FreeBSD USB Disk and ZVOL Encryption with GELI
Disk encryption is becoming more important in our day to day life, especially when you have access to corporate servers or “top secret” files.
I love FreeBSD: it’s simple, rock-solid, easy to use, and the handbook is amazing! It also offers to encrypt the disks during installation. I use FreeBSD everywhere (and TrueOS on my laptop), but full disk encryption costs a lot of CPU power, so instead of encrypting my laptop’s whole disk I chose to keep a small medium, a USB drive or a ZFS ZVOL, and encrypt only that.
Here’s how to do so :)
If you compiled your own kernel, ensure it contains these options:
options GEOM_ELI
device crypto
Now, make sure geom_eli is loaded and add these lines to
Let’s move on.
Now we need the partition that we are going to encrypt. If it’s a USB drive that you want to encrypt, here’s what to do. First, plug the USB drive into your computer. Then check its GEOM class name:
# geom disk list
Geom name: ada0
Providers:
1. Name: ada0
   Mediasize: 480103981056 (447G)
   Sectorsize: 512
   Mode: r1w1e2
   descr: SanDisk Ultra II 480GB
   lunid: 5001b444a4a40542
   ident: 162265428493
   rotationrate: 0
   fwsectors: 63
   fwheads: 16

Geom name: da0
Providers:
1. Name: da0
   Mediasize: 4004511744 (3.7G)
   Sectorsize: 512
   Mode: r0w0e0
   descr: SanDisk Cruzer Fit
   lunname: SanDisk Cruzer Fit 4C532000030211123165
   lunid: SanDisk Cruzer Fit 4C532000030211123165
   ident: 4C532000030211123165
   rotationrate: unknown
   fwsectors: 63
   fwheads: 255
Destroy and Create New Partitions
Okay, as we can see it’s da0. First, let’s destroy its partition table and make a new partition on it! (Destroying the partition table wipes the drive, so make sure you back up your data first if there are any important files on it.)
# gpart destroy -F da0
da0 destroyed
# gpart create -s GPT da0
da0 created
# gpart add -t freebsd-ufs -i 1 da0
da0p1 added
In my case, I didn’t want to use a USB drive; I wanted an encrypted ZVOL, so here’s how to do that as well. First, create a ZVOL:
# zfs create -V 1G zroot/private
Okay, so in the case of the USB drive we now have a partition waiting for us, and in the case of the ZVOL we have a 1 GB volume.
Let’s encrypt those!
There are multiple ways to encrypt a disk; check geli(8) for the details. Here I’ll show you two options:
- Encrypting with a master key that is protected with a passphrase.
- Encrypting with a passphrase only.
For the first option, generate a key file first. Keep it readable by root only: anyone who obtains both the key file and the passphrase can decrypt the volume.
# dd if=/dev/random of=/root/master.key bs=64 count=1
Now we initialize the provider that needs to be encrypted:
# geli init -s 4096 -K /root/master.key /dev/da0p1
or, in the case of the ZVOL:
# geli init -s 4096 -K /root/master.key /dev/zvol/zroot/private
You’ll be asked to enter your passphrase, twice.
For the second option it’s exactly the same command without -K /root/master.key, so for the ZVOL it would be:
# geli init -s 4096 /dev/zvol/zroot/private
Attaching Encrypted Disks
Now we can attach the provider, with the generated key or without it. Here’s an example with the key:
# geli attach -k /root/master.key /dev/da0p1
You will be asked for your passphrase. Or, without the key file, using only the passphrase:
# geli attach /dev/zvol/zroot/private
This creates a new device with the .eli suffix:
# ls /dev/zvol/zroot/private
private.eli%  private%
Create New File System
First, let’s overwrite whatever is on the device with random data, then format it with a UFS file system. dd stops with an error once it reaches the end of the device; that is expected.
# dd if=/dev/random of=/dev/zvol/zroot/private.eli bs=1m
# newfs /dev/zvol/zroot/private.eli
Mount and Use
# mount /dev/zvol/zroot/private.eli /mnt/private
# echo 'some data' > /mnt/private/mytopsecretdata
Detaching Encrypted Volume
# umount /mnt/private
# geli detach /dev/zvol/zroot/private.eli
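As an added example (not part of the original post), here is the whole workflow above wrapped in a small POSIX sh script with the checks I’d want around it: the key file is created with a restrictive umask and refused if it is readable by anyone but its owner or shorter than the 64 bytes dd produced, the passphrase-only and key-file variants of geli init and geli attach share one code path, the one-time random fill and newfs are separated from everyday attach/mount, and a failed mount detaches the .eli device again instead of leaving it unlocked. The function names and every path are placeholders of my own; the geli, newfs and mount functions assume FreeBSD with geom_eli loaded and root privileges, while the key-file checks run anywhere.

```sh
#!/bin/sh
# Added example, not from the original post: the GELI workflow as shell
# functions with the checks a careful admin wants around it.
# Assumptions: FreeBSD with geom_eli loaded and root privileges for the
# geli/newfs/mount functions; every path passed in is a placeholder.

# Refuse a key file that is readable by group/other, or shorter than the
# 64 bytes the post's dd command produces. Uses ls/wc so it works on both
# BSD and GNU userland (stat(1) format flags differ between them).
check_key_file() {
    f=$1
    [ -f "$f" ] || { echo "key file $f missing" >&2; return 1; }
    # columns 5-10 of "ls -l" are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f readable by others ($perms)" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 64 ] || { echo "$f is only $size bytes" >&2; return 1; }
    return 0
}

# Generate the master key without ever leaving it world-readable: the
# umask applies at creation, unlike a chmod run afterwards.
make_key_file() {
    f=$1
    [ -e "$f" ] && { echo "refusing to overwrite $f" >&2; return 1; }
    ( umask 077 && dd if=/dev/random of="$f" bs=64 count=1 2>/dev/null ) || return 1
    check_key_file "$f"
}

# Option 1 (key file + passphrase) when $2 is given, option 2 (passphrase
# only) when it is empty. geli prompts for the passphrase itself.
geli_init_provider() {
    provider=$1 keyfile=$2
    if [ -n "$keyfile" ]; then
        check_key_file "$keyfile" || return 1
        geli init -s 4096 -K "$keyfile" "$provider"
    else
        geli init -s 4096 "$provider"
    fi
}

geli_attach_provider() {
    provider=$1 keyfile=$2
    if [ -n "$keyfile" ]; then
        geli attach -k "$keyfile" "$provider"
    else
        geli attach "$provider"
    fi
}

# One-time step after the first attach: fill the .eli device with random
# data, then create the UFS file system. dd stops with an "end of device"
# error when the volume is full, so its exit status is ignored on purpose.
geli_format_new() {
    eli="$1.eli"
    dd if=/dev/random of="$eli" bs=1m 2>/dev/null
    newfs "$eli"
}

# Attach and mount; if the mount fails, detach again so no unlocked .eli
# device is left lying around.
geli_mount() {
    provider=$1 mountpoint=$2 keyfile=$3
    geli_attach_provider "$provider" "$keyfile" || return 1
    mkdir -p "$mountpoint" && mount "$provider.eli" "$mountpoint" && return 0
    echo "mount failed, detaching $provider.eli" >&2
    geli detach "$provider.eli"
    return 1
}

# Unmount first; only detach once nothing uses the file system any more.
geli_unmount() {
    provider=$1 mountpoint=$2
    umount "$mountpoint" || { echo "$mountpoint busy, not detaching" >&2; return 1; }
    geli detach "$provider.eli"
}

# Typical first use on the post's ZVOL (placeholder paths, run as root):
#   make_key_file /root/master.key
#   geli_init_provider /dev/zvol/zroot/private /root/master.key
#   geli_attach_provider /dev/zvol/zroot/private /root/master.key
#   geli_format_new /dev/zvol/zroot/private && geli detach /dev/zvol/zroot/private.eli
# and from then on:
#   geli_mount /dev/zvol/zroot/private /mnt/private /root/master.key
#   geli_unmount /dev/zvol/zroot/private /mnt/private
```

The key-file check deliberately avoids stat(1), whose format flags differ between FreeBSD and GNU coreutils, so the same script can be linted on a Linux workstation before it is copied to the FreeBSD box. Passing an empty third argument to geli_mount gives the passphrase-only behaviour of the second option in the post.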