Instructions for an encrypted /etc/ =================================== 0. Turn on swap encryption -------------------------- Might as well do this before you start, if you haven't already. Edit the /etc/sysctl.conf to uncomment the vm.swapencrypt.enable=1 line. (And mount /tmp as a memory fs (mfs) too (see fstab(5) for an example.) 1. isffs program ---------------- isffs is a little program to determine if a file looks like it contains a file system. Specifically, it looks for the ffs magic number in the first super-block. This needs to be compiled with -static, and placed in /sbin. cc -static isffs.c -o isffs strip isffs cp isffs /sbin 2. static vnconfig ------------------ vnconfig is normally installed in /usr/sbin as a dynamically (run-time) linked program. A static version must be installed in /sbin, to be available at boot time. install src tree cd /usr/src/usr.sbin/vnconfig edit the Makefile and add -static to the library flags line: LDADD= -static -lutil make obj && make depend && make strip obj/vnconfig cp obj/vnconfig /sbin 3. cvn* scripts --------------- Some scripts to create, mount, and unmount vnd ffs filesystems. Copy cvn_mount, cvn_umount, and cvn_create to /sbin. 4. setup /etc.vn ---------------- First make what will become the new single-user /etc directory, and copy the few necessary files into it: mkdir /etc.vn cd /etc cp -pR fstab group localtime login.conf man.conf \ master.passwd moduli mtree passwd pwd.db spwd.db \ sysctl.conf termcap ttys /etc.vn It's better if you started with a clean system install; but if you didn't, edit the /etc.vn password and group files to delete anything you added. (And delete root's password.) 5. add the stub rc ------------------ Place the stub rc file in /etc.vn 6. make vnd filesystem ---------------------- The following will create a 5M encrypted vnd filesystem: mkdir /cvn cvn_create /cvn/cvnetc 5000 You will be prompted for your password. It only asks once, so immediately after creating it, you must test it: cvn_mount svnd0 /cvn/cvnetc /mnt If it mounts cleanly, you may then copy /etc into it: cp -pR /etc/* /mnt Then unmount: cvn_umount /mnt 7. install the stub /etc ------------------------ Move the full /etc aside: mv /etc /etc.save Move the stub /etc into place: mv /etc.vn /etc Reboot. 8. booting ---------- On boot, you should now be asked for the encryption key. Then isffs will check that the vnd device appears to contain an FFS filesystem, and if it does, will call fsck on it, and mount it on /etc. Execution will then jump to the full "real" /etc/rc, and the machine should start up normally. 9. cleanup ---------- Once you are satisfied that it all starts properly, you may delete /etc.save. Or perhaps, overwrite each of the files first, then delete them (rm -P). This is probably unecessary if you started with a clean, vanilla system, before installing anything else. (Oh, and don't use the root password you used when installing.) (Then make yourself an encrypted /home filesystem. Left as an exercise for the reader.) This all is not paranoid enough. But it's as paranoid as I feel at the moment.