Disk encryption is becoming more important in our day to day life, specially when you have access to some corporate servers or “top secret” files.

I love FreeBSD, it’s simple, rock-solid, easy to use, the handbook is amazing! It also has the option to encrypt the disks during installation. I use FreeBSD everywhere (and TrueOS on my laptop), but disk encryption takes a lot of power, so I chose instead of doing full disk encryption in my laptop, I’ll just have a small media like a USB drive or ZFS ZVOL and encrypt that.

Here’s how to do so :)

If you compiled your own kernel ensure it contains these options

options GEOM_ELI
device crypto

Now, make sure crypto and geom_eli is loaded and add these lines to /boot/loader.conf:

crypto_load=YES
geom_eli_load=YES

Let’s move on.

Now, we need the partition that we are going to encrypt it. In case it’s a USB drive that you want to encrypt, here’s what to do. First, plug-in the USB drive into your computer. Now, let’s check it’s GEOM class name.

# geom disk list
Geom name: ada0
Providers:
1. Name: ada0
   Mediasize: 480103981056 (447G)
   Sectorsize: 512
   Mode: r1w1e2
   descr: SanDisk Ultra II 480GB
   lunid: 5001b444a4a40542
   ident: 162265428493
   rotationrate: 0
   fwsectors: 63
   fwheads: 16

Geom name: da0
Providers:
1. Name: da0
   Mediasize: 4004511744 (3.7G)
   Sectorsize: 512
   Mode: r0w0e0
   descr: SanDisk Cruzer Fit
   lunname: SanDisk Cruzer Fit      4C532000030211123165
   lunid: SanDisk Cruzer Fit      4C532000030211123165
   ident: 4C532000030211123165
   rotationrate: unknown
   fwsectors: 63
   fwheads: 255

Destroy and Create New Partitions

Okay, as we can see it’s da0. First, let’s destroy it and make a new partition on it! (Make sure you backup your data in case you have any important files).

# gpart destroy -F da0
da0 destroyed
# gpart create -s GPT da0
da0 created
# gpart add -t freebsd-ufs -i 1 da0
da0p1 added

In my case, I didn’t want to use a USB drive, I wanted to have an encrypted ZVOL, here’s how to do that as well. First, create a ZVOL

# zfs create -V 1G zroot/private

Okay, so, in case of a USB drive, we have a partition waiting for us, in case of ZVOL, we have 1GB volume.

Let’s encrypt those!

Initiating Encryption

There are multiple ways to encrypt a disk, check geli(8) for detailed info. Here I’ll show you two options.

  • Encrypting with a master key that is protected with a passphrase.
  • Encrypting with a passphrase only.

For the first option first, generate a key!

# dd if=/dev/random of=/root/master.key bs=64 count=1

Now we initialize the provider which needs to be encrypted.

# geli init -s 4096 -K /root/master.key /dev/da0p1

or in case of ZVOL

# geli init -s 4096 -K /root/master.key /dev/zvol/zroot/private

You’ll be asked to enter your passphrase, twice.

For the second option, it’s exactly the same command without -K /root/master.key. So for the ZVOL it would be

# geli init -s 4096 /dev/zvol/zroot/private

Attaching Encrypted Disks

Now we can attach the provider with the generated key or without it, here’s an example.

# geli attach -k /root/master.key /dev/da0p1

You will be asked for your passphrase. Or without the key, only the passphrase, here’s an example.

# geli attach /dev/zvol/zroot/private

This creates a new device with .eli extention:

# ls /dev/zvol/zroot/private
private.eli%    private%

Create New File System

First, let’s randomize whatever is on the device and then format it with UFS file system.

# dd if=/dev/random of=/dev/zvol/zroot/private.eli bs=1m
# newfs /dev/zvol/zroot/private.eli

Mount and Use

# mount /dev/zvol/zroot/private.eli /mnt/private
# echo 'some data' > /mnt/private/mytopsecretdata

Detaching Encrypted Volume

# umount /mnt/private
# geli detach /dev/zvol/zroot/private.eli

That’s all folks! :)