Disk encryption on FreeBSD

Though I use Linux on most of my workstations, I use FreeBSD on my servers. I love it compared to Linux, and I'd use it on my workstations if there was better hardware support. So I wanted to write this post to highlight how to set up disk encryption on FreeBSD using GELI (as opposed to LUKS, which is what I'm used to on Linux).

First, if needed, remove any existing partition table on the disk you'll be encrypting and replace it with a GPT partition table. This step is not strictly necessary, since you can just as easily encrypt individual partitions, but here the goal is full disk encryption. Keep in mind that the device names in the examples (da0, da0p1) should be replaced with whatever is on your system:

gpart destroy -F da0

Now, create a GPT partition table on the disk:

gpart create -s gpt da0

Next, create your partition (in this case I was setting up a ZFS partition; substitute "freebsd-zfs" with whichever partition type you'd like to use):

gpart add -t freebsd-zfs da0

Generate your encryption key. I placed mine in /boot:

dd if=/dev/random of=/boot/encryption.key bs=4096 count=1

Now we'll actually set up encryption on the device (obviously you can use different options, check out the man page if interested, however these should do well for most cases):

geli init -b -B /boot/da0p1.eli -e AES-XTS -K /boot/encryption.key -l 256 -s 4096 /dev/da0p1

Now open (attach) the disk. Doing so creates a new device at /dev/[disk].eli:

geli attach -k /boot/encryption.key /dev/da0p1

Now that the disk is open, you can add it to your ZFS pool, or simply begin using it if you are using UFS:

zpool create [pool] /dev/da0p1.eli

You’ll need to add the following to /boot/loader.conf in order to have it mounted properly on boot:

geli_da0p1_keyfile0_load="YES"
geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"
geli_da0p1_keyfile0_name="/boot/encryption.key"
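As an added example (not part of the original post), here are the steps above wrapped in a POSIX sh script with the checks I would want before pointing it at a real disk: it refuses to proceed if the target has mounted partitions or an already attached GELI provider, creates the key file with restrictive permissions, verifies that the .eli device actually appeared before building the pool, and generates the loader.conf lines from the provider name so the three entries cannot drift out of sync with each other. The disk, pool and key file names are hypothetical defaults; the geli and gpart options are the ones from the post. Two caveats from geli(8) are noted in the comments: with -K but without -P, geli also requires a passphrase at init and at every attach (including the loader prompt at boot), and the geli_*_keyfile0 entries only preload the key, so the geom_eli module must be available to the kernel.

```sh
#!/bin/sh
# Added example, not the original post's script. Assumed defaults: disk da0,
# pool "tank", key /boot/encryption.key. Run as root on FreeBSD with --run.
set -eu

# Emit the three /boot/loader.conf lines that make the loader preload the key
# file for one GELI provider (geli_<provider>_keyfile0_* form from geli(8)).
# Pure function: it only prints, so it can be checked without root or a disk.
loader_conf_lines() {
    prov=$1
    key=$2
    printf 'geli_%s_keyfile0_load="YES"\n' "$prov"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$prov" "$prov"
    printf 'geli_%s_keyfile0_name="%s"\n' "$prov" "$key"
}

# Refuse to touch anything that is not a bare, unused disk.
check_target() {
    disk=$1
    if [ ! -c "/dev/$disk" ]; then
        echo "no such device: /dev/$disk" >&2
        return 1
    fi
    if mount | grep -q "^/dev/$disk"; then
        echo "refusing: /dev/$disk has mounted partitions" >&2
        return 1
    fi
    if geli status 2>/dev/null | grep -q "^${disk}.*\.eli"; then
        echo "refusing: a GELI provider on $disk is already attached" >&2
        return 1
    fi
}

# Create the key file the way the post does, but never overwrite an existing
# key and make the file readable by root only (umask 077 before dd).
make_keyfile() {
    key=$1
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key file $key" >&2
        return 1
    fi
    (umask 077 && dd if=/dev/random of="$key" bs=4096 count=1)
}

geli_full_disk_setup() {
    disk=$1
    pool=$2
    key=$3
    prov="${disk}p1"          # first GPT partition, as in the post

    check_target "$disk"
    make_keyfile "$key"

    gpart destroy -F "$disk" 2>/dev/null || true   # no table yet is fine
    gpart create -s gpt "$disk"
    gpart add -t freebsd-zfs "$disk"

    # Same options as the post. Note: -K without -P means geli will ALSO ask
    # for a passphrase here and at every attach, including the boot prompt.
    geli init -b -B "/boot/${prov}.eli" -e AES-XTS -K "$key" -l 256 -s 4096 "/dev/$prov"
    geli attach -k "$key" "/dev/$prov"

    # Only build the pool on the encrypted device if the attach really worked.
    if [ ! -c "/dev/${prov}.eli" ]; then
        echo "geli attach did not produce /dev/${prov}.eli" >&2
        return 1
    fi
    zpool create "$pool" "/dev/${prov}.eli"

    # Preload the key at boot. If your kernel lacks GEOM_ELI, also add
    # geom_eli_load="YES" so the module is loaded before the attach.
    loader_conf_lines "$prov" "$key" >> /boot/loader.conf
}

case "${1:-}" in
    --run) geli_full_disk_setup "${2:-da0}" "${3:-tank}" "${4:-/boot/encryption.key}" ;;
    *) echo "usage: $0 --run [disk] [pool] [keyfile]" >&2 ;;
esac
```

Invoked as `sh geli-setup.sh --run da0 tank /boot/encryption.key` on the FreeBSD host; without --run it only prints usage, so the pure helpers (loader_conf_lines, check_target) can be sourced and exercised on any machine.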

That’s it! Enjoy your encrypted disk.