Synopsis

This paper describes how to encrypt a file system on FreeBSD using GELI with 448bit Blowfish encryption. See the GELI(8), MDCONFIG(8) and NEWFS(8) manual pages for more detailed description of the commands and parameters.

This example will use a memory disk, however if you're using a physical disk then skip step 1. and substitute /dev/md0 with your disk's DSF.

Description

1. If a memory disk is to be used then this needs to be created first. The following commands create a 10GB file and then a vnode DSF /dev/md0:

   # dd if=/dev/urandom of=/usr/geli.vol bs=1M count=10240
   # mdconfig -a -t vnode -f /usr/geli.vol -u 0

2. The first step in creating an encrypted file system is to generate an encryption key. The following creates a 448 bit key:

   # dd if=/dev/urandom of=/geli.key bs=56 count=1

3. The disk is then initialised using the above encryption key (plus a few other parameters; 4K block size, Blowfisk Encryption, 448 bits) and a password:

   # geli init -s 4096 -e Blowfish -l 448 -K /geli.key /dev/md0
   > password

4. This next step must be performed everytime you want to mount the disk. It basically tells the kernel module to link the key with the disk:

   # geli attach -d -k /geli.key /dev/md0
   > password

   1. If the disk has just been initialised then a new file system must be created prior to mounting:

      # newfs -U /dev/md0.eli

5. Finally, mount the encrypted file system as per any normal file system with the exception of keying in the password:

   # mount /dev/md0.eli /mnt
   > password

To mount manually after each boot steps 1 (if applicable), 4 and 5 are necessary.

For more information on setting up encrypted file systems to automatically boot see GELI(8).