GELI encryption of full drive

Lars Sommer, [email protected], 2010-01-27

Based on:

I am using hard drives in pairs (RAID1) with geom_mirror.
After creating a mirror, I encrypt it using GELI.

Load the GELI module into the running system:
kldload geom_eli

To have it loaded at boot, insert into /boot/loader.conf:

In this example my geom_mirror is called gm2 and resides at /dev/mirror/gm2.

Create the master key, initialise the provider with it and attach it to GELI.
Then create a new filesystem on the encrypted device and finally mount it.

dd if=/dev/random of=/root/gm2.key bs=64 count=1
geli init -s 4096 -K /root/gm2.key /dev/mirror/gm2
geli attach -k /root/gm2.key /dev/mirror/gm2

dd if=/dev/random of=/dev/mirror/gm2.eli bs=1m
newfs /dev/mirror/gm2.eli
mount /dev/mirror/gm2.eli /data/2

Consider moving the master key somewhere safer.
I use a USB stick, but I am open to better suggestions.

Daily mounting:
geli attach -k /root/gm2.key /dev/mirror/gm2
mount /dev/mirror/gm2.eli /data/2

Daily unmounting (geli wants the full provider name, mirror/gm2.eli, not just gm2.eli):
umount /data/2
geli detach /dev/mirror/gm2.eli
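As an added example (not part of the original post), here is a small POSIX sh wrapper for the daily attach/mount and unmount/detach steps above. It refuses to hand the key to geli unless the key file exists, is the 64 bytes that dd wrote and is readable only by its owner. That last check matters because dd creates the key file under the current umask, typically as mode 0644, so it is worth running chmod 600 on it right after creating it. The paths /root/gm2.key, /dev/mirror/gm2 and /data/2 are the post's; the function names and the up/down arguments are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the post's daily
# attach/mount and unmount/detach commands in a sanity check on the key file.
# Paths default to the ones used in the post; override them via the environment.

KEYFILE=${KEYFILE:-/root/gm2.key}
PROVIDER=${PROVIDER:-/dev/mirror/gm2}
MOUNTPOINT=${MOUNTPOINT:-/data/2}

# check_keyfile FILE: return 0 if FILE is a regular file of exactly 64 bytes
# (what "dd bs=64 count=1" produces) whose mode grants nothing to group/other.
check_keyfile() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "key file $f does not exist or is not a regular file" >&2
        return 1
    fi
    size=$(( $(wc -c < "$f") ))
    if [ "$size" -ne 64 ]; then
        echo "key file $f is $size bytes, expected 64" >&2
        return 1
    fi
    # The first ten characters of "ls -l" are the type and permission bits on
    # both BSD and GNU ls; anything beyond owner read/write is rejected.
    perm=$(ls -l "$f" | cut -c1-10)
    case $perm in
        -rw-------|-r--------) return 0 ;;
        *)
            echo "key file $f has mode $perm; fix with: chmod 600 $f" >&2
            return 1 ;;
    esac
}

# Daily mount: attach the GELI provider with the key, then mount the .eli device.
attach_and_mount() {
    check_keyfile "$KEYFILE" || return 1
    geli attach -k "$KEYFILE" "$PROVIDER" || return 1
    mount "${PROVIDER}.eli" "$MOUNTPOINT"
}

# Daily unmount: unmount first, then detach the provider by its full name.
unmount_and_detach() {
    umount "$MOUNTPOINT" || return 1
    geli detach "${PROVIDER}.eli"
}

case ${1-} in
    up)   attach_and_mount ;;
    down) unmount_and_detach ;;
    "")   ;;   # no argument: only define the functions, so the file can be sourced
    *)    echo "usage: $0 up|down" >&2 ;;
esac
```

Run it as `sh geli-data2.sh up` in the morning and `sh geli-data2.sh down` before shutdown; with the key on a USB stick, set KEYFILE to the mounted path instead.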
