The arrow of time

Ivan Voras' blog

GEOM_SHSEC: A shared secret disk drive GEOM module

GEOM_SHSEC is one of the less frequently used GEOM modules from FreeBSD, but it is actually pretty interesting. It combines several drives (or any other entities which are presentable as GEOM devices - including USB memory keys and files) into a single virtual drive which has the property that all its constituent devices must be present and available before its contents can be accessed.

For example, you might have two USB keys which both need to be plugged in before the Very Important Secret stored on them can be read. A very neat concept!

GEOM_SHSEC is very easy to use. As a root, simply do a:

gshsec label -v secret /dev/ad0 /dev/da1
newfs -U /dev/shsec/secret
mount /dev/shsec/secret /mnt

... and that's it.

Internally, SHSEC will generate a RC4 stream which is keyed to the system's sources of entropy (i.e. the key is presumably totally random), using the arc4random() call, and XOR it with the data written to the device in such a way that all components to which it is written must be present to reconstruct the original data.

#1 Re: GEOM_SHSEC: A shared secret disk drive GEOM module

Added on 2013-09-18T14:02 by Patrick

That is amazing, thank you for sharing. Do you know if you can create an n of m setup, so any, say, 2 usb keys out of 3 can be used to recrate the secret?

#2 Re: GEOM_SHSEC: A shared secret disk drive GEOM module

Added on 2013-10-26T16:20 by crest

You can implement it by combining it with different RAID levels.

Post your comment here!

Your name:
Comment title:
Type "xxx" here:

Comments are subject to moderation and will be deleted if deemed inappropriate. All content is © Ivan Voras. Comments are owned by their authors... who agree to basically surrender all rights by publishing them here :)