
Encrypted partition in image on a live fs with Geli, FreeBSD

Updated on: March 24, 2022

http://cb.vu/unixtoolbox.xhtml
http://freebsd.1045724.x6.nabble.com/growfs-failure-td6016477.html
custom on-boot script

Goal: Have an encrypted home folder, on an image file, which you mount on startup for a selected user.
Target: Live environment, filesystem to remain intact; root access.

Create an image file to hold a filesystem for the home partition, then attach it as a vnode-backed memory disk. Encrypt that device with geli, then mount the decrypted device at a mountpoint (/home/dach). I keep the filesystem images in a /vnodes folder; the image for this user is /vnodes/dach.img.

truncate -s300M /vnodes/dach.img
mdconfig -at vnode -f /vnodes/dach.img -u 8001 (where 8001 is the unit number of the md device to create, i.e. /dev/md8001)
geli init /dev/md8001 (encrypts the device and asks for a passphrase; this is geli without a separate key file, just passphrase-based encryption)
geli attach /dev/md8001 (decrypts the device and creates /dev/md8001.eli, the decrypted device)
newfs -L MYLABEL /dev/md8001.eli (creates a UFS filesystem; -L sets a label and is optional)

We now have a 300 MB UFS filesystem on the dach.img, which is encrypted by Geli.

Mounting at boot:

Tedious task. Easiest way I could find to accomplish this is to add a few lines to /etc/rc.local to perform the decryption and mounting before login (in rc.local):

#!/bin/sh
mdconfig -at vnode -f /vnodes/dach.img -u 8001
geli attach /dev/md8001
mount /dev/md8001.eli /home/dach

On bootup you'll be prompted for the geli passphrase. This build assumes a single user on the machine (TODO: multi-user setup where the password is not always required; the prompt can be skipped with Ctrl-C, in which case the device is not mounted).

Changing the Geli password: since we're not using a key file, changing the passphrase is simply geli setkey /dev/md8001 (note that changing the passphrase while the device is attached (decrypted) does not unmount it; it stays mounted).

Growing the filesystem.
First unmount the filesystem, detach the geli device and destroy the md device:

umount /home/dach
geli detach /dev/md8001.eli
mdconfig -du 8001

truncate -s +100M /vnodes/dach.img
mdconfig -at vnode -f /vnodes/dach.img -u 8001
geli resize -s 300M /dev/md8001 (where 300M is the old size of the provider; the -s option is mandatory)
geli attach /dev/md8001
growfs /dev/md8001.eli


TODO: Mount image file post login for a selected user with a .profile file equivalent.

Temp solution: /home/dach has a .bashrc file in place before the encrypted image gets mounted; when the user logs in, they run a custom script using sudo (the sudoers file grants NOPASSWD for "mountgeli" and "umountgeli"):

/root/mountgeli:
#!/bin/sh
# Derive an md unit number from the invoking user's name: the first five digits of its MD5 hex digest
_user="$(printf '%s' "$SUDO_USER" | md5 | tr -dc 0-9 | head -c5)"
mdconfig -at vnode -f "/vnodes/$SUDO_USER.img" -u "$_user"
geli attach "/dev/md$_user"
mount "/dev/md$_user.eli" "/home/$SUDO_USER"

/root/umountgeli:
#!/bin/sh
# Same unit derivation as in mountgeli, so both scripts address the same md device
_user="$(printf '%s' "$SUDO_USER" | md5 | tr -dc 0-9 | head -c5)"
umount -f "/home/$SUDO_USER"
geli detach "/dev/md$_user"
mdconfig -du "$_user"

Of course this only works if the user has a .bash_logout in their encrypted image, as otherwise the unmount script will not be run.
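A hardened version of the two helper scripts above, combined into one script with mount/umount subcommands; this is an added example, not the author's code. It assumes the same /vnodes/<user>.img and /home/<user> layout, swaps the md5-derived unit number for 10000 + uid (unique per user, so two users can never be assigned the same md device), and only uses mdconfig and geli options from the FreeBSD manual pages.

```shell
#!/bin/sh
# Hardened per-user geli helper (added example, not the page's scripts). Assumptions:
# images are /vnodes/<user>.img, homes are /home/<user>, and each user's md unit is
# 10000 + uid, which is unique per user (the md5-digit trick can collide or yield md0).
set -eu
IMG_DIR=/vnodes
UNIT_BASE=10000

# Accept only plain account names, so the name can never smuggle a path component.
valid_user() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; *) return 0 ;; esac
}

# md unit for a numeric uid; the offset keeps clear of the low md units the system uses.
md_unit_for_uid() { printf '%d\n' $(( UNIT_BASE + $1 )); }

# Is md<unit> currently attached? (mdconfig -lv prints one "mdN type size file" line each)
md_attached() { mdconfig -lv 2>/dev/null | grep -q "^md$1[[:space:]]"; }

geli_mount() {
    valid_user "$1" || { echo "refusing user name '$1'" >&2; return 1; }
    unit=$(md_unit_for_uid "$(id -u "$1")")
    # An attached unit means a previous session is still live: do not double-mount.
    if md_attached "$unit"; then echo "md$unit already attached" >&2; return 1; fi
    mdconfig -at vnode -f "$IMG_DIR/$1.img" -u "$unit"
    # Free the unit again if the passphrase prompt is aborted (Ctrl-C) or fails.
    geli attach "/dev/md$unit" || { mdconfig -du "$unit"; return 1; }
    mount "/dev/md$unit.eli" "/home/$1"
}

geli_umount() {
    valid_user "$1" || { echo "refusing user name '$1'" >&2; return 1; }
    unit=$(md_unit_for_uid "$(id -u "$1")")
    # Unmount, then drop the cleartext provider, then free the unit. A failing umount
    # (files still open) aborts here, so the provider is never detached under a live fs.
    if mount | grep -q " on /home/$1 "; then umount "/home/$1"; fi
    if [ -e "/dev/md$unit.eli" ]; then geli detach "/dev/md$unit.eli"; fi
    if md_attached "$unit"; then mdconfig -du "$unit"; fi
}

# Under sudo, act for the invoking user (sudoers grants NOPASSWD for "mount"/"umount").
case "${1:-}" in
    mount)  geli_mount "$SUDO_USER" ;;
    umount) geli_umount "$SUDO_USER" ;;
esac
```

Each teardown step is skipped if an earlier run already did it, so a second umount after a failed logout script is harmless.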