GELI encryption of full drive

Lars Sommer, lasg@lasg.dk, 2010-01-27

Based on: http://www.freebsd.org/doc/handbook/disks-encrypting.html

I am using hard drives in pairs, each pair as a RAID1 mirror with geom_mirror.
After creating a mirror, I encrypt the whole mirror device with GELI, so everything written to both drives is encrypted at rest.

Load the GELI kernel module for the running system:
kldload geom_eli

To have it loaded at every boot, add this line to /boot/loader.conf:
geom_eli_load="YES"

In this example my geom_mirror is called gm2 and appears as /dev/mirror/gm2.

Generate a 64-byte key file, initialize the provider with it and attach it. Note that geli init also prompts for a passphrase unless -P is given, so both the key file and the passphrase are needed to attach afterwards.
Then overwrite the decrypted device with random data so used and free blocks cannot be told apart, create a filesystem on it, and finally mount it.

dd if=/dev/random of=/root/gm2.key bs=64 count=1
geli init -s 4096 -K /root/gm2.key /dev/mirror/gm2
geli attach -k /root/gm2.key /dev/mirror/gm2

dd if=/dev/random of=/dev/mirror/gm2.eli bs=1m
newfs /dev/mirror/gm2.eli
mount /dev/mirror/gm2.eli /data/2

The key file is one component of the user key (the master key itself is stored encrypted in the provider's metadata). Anyone who can read the file only needs the passphrase to attach the provider, so keep it mode 600 and consider moving it somewhere safer than /root.
I use a USB stick, but I am open to better suggestions.

Daily mounting:
geli attach -k /root/gm2.key /dev/mirror/gm2
mount /dev/mirror/gm2.eli /data/2

Daily unmounting:
umount /data/2
geli detach /dev/mirror/gm2.eli
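The one-time setup and the daily attach/detach steps above, wrapped in a small script with the checks I would want before handing a key file to geli. This is an added example, not a script from the original post; the provider, key file, mount point and metadata backup path are assumptions and can be overridden in the environment.

```shell
#!/bin/sh
# Wrapper for the init / daily attach / daily detach steps above.
# Added example, not the original post's script. PROVIDER, KEYFILE, MNT
# and METABACKUP are assumptions; override them in the environment.
set -eu

PROVIDER=${PROVIDER:-/dev/mirror/gm2}
KEYFILE=${KEYFILE:-/root/gm2.key}
MNT=${MNT:-/data/2}
METABACKUP=${METABACKUP:-/root/gm2.eli.backup}

# /dev/mirror/gm2 -> /dev/mirror/gm2.eli (the decrypted provider GELI creates)
eli_dev() {
    printf '%s.eli\n' "$1"
}

# Sanity-check the key component before handing it to geli: it must exist,
# be exactly the 64 bytes dd wrote, and be readable by its owner only.
check_keyfile() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "keyfile $f missing (USB stick not mounted?)" >&2
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ne 64 ]; then
        echo "keyfile $f is $size bytes, expected 64 (truncated copy?)" >&2
        return 1
    fi
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
        echo "keyfile $f is group- or world-readable; chmod 600 it" >&2
        return 1
    fi
}

# One-time setup: key component, geli init, metadata backup, fill, newfs, mount.
init_provider() {
    if [ -e "$KEYFILE" ]; then
        echo "refusing to overwrite existing keyfile $KEYFILE" >&2
        return 1
    fi
    # umask 077 so the key file is never created world-readable.
    ( umask 077; dd if=/dev/random of="$KEYFILE" bs=64 count=1 )
    check_keyfile "$KEYFILE"
    # Without -P, geli init also prompts for a passphrase: both the keyfile
    # and the passphrase are then needed to attach.
    geli init -s 4096 -K "$KEYFILE" "$PROVIDER"
    # Keep a copy of the GELI metadata (last sector of the provider); if that
    # sector is damaged, geli restore from this file is the only way back in.
    geli backup "$PROVIDER" "$METABACKUP"
    geli attach -k "$KEYFILE" "$PROVIDER"
    dev=$(eli_dev "$PROVIDER")
    # Overwrite the whole decrypted device so used and free space look alike;
    # dd exits non-zero when the device is full, which is expected here.
    dd if=/dev/random of="$dev" bs=1m || true
    newfs "$dev"
    mkdir -p "$MNT"
    mount "$dev" "$MNT"
}

# Daily mount: refuse to continue on a bad keyfile, fsck before mounting.
attach_mount() {
    check_keyfile "$KEYFILE"
    geli attach -k "$KEYFILE" "$PROVIDER"
    dev=$(eli_dev "$PROVIDER")
    fsck -p "$dev"
    mount "$dev" "$MNT"
}

# Daily unmount: unmount first, then drop the key from the kernel.
umount_detach() {
    umount "$MNT"
    geli detach "$(eli_dev "$PROVIDER")"
}

usage() {
    echo "usage: $0 init|mount|umount|check" >&2
}

case "${1:-}" in
    init)   init_provider ;;
    mount)  attach_mount ;;
    umount) umount_detach ;;
    check)  check_keyfile "$KEYFILE" ;;
    *)      usage ;;
esac
```

Run it as root with `init` once, then `mount` and `umount` daily; `check` only verifies the key file, which is handy right after copying it back from the USB stick.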
