Disk encryption is becoming more important in our day-to-day life, especially when you have access to corporate servers or “top secret” files.
I love FreeBSD: it’s simple, rock-solid, easy to use, and the handbook is amazing! It also offers to encrypt the disks during installation. I use FreeBSD everywhere (and TrueOS on my laptop), but encrypting every block costs CPU time on every read and write, so instead of full disk encryption on my laptop I keep a small encrypted container, a USB drive or a ZFS ZVOL, and put only the files that need it there.
Here’s how to do so 🙂
If you compiled your own kernel, ensure it contains these options:
options GEOM_ELI
device crypto
Otherwise, make sure the crypto and geom_eli modules are loaded (kldload geom_eli pulls in crypto as a dependency for the running system) and add these lines to /boot/loader.conf so they are loaded at boot:
crypto_load="YES"
geom_eli_load="YES"
Let’s move on.
Now we need the partition that we are going to encrypt.
If it’s a USB drive that you want to encrypt, first plug it into your computer, then find its GEOM provider name:
# geom disk list
Geom name: ada0
Providers:
1. Name: ada0
   Mediasize: 480103981056 (447G)
   Sectorsize: 512
   Mode: r1w1e2
   descr: SanDisk Ultra II 480GB
   lunid: 5001b444a4a40542
   ident: 162265428493
   rotationrate: 0
   fwsectors: 63
   fwheads: 16
Geom name: da0
Providers:
1. Name: da0
   Mediasize: 4004511744 (3.7G)
   Sectorsize: 512
   Mode: r0w0e0
   descr: SanDisk Cruzer Fit
   lunname: SanDisk Cruzer Fit      4C532000030211123165
   lunid: SanDisk Cruzer Fit      4C532000030211123165
   ident: 4C532000030211123165
   rotationrate: unknown
   fwsectors: 63
   fwheads: 255
Destroy and Create New Partitions
Okay, as we can see it’s da0. Let’s wipe its partition table and create a new one with a single partition. Make sure you back up anything on the drive first: the data is gone once we do this.
# gpart destroy -F da0
da0 destroyed
# gpart create -s GPT da0
da0 created
# gpart add -t freebsd-ufs -i 1 da0
da0p1 added
In my case I didn’t want to use a USB drive, I wanted an encrypted ZVOL, so here’s how to do that as well.
First, create a ZVOL:
# zfs create -V 1G zroot/private
Okay, so in the USB case we have a partition waiting for us, and in the ZVOL case a 1 GB volume.
Let’s encrypt those!
Initiating Encryption
There are multiple ways to encrypt a provider, check geli(8) for detailed info. Here I’ll show you two options:
- Encrypting with a key file combined with a passphrase (both are needed to attach; geli derives the key that protects the provider from the two together).
- Encrypting with a passphrase only.
For the first option, first generate a key file. Keep it readable by root only; a key file that anyone can copy adds nothing to the passphrase.
# dd if=/dev/random of=/root/master.key bs=64 count=1
Now we initialize the provider that needs to be encrypted. -s 4096 sets the sector size of the encrypted provider to 4 KiB, which lowers the per-sector overhead; the cipher defaults to AES-XTS.
# geli init -s 4096 -K /root/master.key /dev/da0p1
or in case of ZVOL
# geli init -s 4096 -K /root/master.key /dev/zvol/zroot/private
You’ll be asked to enter your passphrase, twice. geli init also writes a copy of the provider’s metadata to /var/backups/<provider>.eli; keep that file somewhere safe, because if the metadata sector is ever overwritten, the data on the provider is unrecoverable.
For the second option it’s exactly the same command without -K /root/master.key, so for the ZVOL it would be:
# geli init -s 4096 /dev/zvol/zroot/private
Attaching Encrypted Disks
Now we can attach the provider, with the key file or without it. Here’s an example with the key file:
# geli attach -k /root/master.key /dev/da0p1
You will be asked for your passphrase; attaching needs both the key file and the passphrase.
Or with the passphrase only, here’s an example:
# geli attach /dev/zvol/zroot/private
This creates a new device with the .eli extension next to the original one:
# ls /dev/zvol/zroot/
private    private.eli
Create New File System
First, let’s overwrite whatever is on the device and then format it with a UFS file system. Everything written through the .eli device lands on the disk as ciphertext, which is indistinguishable from random data, so /dev/zero as the input gives the same on-disk result as /dev/random and is much faster. dd stops with “No space left on device” when it reaches the end of the volume; that is expected.
# dd if=/dev/random of=/dev/zvol/zroot/private.eli bs=1m
# newfs /dev/zvol/zroot/private.eli
Mount and Use
Create the mount point (/mnt/private here) if it doesn’t exist yet, then mount the .eli device, never the raw provider:
# mount /dev/zvol/zroot/private.eli /mnt/private
# echo 'some data' > /mnt/private/mytopsecretdata
Detaching Encrypted Volume
Unmount first; geli refuses to detach a provider that is still in use.
# umount /mnt/private
# geli detach /dev/zvol/zroot/private.eli
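The whole procedure above, from geli init to detach, wrapped into a small sh script with the checks I would want before trusting it with real data: the key file must be mode 0600, the mount point is created, a failed mount detaches the provider again so no plaintext device is left dangling, and the geli metadata is backed up. This is an added example, not code from the original post or from FreeBSD; the encvol_* function names, the ENCVOL_BACKUP_DIR location and the DRY_RUN switch (which prints the privileged commands instead of running them) are this example’s own inventions.

```shell
#!/bin/sh
# encvol.sh: geli init / attach / newfs / mount / detach with checks.
# Added example, not part of the original post. Assumes a FreeBSD root shell
# with the geom_eli module loaded. encvol_* names, ENCVOL_BACKUP_DIR and
# DRY_RUN are inventions of this example.
# DRY_RUN=1 prints the privileged commands instead of executing them.

ENCVOL_BACKUP_DIR="${ENCVOL_BACKUP_DIR:-/root/geli-backups}"

# Run a command, or print it under DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A key file with group/other bits set is useless as a second factor:
# accept only mode 0600 regular files (checked via ls -l so it is portable).
encvol_keyfile_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Name of the plaintext device geli creates when a provider is attached.
encvol_eli_dev() {
    printf '%s.eli\n' "$1"
}

# One-time setup: create the key file if missing, init the provider and
# back up its metadata (losing the metadata sector means losing the data).
encvol_init() {
    target=$1; keyfile=$2
    if [ ! -f "$keyfile" ]; then
        run dd if=/dev/random of="$keyfile" bs=64 count=1
        run chmod 600 "$keyfile"
    fi
    run geli init -s 4096 -K "$keyfile" "$target"
    run mkdir -p "$ENCVOL_BACKUP_DIR"
    run geli backup "$target" "$ENCVOL_BACKUP_DIR/$(basename "$target").eli.bak"
}

# Attach and mount. keyfile "-" means passphrase-only (provider was
# initialised without -K). geli prompts for the passphrase itself.
encvol_open() {
    target=$1; keyfile=$2; mnt=$3
    eli=$(encvol_eli_dev "$target")
    if [ "$keyfile" != "-" ]; then
        encvol_keyfile_ok "$keyfile" || {
            echo "refusing: $keyfile must be a mode 0600 regular file" >&2
            return 1
        }
        run geli attach -k "$keyfile" "$target" || return 1
    else
        run geli attach "$target" || return 1
    fi
    run mkdir -p "$mnt"
    # Do not leave a plaintext device around if the mount fails.
    if ! run mount "$eli" "$mnt"; then
        run geli detach "$eli"
        return 1
    fi
}

# First use only, after encvol_open: fill the volume, then create UFS.
# Zeros written through the .eli device are stored as ciphertext, so
# /dev/zero gives the same on-disk result as /dev/random, much faster.
# dd exits non-zero when it hits the end of the device; that is expected.
encvol_format() {
    eli=$(encvol_eli_dev "$1")
    run dd if=/dev/zero of="$eli" bs=1m || true
    run newfs "$eli"
}

# Unmount, then detach; detach fails while the file system is mounted.
encvol_close() {
    target=$1; mnt=$2
    run umount "$mnt" || return 1
    run geli detach "$(encvol_eli_dev "$target")"
}

# CLI: encvol.sh init <prov> <keyfile> | open <prov> <keyfile|-> <mnt>
#      encvol.sh format <prov> | close <prov> <mnt>
if [ $# -gt 0 ]; then
    cmd=$1; shift
    case "$cmd" in
        init)   encvol_init "$@" ;;
        open)   encvol_open "$@" ;;
        format) encvol_format "$@" ;;
        close)  encvol_close "$@" ;;
        *)      echo "usage: $0 init|open|format|close ..." >&2; exit 2 ;;
    esac
fi
```

For the ZVOL from the post the sequence is `encvol.sh init /dev/zvol/zroot/private /root/master.key`, then `encvol.sh open /dev/zvol/zroot/private /root/master.key /mnt/private`, `encvol.sh format /dev/zvol/zroot/private` once, and `encvol.sh close /dev/zvol/zroot/private /mnt/private` when done. Note that filling the volume in encvol_format allocates every block of a ZVOL, so a sparse volume (zfs create -s) loses its sparseness at that point.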