FreeBSD Disk Encryption

As part of my migration to FreeBSD, I decided I’d better set up disk encryption from the get-go. I’m not too worried about encrypting the software, I’m more worried about someone getting hold of my laptop in a powered-off state and trawling my personal data for interesting tidbits, like passwords. The most worrying are email passwords, which are stored in plaintext (or near enough to it) by both claws-mail and pidgin. But it’s also quite useful to have emails and other documents protected too.

I chose to use the geli system, using documentation found here.

Setting this up proved to be ridiculously easy. I chose not to use a keyfile, but just encrypt the partition with a password. I’m not feeling totally paranoid.

First you initialise the partition as a geli provider, protected by a passphrase:

# geli init -s 4096 /dev/ada0p3

The -s 4096 sets the sector size of the encrypted provider to 4 KiB instead of the underlying disk's sector size (usually 512 bytes). geli encrypts each sector separately (the default cipher is AES-XTS with a 128-bit key; -e and -l change that), so larger sectors mean less work per byte; the tradeoff is that a 4 KiB geli sector spans eight 512-byte disk sectors, and a write interrupted by a power failure can leave it torn. geli asks for the passphrase twice. The passphrase is not the data key: geli generates a random master key and stores it in the partition's last sector, wrapped with a key derived from the passphrase by PKCS#5 PBKDF2. It also writes a copy of that metadata to /var/backups/ada0p3.eli; keep that copy somewhere other than the laptop, because if the last sector is ever damaged the partition is unrecoverable without it (geli restore writes it back).

Then you attach the provider. geli creates a second device node that presents the decrypted contents, and that is the device you put a normal filesystem on:

# geli attach /dev/ada0p3

geli asks for the passphrase, unwraps the master key and creates /dev/ada0p3.eli. Everything written through the .eli node is encrypted before it reaches /dev/ada0p3, and everything read through it is decrypted on the way out; the raw partition only ever holds ciphertext and the metadata sector.

# newfs /dev/ada0p3.eli

Create a filesystem on the .eli device (not on /dev/ada0p3, which would bypass the encryption entirely), mount it, and you're done.

FreeBSD attaches geli providers at boot without any extra scripting: a provider initialised with the -b flag is attached by the kernel before the root filesystem is mounted, and any others listed in geli_devices in /etc/rc.conf are attached by /etc/rc.d/geli before local filesystems are mounted. Either way, partway through the boot process the machine stops and waits for you to enter the passphrase, after which the .eli device is mounted from /etc/fstab like any other.
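Before running those steps against a real partition it is worth rehearsing them on a disposable memory disk and checking that the raw device really holds nothing readable. The script below is an added example, not code from the original post: it creates an md(4) disk, runs the same init/attach/newfs sequence with the passphrase read from a file (the -J and -j options) instead of the terminal, writes a marker file through the .eli device, detaches, and confirms the marker is absent from the raw device. The 64 MB disk size, the passphrase, the marker string and the /secret mount point in the generated rc.conf and fstab lines are all assumptions for the rehearsal.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the geli procedure on
# a throwaway md(4) memory disk, then confirm the raw device holds no
# plaintext. Needs FreeBSD and root; the md disk, passphrase file and mount
# point are created here and destroyed on exit.
set -eu

# Return 0 if MARKER does not occur in FILE (read as binary), 1 if it does.
# Run on the raw provider after detaching: a hit means data was written
# around geli rather than through the .eli device.
no_plaintext() {
    file=$1 marker=$2
    if grep -a -q -- "$marker" "$file"; then return 1; fi
    return 0
}

# Lines that make the provider attach at boot and mount afterwards.
# /etc/rc.d/geli reads geli_devices and prompts for the passphrase before
# local filesystems are mounted, so a plain fstab entry is enough.
boot_config() {
    prov=$1 mnt=$2
    printf '/etc/rc.conf:\tgeli_devices="%s"\n' "$prov"
    printf '/etc/fstab:\t/dev/%s.eli\t%s\tufs\trw\t2\t2\n' "$prov" "$mnt"
}

rehearse() {
    passfile=$(mktemp) mnt=$(mktemp -d)
    marker="geli-canary-$(date +%s)-$$"          # constructed test string
    printf 'rehearsal passphrase only\n' > "$passfile"   # assumed passphrase

    md=$(mdconfig -a -t swap -s 64m)            # prints e.g. md0
    cleanup() {
        umount "$mnt" 2>/dev/null || true
        geli detach "$md.eli" 2>/dev/null || true
        mdconfig -d -u "${md#md}"
        rm -rf "$passfile" "$mnt"
    }
    trap cleanup EXIT

    # Same steps as the post; -J/-j read the passphrase from a file instead
    # of the terminal, and -B none skips the /var/backups metadata copy for
    # this throwaway disk (keep it for a real partition).
    geli init -s 4096 -J "$passfile" -B none "/dev/$md"
    geli attach -j "$passfile" "/dev/$md"
    newfs "/dev/$md.eli" > /dev/null
    mount "/dev/$md.eli" "$mnt"
    echo "$marker" > "$mnt/canary.txt"
    umount "$mnt"
    geli detach "$md.eli"

    # With the provider detached only ciphertext is reachable.
    no_plaintext "/dev/$md" "$marker" || {
        echo "plaintext leaked to raw device /dev/$md" >&2
        return 1
    }

    # Re-attaching with the same passphrase brings the file back.
    geli attach -j "$passfile" "/dev/$md"
    mount "/dev/$md.eli" "$mnt"
    grep -q -- "$marker" "$mnt/canary.txt"
    echo "ok: data readable only through /dev/$md.eli"
    boot_config "$md" /secret                   # assumed mount point
}

# Only run the rehearsal where it can work; sourcing the file elsewhere
# just defines the functions.
if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ] && [ "${1:-}" = run ]; then
    rehearse
fi
```

Run it as root with `sh rehearse.sh run`. The same no_plaintext check is useful on the real partition after you have copied data in: detach, grep the raw device for a string you know is in a file, and expect no match.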

Posted Wednesday, March 16, 2016
