# Encrypt /usr with Geli



## z662 (May 12, 2011)

I recently installed 8.2 and took the defaults in regards to partitioning my hdd.  I have a partition for /, swap, /tmp, /var, and /usr.  After installing I went about customizing everything, installing bash, sudo, kde4 etc etc.  Now my setup is basically done and I want to set up geli and encrypt my /usr partition.  After reading the handbook I am starting to wonder if I should have allocated a separate partition for /home and then left /usr alone, and only encrypted /home, as I am getting numerous error messages and a failure to mount /usr upon boot.  After getting these error messages I disabled geli from /boot/loader.conf and can definitely post my specific error messages if need be; however, before I did that I was hoping to get some feedback and thoughts from users that are currently using geli on their system.


----------



## SirDice (May 12, 2011)

You can't encrypt after the fact. You will have to backup everything on that filesystem, enable encryption and restore the data. You can't do it "on-the-fly".

Handbook: 18.16 Encrypting Disk Partitions


----------



## z662 (May 12, 2011)

That is what I was afraid of...   Would you say it would just be a better idea to re-install then?  I am not sure if backing up all of /usr would be a good idea (wondering if it would work as expected since it contains binaries and system files etc.)


----------



## SirDice (May 12, 2011)

If you already encrypted /usr/ you probably already removed everything in there. 
Or did you only turn on encryption without actually encrypting the filesystem?

So depending on what you did and what you want you may need to reinstall. 
If the filesystem is still in its original state it might be easier just to backup /usr/home/ and encrypt that.


----------



## z662 (May 12, 2011)

I only turned on the encryption but didn't actually encrypt it.  I guess I was a bit confused on the steps listed in the handbook as it was a new process for me.  Basically what I did was set

```
geom_eli_load="YES"
```

I then created a key

```
# dd if=/dev/random of=/root/ad4s1f.key bs=64 count=1
# geli init -s 4096 -K /root/ad4s1f.key /dev/ad4s1f
```

and then attached the disk.  I wasn't sure if I had done the above steps correctly, and when I tried to boot it would ask me for my passphrase but would then fail to mount the drive.  I am guessing I just need to wipe /usr/home and create the new filesystem /usr/home as step 4 and step 5 in the handbook mention?   If so, would I be safe to backup /usr/home and do this without doing a re-install?  Even though /usr/home is not its own partition?

Thanks dice.


----------



## SirDice (May 12, 2011)

The geli init may already have overwritten some information, at least on the first part of the filesystem. But if there's no problem you may have been lucky.

But, yes, in essence you create a new filesystem (partition) on a free bit of space. Use geli init to initialize it and geli attach to attach it. Then newfs the resulting /dev/*.eli device. You can then mount it on /usr/home/. 

There's no need to reinstall anything but you will have to do this with the root account because you are moving the users' home directories around and can therefore not be logged in as a user.

Experience has taught me to always create a separate partition/filesystem for /usr/home/. That makes reinstalling the machine a whole lot easier because I can just wipe the base system without touching my files in home :e

One thing to keep in mind though, when booting a system that has an encrypted filesystem it will ask for the password during boot. You need to be at the console to type it in before the system will boot any further. If you only have remote access this can be tricky.


----------



## z662 (May 12, 2011)

I think I will just reformat and create a new partition /usr/home and give it a go again.  Is there any reason you prefer /usr/home as the partition, vs.  using /home?  In my case, would I be able to just re-partition /usr  and create a new partition for /usr/home as well or is it set in stone already?  Hopefully all will go smoothly.  It is a laptop so no remote services will ever be needed.  Thanks thus far.


----------



## SirDice (May 13, 2011)

z662 said:

> Is there any reason you prefer /usr/home as the partition, vs.  using /home?


/home/ is a symlink to /usr/home/ on FreeBSD 



> In my case, would I be able to just re-partition /usr  and create a new partition for /usr/home as well or is it set in stone already?


Nothing is ever set in stone, yes, you could do that.


----------



## z662 (May 13, 2011)

Heh, I see that now, thanks for pointing that out.  I plan on trying to take care of this over the weekend, I'll post an update over the next few days assuming I get time to attempt this again.


----------



## SirDice (May 13, 2011)

Good luck :beer


----------



## z662 (May 13, 2011)

Thanks, one more question about /home.  Since it is a symlink, if I created a separate partition for it, how would that work?  Would it actually create a partition just for /home or would it actually partition it for /usr/home

Would there be any issues/complications with doing that?

Just trying to take the easiest and most sane approach so I can avoid wasting a lot of time as my system is basically already done and I don't want to have to format it.  At the same time I am not sure I feel comfortable re-sizing the partition.  My files are backed up of course but if I have to wipe the partition I might as well just do a fresh install anyway.  I don't know....


----------



## SirDice (May 13, 2011)

z662 said:

> Thanks, one more question about /home.  Since it is a symlink, if I created a separate partition for it, how would that work?  Would it actually create a partition just for /home or would it actually partition it for /usr/home


It all depends on where you mount it.



> Would there be any issues/complications with doing that?


If I'm not mistaken adduser(8) for instance assumes the home directories are on /usr/home/. The /home/ symlink was created because that seems to be the standard place on Linux. I've always mounted the extra filesystem on /usr/home/ and never had any issues.


----------



## z662 (May 13, 2011)

I'll just go the safe route and do as you did then because I can't imagine everything working as expected with a separate partition for /home without then making /usr/home a symlink (reverse of what it is now), plus having to change other things like how the system knows where to look for my home directory stuff and shell variables etc.  Might be completely wrong about all that but either way not worth the risk since FreeBSD was designed to have your home stuff stored in /usr/home.  

Anyone that has more insight into this topic (or if you would like to chime in more Dice) please feel free to do so.  Always thirsty for more knowledge


----------



## SirDice (May 13, 2011)

In the end it really doesn't matter where you mount it. As long as the homedir field in /etc/passwd points to the right directory for your users. Most of my user accounts are in /usr/home/ but I also have a "transmission" user with a home directory on a completely different filesystem (/storage/transmission/).


----------



## bbzz (May 13, 2011)

Didn't they change that in version 6.x or something? /home used to be a symlink by default but now it's a separate partition? Well, you could still make it however you want it. There could be some advantages to using a separate partition/filesystem for /home; I'm not sure what drawbacks there are, if any.


----------



## z662 (May 14, 2011)

I think I am close, but not quite there.  I re-installed and re-partitioned my drive, I took the default partitions but then added /usr/home to be a separate partition (the one I want to encrypt).  I followed the instructions in the handbook basically down to a T, but any reference to da2 I replaced with ad4s1g.  I added the following to my rc.conf

```
geli_devices="ad4s1g"
geli_ad4s1g_flags="-p -k /root/hdd.key"
```

And added the following to my loader.conf

```
geom_eli_load="YES"
```

I then modified my /etc/fstab to have

```
/dev/ad4s1g.eli
```

in there (it was just /dev/ad4s1g after installing).  Not sure if I should have done that step or not...

I have posted a picture of the error messages on my webserver:  (link removed by BACK)


----------



## bes (May 14, 2011)

```
geli_ad4s1g_flags="-p -k /root/hdd.key"
```
This can only be used if -P was given during the geli init phase.
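The boot failure in this thread comes down to three files (rc.conf, loader.conf, fstab) having to agree with how the provider was initialized. The script below is an added example, not something posted in the thread or part of FreeBSD; it is a pre-reboot sanity check that reads those files and reports the mistakes discussed above (a `-p` in `geli_<dev>_flags` when `geli init` was run without `-P`, a missing `geom_eli_load`, a keyfile that does not exist, and an fstab entry that still names the raw device instead of the `.eli` device). The device name `ad4s1g`, the temp-dir keyfile and the file contents in `demo` are constructed to mirror z662's configuration; the `INIT_MODE` argument is a hypothetical knob standing in for the fact that the script cannot itself tell whether `-P` was given at init time.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a geli boot configuration
# before rebooting. Findings go to stderr; the number of findings is printed
# to stdout so the caller can test it.
#
# check_geli_config RC LOADER FSTAB DEV INIT_MODE
#   INIT_MODE is "keyonly" if `geli init -P` was used (keyfile only, no
#   passphrase); anything else means a passphrase is part of the provider.
check_geli_config() {
    rc=$1 loader=$2 fstab=$3 dev=$4 init_mode=$5
    n=0

    # 1. loader.conf must load the geom_eli module, otherwise nothing is attached at boot.
    if ! grep -q '^geom_eli_load="YES"' "$loader"; then
        echo "loader.conf: geom_eli_load=\"YES\" missing, geom_eli will not load at boot" >&2
        n=$((n + 1))
    fi

    # 2. The provider must be listed in geli_devices (space-separated list).
    devices=$(sed -n 's/^geli_devices="\(.*\)"/\1/p' "$rc")
    found=0
    for d in $devices; do
        [ "$d" = "$dev" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "rc.conf: $dev is not listed in geli_devices" >&2
        n=$((n + 1))
    fi

    # 3. Walk geli_<dev>_flags: -p (skip passphrase) is only valid for a
    #    provider initialized with -P; -k must point at an existing keyfile.
    flags=$(sed -n "s/^geli_${dev}_flags=\"\(.*\)\"/\1/p" "$rc")
    keyfile=""
    prev=""
    for f in $flags; do
        [ "$prev" = "-k" ] && keyfile=$f
        if [ "$f" = "-p" ] && [ "$init_mode" != "keyonly" ]; then
            echo "rc.conf: -p in geli_${dev}_flags skips the passphrase, but geli init was run without -P; attach will fail" >&2
            n=$((n + 1))
        fi
        prev=$f
    done
    if [ -n "$keyfile" ] && [ ! -f "$keyfile" ]; then
        echo "rc.conf: keyfile $keyfile does not exist" >&2
        n=$((n + 1))
    fi

    # 4. fstab must mount the decrypted .eli device, never the raw provider.
    if grep -q "^/dev/${dev}[[:space:]]" "$fstab"; then
        echo "fstab: /dev/${dev} is the raw provider; mount /dev/${dev}.eli instead" >&2
        n=$((n + 1))
    fi
    if ! grep -q "^/dev/${dev}\.eli[[:space:]]" "$fstab"; then
        echo "fstab: no entry for /dev/${dev}.eli" >&2
        n=$((n + 1))
    fi

    echo "$n"
}

# demo: constructed files reproducing the thread's scenario in a temp dir.
# Prints "<findings with -p> <findings after bes's fix>".
demo() {
    tmp=$(mktemp -d)
    printf 'geom_eli_load="YES"\n' > "$tmp/loader.conf"
    : > "$tmp/hdd.key"   # stand-in for the keyfile made with dd if=/dev/random
    printf '/dev/ad4s1g.eli\t/usr/home\tufs\trw\t2\t2\n' > "$tmp/fstab"

    # First attempt from the thread: -p although geli init was not run with -P.
    printf 'geli_devices="ad4s1g"\ngeli_ad4s1g_flags="-p -k %s/hdd.key"\n' "$tmp" > "$tmp/rc.conf"
    bad=$(check_geli_config "$tmp/rc.conf" "$tmp/loader.conf" "$tmp/fstab" ad4s1g passphrase)

    # bes's fix: drop -p so the passphrase is requested at the console during boot.
    printf 'geli_devices="ad4s1g"\ngeli_ad4s1g_flags="-k %s/hdd.key"\n' "$tmp" > "$tmp/rc.conf"
    good=$(check_geli_config "$tmp/rc.conf" "$tmp/loader.conf" "$tmp/fstab" ad4s1g passphrase)

    rm -rf "$tmp"
    echo "$bad $good"
}

demo
```

Run it on the real files with `check_geli_config /etc/rc.conf /boot/loader.conf /etc/fstab ad4s1g passphrase` (as root, since the keyfile under /root is not readable otherwise). A result of 0 means the three files are consistent; it does not verify the keyfile or passphrase themselves, which only `geli attach` can do.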


----------



## z662 (May 14, 2011)

Thank you!  That did the trick.  Shouldn't that be removed from the handbook as the *geli init* command used in the handbook does not include the -p flag?  

The only thing that does not seem correct is now when I login and *cd* the system thinks my homedir is /root  Why?  How can I fix it so it defaults to the normal behavior of /usr/home?


----------



## bes (May 14, 2011)

> ..handbook does not include the -p flag?


To use passphrase:

```
geli_ad4s1g_flags="-k /root/hdd.key"
```


----------



## z662 (May 15, 2011)

I was referring to the *geli init* command.


----------

