Recent articles (showing 1-10 out of 69):
WARNING: This post has been marked as obsolete and may be incorrect.  It is kept for archival purposes only.
This article will tell you how to fully encrypt your hard disk in FreeBSD 9.x.  When I say 'fully', I mean as close as possible.  It will leave the bootloader and /boot folder unencrypted, but everything else will be encrypted (including your swap space).  Basically, all your data is encrypted and that's the point...
Boot from any FreeBSD 9 install medium (except bootonly), and choose Live CD at the installer menu.
For this article, I will assume you're using the /dev/ada0 disk, a 10GB /boot, a 4GB swap and remaining disk encrypted.  The contents will be encrypted using AES-XTS 256-bit encryption  with a 4 kilobit random data partial key and a passphrase (required to type on boot).  This method requires no external data (no USB sticks, no bootable CDs to boot the OS) – but does not offer two factor authentication which is better than this method.  For general encryption needs, this method is more than sufficient.
Note that more recent CPUs support AESNI flag for offloading. As GELI uses the crypto(4) framework, the OS will utilise this function of your CPU to assist the encryption to decrease CPU load.
First, we need to remove any existing GPT or MBR partition tables on the disk – ignore any 'invalid argument' messages you get at this stage:
gpart destroy -F ada0 Copy 
Now we need to initialise a new GPT partition table, as follows:
gpart create -s gpt ada0 Copy 
We will now create a 64kb boot partition (this contains the boot loader only, so is safe and required to be unencrypted):
gpart add -s 128 -t freebsd-boot ada0 Copy 
Next, we will create the /boot partition – you can adjust the sizes here if you need, but i'd suggest not shrinking it too much or you'll get into problems when doing OS upgrades later...
gpart add -s 10G -t freebsd-ufs ada0 Copy 
Now for a swap partition.  Again, you can adjust the size if needed.  This will be encrypted during boot with a one-time 256bit key.
gpart add -s 4G -t freebsd-swap ada0 Copy 
Finally, we assign the remaining data to a partition.  This will form the entire disk (excluding /boot) and will be encrypted shortly.
gpart add -t freebsd-ufs ada0 Copy 
OK, so we've created... ada0p1 (bootloader), adap2 (unencrypted /boot partition), adap3 (swap partition) and adap4 (encrypted disk partition).  We need to write the boot loader to the disk now:
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0 Copy 
Now we need to format the /boot partition:
newfs -O2 -U -m 0 -j /dev/ada0p2 Copy 
And temporarily mount it as /mnt:
mount /dev/ada0p2 /mnt Copy 
Now we will create a 4kb random data file that will form part of the encryption key:
dd if=/dev/random of=/mnt/encryption.key bs=4096 count=1 Copy 
Now we're in a position to encrypt the main disk.  This part will ask for a passphrase twice to complete:
kldload geom_eli
geli init -a HMAC/SHA256 -b -B /mnt/ada0p4.eli -e AES-XTS -K /mnt/encryption.key -l 256 -s 4096 /dev/ada0p4
geli attach -k /mnt/encryption.key /dev/ada0p4 Copy 
You will receive some messages on the console about checksum mismatches – this is normal and please ignore them.
If you have time, I recommend writing the entire disk with random data to initialise the checksums.  This is a VERY time consuming step – you can skip it if you wish, but it is recommended:
dd if=/dev/random of=/dev/ada0p4.eli bs=1m Copy 
Next we will unmount the old parition so we can mount the new "root" after formatting  (and re-mount the /boot partition too):
umount /mnt
newfs -O2 -U -j -m 6 /dev/ada0p4.eli
mount /dev/ada0p4.eli /mnt
mkdir /mnt/bootdir
mount /dev/ada0p2 /mnt/bootdir Copy 
OK, we're ready to install the OS files onto the disk now... We will install the base, kernel, src and ports tarballs as follows:
cd /mnt
unxz -c /usr/freebsd-dist/base.txz | tar xpf –
unxz -c /usr/freebsd-dist/kernel.txz | tar xpf –
unxz -c /usr/freebsd-dist/src.txz | tar xpf –
unxz -c /usr/freebsd-dist/ports.txz | tar xpf – Copy 
Note: this can take a while (especially the ports extraction) so please be patient.  If you'd like to see some kind of progress, change the "xpf" to "xvpf" and it will scroll the files to the screen as they are extracted.
Now we have to move the /boot folder to the unencrypted partition (it's really not much use if it's encrypted!) – we will also move the keyfile and backup file into the /boot folder:
mv boot bootdir/
ln -fs bootdir/boot
mv encryption.key ada0p4.eli bootdir/boot/ Copy 
Now we need to prepare a few things in the installed OS – so we will chroot into the folder:
chroot /mnt Copy 
We need to tell the boot loader to load kernel modules for decryption, and also tell it about the keyfile for the partition... edit the file /boot/loader.conf and enter the following:
vfs.root.mountfrom="ufs:/dev/ada0p4.eli"
aesni_load="YES"
geom_eli_load="YES"
geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key" Copy 
Now we need to tell the system to encrypt our swap space using a one-time key on each boot (note: this prevents system dumps from working)... edit /etc/rc.conf and enter:
geli_swap_flags="-e AES-XTS -l 256 -s 4096 -d" Copy 
Next we need to tell the system our mountpoints... edit the file /etc/fstab and enter:
# Device         Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0p4.eli  /           ufs     rw       0     0
/dev/ada0p2      /bootdir    ufs     rw       1     1
/dev/ada0p3.eli  none        swap    sw       0     0 Copy 
Now we need to initialise a few things... let's start by setting the root password:
passwd root Copy 
And configuring your timezone:
tzsetup Copy 
And initialise the sendmail aliases file:
cd /etc/mail
make aliases Copy 
You can do any other system setup you need now, such as adding users, configuring SSH or networking...  when you're done:
exit Copy 
Now we're done, we can reboot...
reboot Copy 
On boot, you will see a prompt for:
Enter passphrase for ada0p4: Copy 
Note, however, that devices are still being detected while this occurs so it may scroll off the screen (usually while detecting USB devices) – this doesn't affect your ability to enter the passphrase, but can be confusing if you're not expecting it!
Once the system is up and running, you can use it as normal.
The only point to note is that when you do an OS upgrade, during the "mergemaster" stage, it will complain that /boot is a symlink not a directory.  Simply tell it to ignore/do nothing and it will install the files as normal.
