Encrypted Filesystem

Martin Hinner writes on his site that the MBWE supports hardware based encryption. He even shows us how to format and mount a partition using their hardware based encryption. I have studied the scripts on the MBWE a little closer and found the following:

- Both internal shares and external (e.g. USB sticks) support hardware based encryption.
- There are no scripts to set up the internal shares.
- The key is expected to reside on an iButton.
- If an iButton is plugged into the MBWE, the key is extracted from it and passed to /etc/hotplug/mount_encrypted_drives.sh
- The password to extract the key from the iButton is HARDCODED!!! (shame on you - either WD or Oxford Semiconductors)

So let's configure our MBWE to use an encrypted internal share. This is useful if you're concerned about someone stealing the MBWE and then accessing the data. It is also good if you live in a hostile environment (e.g. the USA) and want to protect data from prosecution or other governmental abuse. For the latter, though, I don't recommend the key extraction from a USB stick described below; the better choice is to store the keys in an encrypted, password-protected file on a separate machine and enter them manually each time the MBWE boots.

WARNING: THE FOLLOWING INSTRUCTION WILL DELETE ALL DATA CURRENTLY ON YOUR MYBOOK!!!!!!!!

NOTE: These commands are assuming you are using the Linear (non-mirrored) setup for your MBWE. If you are using the mirrored setup, replace sda4 with md4 everywhere it appears.

- Choose two 32-byte keys. Make sure you never lose them. I advise storing them in an encrypted, password-protected file; GPG is helpful for that.
- umount /shares/internal
- delete the /shares/internal entry in /etc/fstab so it doesn't get mounted on startup
- Create a script /root/encdisk.sh with the following content. Reading the keys from stdin ensures that the keys you chose are not stored in the command-line history (which is not encrypted).

#!/bin/sh
# Read the two keys from stdin, one per line, so they never appear on a
# command line or in the shell history.
read key1
read key2

# Device-mapper table covering the whole partition:
#   <start sector> <length in sectors> ox-crypt <key1> <key2> 0 <device> 0
# The keys are quoted so the shell passes each one through as a single word.
echo 0 `cat /sys/block/sda/sda4/size` ox-crypt "$key1" "$key2" 0 /dev/sda4 0 | /usr/sbin/dmsetup create dmsda4

- # chmod 755 /root/encdisk.sh
- execute the script and enter the two keys on two separate lines.
- # mke2fs -j /dev/mapper/dmsda4
- # mount /dev/mapper/dmsda4 /shares/internal

You now have an encrypted filesystem. If you're super paranoid then stop here: you will have to log in to the MBWE manually every time it is power-cycled and execute /root/encdisk.sh to provide the keys.

If you're willing to store the keys on an external USB stick then do the following:

- Create a file "key" on the USB stick that contains nothing but both 32-byte keys, separated by a space.
- in /etc/hotplug/mount-external-drive add the following lines to the end of the file:

if [ -f /shares/external/${disk_name}/${partition_label}/key ]
then
        cat /shares/external/${disk_name}/${partition_label}/key >> /var/keysin
        /etc/hotplug/mount_encrypted_internal_drives.sh
fi

- We have to create mount_encrypted_internal_drives.sh because the provided mount_encrypted_drives.sh also tries to mount external USB drives, which would put us in a loop here:

# cd /etc/hotplug
# head -116 mount_encrypted_drives.sh > mount_encrypted_internal_drives.sh
# echo "fi" >> mount_encrypted_internal_drives.sh
# chmod 755 mount_encrypted_internal_drives.sh

- Create an entry in /etc/efstab. It appears that mount_encrypted_internal_drives.sh has a bug that makes it read only the first line.

# cp /etc/efstab /etc/efstab.bak
# echo sda4 dmsda4 /shares/internal > /etc/efstab

It appears that if the USB key is inserted while the drive is starting up, it may "break" the keyring program. This can be fixed as follows:
- Edit /etc/init.d/S28keyring
- Look for the 2 lines containing "mkfifo"
- Immediately above these 2 lines, insert this line: rm -f /var/keysin /var/keysout

Voilà. When you power-cycle the MBWE, simply plug in the USB stick with the keys and the encrypted drive will be mounted.

I hope I caught everything that I did to my device. If not please feel free to change.

Optional:
- If you would like the USB drive to be unmounted automatically so that you can pull it out once the keys have been read, edit the script /etc/hotplug/mount_encrypted_internal_drives.sh as follows. The added lines flash the LED on the drive for 10 seconds to indicate that the USB drive can be removed.
- Search for the line that says: debug_mesg "mounted ok"
- Add these lines immediately after:

debug_mesg "unmounting USB drive"
/var/run/block/sdc
debug_mesg "Confirm USB drive was unmounted"
if grep -q "sdc" /proc/mounts
then
    debug_mesg "USB drive not unmounted for some reason."
else
    debug_mesg "Flashing light for 10 seconds."
    echo 1 > /sys/class/leds/wdc-leds:over-temp/brightness
    sleep 10
    echo 0 > /sys/class/leds/wdc-leds:over-temp/brightness
fi

Some things to consider or to do:
- Oxford Semiconductor claims 128-bit AES encryption. Can you trust them? Do we know that there's no back-door?
- Ensure that you store the USB stick separate from the MBWE (duh).
- We might want to consider encrypting the swap partition with a random key every time the MBWE boots. I cannot guarantee that the key will never be stored in swap and would therefore be readable in a forensic analysis.
- Program an applet that reads a password from a different machine so that we could PGP encrypt the keys on the USB stick and prompt for a password on a separate computer. Now THAT would be awesome but I haven't had the time to implement this (yet).
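The swap point above is worth more than a note, because a key that was ever paged out survives a power cycle on an unencrypted swap partition. The script below is an added example, not from the wiki, of the approach suggested there: at every boot, draw two fresh keys from /dev/urandom, map the swap partition through the same ox-crypt target the page uses for /dev/sda4, and run mkswap and swapon on the mapping. Nothing on the page identifies the swap partition, so SWAP_DEV is a placeholder to be replaced after checking /etc/fstab; the page also never states what characters a key may contain, so the assumption that a 32-character hex string is accepted like the keys typed into /root/encdisk.sh is exactly that, an assumption. The example further assumes od, dmsetup, mkswap and swapon exist on the device.

```shell
#!/bin/sh
# Added example, not from the wiki: swap on top of the ox-crypt target with
# keys drawn from /dev/urandom at every boot, so the swap partition holds
# nothing readable once the MBWE is powered off and the keys are gone from RAM.
# Assumptions (none are on the page): the swap partition is SWAP_DEV below (a
# placeholder; check /etc/fstab), ox-crypt accepts a 32-character hex string
# the same way it accepts the keys typed into /root/encdisk.sh, and
# od/dmsetup/mkswap/swapon exist on the device.

SWAP_DEV=${SWAP_DEV:-/dev/sdaX}   # placeholder partition, not taken from the page
DM_NAME=${DM_NAME:-dmswap}

# 16 random bytes rendered as 32 hex characters; never written to any file.
random_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Disk name of a partition path for sdX/mdX style names: /dev/sda3 -> sda, /dev/md4 -> md.
disk_of() {
    part=${1##*/}
    printf '%s\n' "${part%%[0-9]*}"
}

# Sector count from sysfs; md devices sit directly under /sys/block,
# partitions of a disk under /sys/block/<disk>/<partition>.
sectors_of() {
    part=${1##*/}
    if [ -r "/sys/block/$part/size" ]; then
        cat "/sys/block/$part/size"
    else
        cat "/sys/block/$(disk_of "$1")/$part/size"
    fi
}

# Same table layout as /root/encdisk.sh, with the device as a parameter:
#   <start> <sectors> ox-crypt <key1> <key2> 0 <device> 0
swap_table() {
    dev=$1; sectors=$2; key1=$3; key2=$4
    printf '0 %s ox-crypt %s %s 0 %s 0\n' "$sectors" "$key1" "$key2" "$dev"
}

# Boot-time sequence (run as root from an init script that runs before
# anything calls swapon): fresh keys, map the partition, make and enable swap.
# The keys exist only in this shell's memory and in the kernel's dm table.
setup_encrypted_swap() {
    k1=$(random_key); k2=$(random_key)
    swap_table "$SWAP_DEV" "$(sectors_of "$SWAP_DEV")" "$k1" "$k2" \
        | /usr/sbin/dmsetup create "$DM_NAME" || return 1
    mkswap "/dev/mapper/$DM_NAME" && swapon "/dev/mapper/$DM_NAME"
}
```

Because mkswap rewrites the mapping on every boot, the original swap entry in /etc/fstab has to be removed or pointed at /dev/mapper/dmswap, and anything that ran swapon on the raw partition earlier in the boot sequence would reintroduce unencrypted swap.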

Addendum:
I have used the hardware based disk encryption for about 2 years. I did experience some unexplainable instability of the MyBook. Every 14 or so days the system just hung. Not even pings worked. After moving to a country with privacy laws I deemed this level of security no longer necessary and re-formatted the partitions to no longer use the hardware based disk encryption. Stability of the MyBook has drastically increased. This must be one of the reasons this feature was never enabled in the MyBook.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License