Disk encryption is becoming more important in our day to day life, specially when you have access to some corporate servers or “top secret” files.
I love FreeBSD, it’s simple, rock-solid, easy to use, the handbook is amazing! It also has the option to encrypt the disks during installation. I use FreeBSD everywhere (and TrueOS on my laptop), but disk encryption takes a lot of power, so I chose instead of doing full disk encryption in my laptop, I’ll just have a small media like a USB drive or ZFS ZVOL and encrypt that.
Here’s how to do so :)
If you compiled your own kernel ensure it contains these options
options GEOM_ELI device crypto
Now, make sure
geom_eli is loaded and add these lines to
Let’s move on.
Now, we need the partition that we are going to encrypt it. In case it’s a USB drive that you want to encrypt, here’s what to do. First, plug-in the USB drive into your computer. Now, let’s check it’s GEOM class name.
# geom disk list Geom name: ada0 Providers: 1. Name: ada0 Mediasize: 480103981056 (447G) Sectorsize: 512 Mode: r1w1e2 descr: SanDisk Ultra II 480GB lunid: 5001b444a4a40542 ident: 162265428493 rotationrate: 0 fwsectors: 63 fwheads: 16 Geom name: da0 Providers: 1. Name: da0 Mediasize: 4004511744 (3.7G) Sectorsize: 512 Mode: r0w0e0 descr: SanDisk Cruzer Fit lunname: SanDisk Cruzer Fit 4C532000030211123165 lunid: SanDisk Cruzer Fit 4C532000030211123165 ident: 4C532000030211123165 rotationrate: unknown fwsectors: 63 fwheads: 255
Destroy and Create New Partitions
Okay, as we can see it’s da0. First, let’s destroy it and make a new partition on it! (Make sure you backup your data in case you have any important files).
# gpart destroy -F da0 da0 destroyed # gpart create -s GPT da0 da0 created # gpart add -t freebsd-ufs -i 1 da0 da0p1 added
In my case, I didn’t want to use a USB drive, I wanted to have an encrypted ZVOL, here’s how to do that as well. First, create a ZVOL
# zfs create -V 1G zroot/private
Okay, so, in case of a USB drive, we have a partition waiting for us, in case of ZVOL, we have 1GB volume.
Let’s encrypt those!
There are multiple ways to encrypt a disk, check geli(8) for detailed info. Here I’ll show you two options.
- Encrypting with a master key that is protected with a passphrase.
- Encrypting with a passphrase only.
For the first option first, generate a key!
# dd if=/dev/random of=/root/master.key bs=64 count=1
Now we initialize the provider which needs to be encrypted.
# geli init -s 4096 -K /root/master.key /dev/da0p1
or in case of ZVOL
# geli init -s 4096 -K /root/master.key /dev/zvol/zroot/private
You’ll be asked to enter your passphrase, twice.
For the second option, it’s exactly the same command without
-K /root/master.key. So for the ZVOL it would be
# geli init -s 4096 /dev/zvol/zroot/private
Attaching Encrypted Disks
Now we can attach the provider with the generated key or without it, here’s an example.
# geli attach -k /root/master.key /dev/da0p1
You will be asked for your passphrase. Or without the key, only the passphrase, here’s an example.
# geli attach /dev/zvol/zroot/private
This creates a new device with
# ls /dev/zvol/zroot/private private.eli% private%
Create New File System
First, let’s randomize whatever is on the device and then format it with UFS file system.
# dd if=/dev/random of=/dev/zvol/zroot/private.eli bs=1m # newfs /dev/zvol/zroot/private.eli
Mount and Use
# mount /dev/zvol/zroot/private.eli /mnt/private # echo 'some data' > /mnt/private/mytopsecretdata
Detaching Encrypted Volume
# umount /mnt/private # geli detach /dev/zvol/zroot/private.eli