Note: geli metadata version 7 is in the wild (at least in FreeBSD 10), and it changed something about encryption that ungeli does not handle yet: http://svnweb.freebsd.org/base?view=revision&revision=238116. Presumably earlier versions have other differences I haven't accounted for, so don't try to read them either.
ungeli
I recently started using geli-encrypted devices for offsite backups. However, I worry that in the event of a disaster I'm more likely to have a Linux machine on hand than a (k)FreeBSD machine, so I'd like to be able to read my backups.
To that end, this is a C / OpenSSL program that decrypts a geli volume given its passphrase or its master key in hex, optionally serving the decrypted contents as a block device via nbd on Linux.
These utilities have only been tested on a toy-sized AES-128-XTS volume that uses a passphrase and no keyfiles. This is the only supported cipher type, and authentication is not supported. Only a blocksize of 4096 has been tested, and volumes of more than 2^20 blocks (which require multiple data keys) have also not been tested.
Requirements
- gnu99-compatible C compiler (tested with gcc 4.8)
- OpenSSL (a recent version is required for AES-128-XTS; tested with 1.0.1e)
- Optional: Linux (for network block device support)
Usage
The volumes I've tested this on so far are created with nearly-default parameters, `geli init -s 4096 -J geli-password block-device`, which gives AES-128-XTS encryption and no authentication. This is probably the only type of volume that will work. Now you can decrypt with ungeli (if you pass a master key, specify the whole key; the "..." in the transcripts below marks truncated output and is not something to type):
```
$ make
$ ./ungeli -j geli-password -n 2 geli-test
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
...
```
You can also serve the decrypted contents via a network block device:
```
$ sudo ./ungeli -j geli-password geli-test /dev/nbd0 &
$ dd if=/dev/nbd0 bs=4096 count=2
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
...
```
If that volume happens to be a compatible zpool, you can import it read-only with zfsonlinux:
```
$ sudo ./ungeli -j geli-password encrypted-zpool /dev/nbd0 &
$ sudo zpool import -d /dev -o readonly=on npool
$ cat /npool/example/GPL-3
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
...
```
TODO
Possible areas for contribution include:
- Support for keyfiles
- Support for additional encryption types
- Support for authentication
- Support for write access
- Refactoring / restructuring existing code to enable any of the above
License
Copyright © 2013 Jeff Epler <jepler@unpythonic.net>
GPLv3+ with OpenSSL linking exception.
When compiled and linked: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".