that will write to the same sectors on the device - and we all know, that can't be good.
Start of by initializing gbde and creating a key. (Make sure you have OPTIONS GEOM_BDE compiled into your kernel, or that you have loaded the kernel module)
This will bring up a template with the description of the parameters for gbde. Since I'm using an UFS filesystem, I will change the sector_size to 2048 as it should be set to the fragment size. The rest I will leave as default.
root@mich ~# gbde init /dev/da0s2 -i
Now you will be prompted for your passphrase:
Fill it in twice, and voila. (The longer the passphrase, the better the encryption)
Enter new passphrase:
Now you can do:
root@mich ~# gbde attach /dev/da0s2
root@mich ~# mount /dev/da0s2.bde /mnt/key
Once you are finished putting top secret files (or your porn) into /mnt/key - you should do the following:
And your porn^h^h^hdata - is now safely stored on your USB device.
root@mich ~# umount /mnt/key
root@mich ~# gbde detach /dev/da0s2.bde
PS. Don't forget your passphrase, or you'll be screwed.