BSD Stuff
Disk Encryption with geli on FreeBSD
20 February 2007, 00:38
I finally got around to encrypting my hard drives. I used geli to do this because I would like the system to be able to mount the encrypted drives after a reboot.
Here are the few short steps it took to make it work.
You have to be the root user for all of this to work.
First we need to add the following to the kernel configuration and then rebuild and install the kernel (the line starting with # inside the file is a comment in the kernel config, not a prompt):
# vim /usr/src/sys/i386/conf/GENERIC
# geli Disk Encryption
options GEOM_ELI
device crypto
Reboot once the new kernel has been installed successfully so that the geli support gets loaded. Once you have rebooted and logged in again, you can check whether geli is present by running this
# sysctl -a | grep eli
and you should see something like this.
kern.geom.eli.batch: 0
kern.geom.eli.threads: 0
kern.geom.eli.overwrites: 5
kern.geom.eli.visible_passphrase: 0
kern.geom.eli.tries: 3
kern.geom.eli.debug: 0
If you are reusing an old drive, you can use one of the following commands to wipe it (everything on the disk is destroyed):
# dd if=/dev/zero of=/dev/ad3 bs=1m
or
# dd if=/dev/random of=/dev/ad3 bs=1m
The first option overwrites the entire disk with zero bytes.
The second option does the same thing, but overwrites the data with random bytes instead of zeros.
Now that geli is loaded we can go and create a key file for the disk that we want to encrypt.
# dd if=/dev/random of=/root/ad3.key bs=64 count=1
# geli init -P -s 4096 -K /root/ad3.key /dev/ad3
# geli attach -p -k /root/ad3.key /dev/ad3
The -P in the geli init means the disk is protected by the key file alone, with no passphrase, because we don't want to be asked for one when the system boots. This is needed because later on we will edit the /etc/rc.conf file to add geli so the disk gets attached at boot. Since the key file is then the only secret protecting the disk, keep it readable by root only (chmod 600 /root/ad3.key) and bear in mind that it lives on the unencrypted root filesystem: anyone who obtains a copy of it can decrypt the disk.
After you have done all this, you can check that the geli provider was attached for this disk by running this
# ls /dev/ad3*
and you should see something like this
/dev/ad3 /dev/ad3.eli
That's it: geli is attached and ready to be used on this drive.
Next we need to label the encrypted device, create a filesystem on it and mount it (the mount point /secure must already exist):
# bsdlabel -w /dev/ad3.eli
# newfs /dev/ad3.elia
# mount /dev/ad3.elia /secure
That's it, you're done. Your disk is now encrypted.
To unmount and detach the drive, run this (unmount first, then detach)
# umount /secure
# geli detach ad3.eli
Now to set it up so that it gets mounted at boot,
first edit /etc/rc.conf and add this
# vim /etc/rc.conf
geli_devices="ad3"
geli_ad3_flags="-p -k /root/ad3.key"
and then edit /etc/fstab and add
# vim /etc/fstab
/dev/ad3.elia /secure ufs rw,acls 0 0
That's it, you can reboot now to see if it works.
If the system crashed and you need to run fsck on it, use this (the /dev/ad3.elia device only exists while the provider is attached, so attach it first if necessary)
# fsck_ffs /dev/ad3.elia
I have 3 disks that I encrypted using geli, and there seems to be a problem adding them to the /etc/rc.conf file, so I wrote a simple shell script to get them mounted at boot time. Here is the script:
#!/bin/sh
# attach each disk with its own key file, then mount its "a" partition
geli attach -p -k /root/ad3.key /dev/ad3
mount /dev/ad3.elia /secure
geli attach -p -k /root/ad4.key /dev/ad4
mount /dev/ad4.elia /secure1
geli attach -p -k /root/ar0.key /dev/ar0
mount /dev/ar0.elia /secure2
Then add this to the /etc/crontab file (the script must be executable, e.g. chmod +x /root/mountgeli):
# geli start up
@reboot root /root/mountgeli
After this I rebooted to test it and it all worked out just fine.
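As an added example (not the script from this post), here is a more defensive version of the same boot-time script. It takes device:mountpoint pairs as arguments, refuses to proceed when a key file is missing or accessible to group or others (with geli init -P the key file is the only secret), skips devices that are already attached or mounted so re-running it is harmless, and returns the number of failures so that cron's mail flags a disk that did not come up. The DEVDIR and KEYDIR variables and the /root/<device>.key naming are assumptions that match the post's layout, not conventions of geli itself.

```shell
#!/bin/sh
# mountgeli (added example, not the post's script): attach geli providers
# from key files and mount them at boot. Arguments are "device:mountpoint"
# pairs, e.g. "ad3:/secure". The key for device X is assumed to be
# $KEYDIR/X.key, matching the post's /root/ad3.key layout.
set -u

DEVDIR=${DEVDIR:-/dev}    # where the raw device and its .eli provider appear
KEYDIR=${KEYDIR:-/root}   # where the key files live (assumption from the post)
FSTYPE=${FSTYPE:-ufs}

log() { printf 'mountgeli: %s\n' "$*" >&2; }

# With "geli init -P" the key file is the only secret protecting the disk, so
# refuse to use one that is missing or accessible to group/other (mode 600).
check_key() {
    key=$1
    [ -f "$key" ] || { log "key file $key not found"; return 1; }
    perms=$(ls -ld "$key" | cut -c5-10)     # group+other permission bits
    [ "$perms" = "------" ] || { log "key file $key must not be group/other accessible"; return 1; }
    return 0
}

# Attach one device and mount its "a" partition. Safe to run twice: an
# already attached provider or an already mounted filesystem is left alone.
attach_one() {
    dev=$1
    mnt=$2
    key="$KEYDIR/$dev.key"
    check_key "$key" || return 1
    [ -e "$DEVDIR/$dev" ] || { log "device $DEVDIR/$dev not present"; return 1; }
    [ -d "$mnt" ] || { log "mount point $mnt does not exist"; return 1; }
    if mount | grep -q " on $mnt "; then
        log "$mnt already mounted"
        return 0
    fi
    if [ -e "$DEVDIR/$dev.eli" ]; then
        log "$dev already attached"
    else
        geli attach -p -k "$key" "$DEVDIR/$dev" || { log "geli attach failed for $dev"; return 1; }
    fi
    mount -t "$FSTYPE" "$DEVDIR/$dev.elia" "$mnt" || { log "mount of $dev on $mnt failed"; return 1; }
    return 0
}

# Process every pair; the exit status is the number of devices that failed,
# so a non-zero status (and cron's mail) flags a disk that did not come up.
main() {
    failures=0
    for pair in "$@"; do
        attach_one "${pair%%:*}" "${pair#*:}" || failures=$((failures + 1))
    done
    return "$failures"
}

if [ $# -gt 0 ]; then
    main "$@"
else
    log "usage: mountgeli device:mountpoint [device:mountpoint ...]"
fi
```

Run it from the crontab line as /root/mountgeli ad3:/secure ad4:/secure1 ar0:/secure2. It mounts with an explicit mount -t ufs, so it does not rely on an fstab entry for the .elia device. As an aside on the rc.conf route, FreeBSD's /etc/rc.d/geli accepts several providers in geli_devices as a space-separated list, each with its own geli_<device>_flags line.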
Have fun encrypting your drives.