# Encrypting a zfs zvol device with gbde
## Alain De Vos (Jun 21, 2021)

Why would you encrypt a zfs zvol device with gbde? Because you can, and it is easy.
1. You stay away from system, boot & root partitions so you don't have boot problems.
2. Most private data is relatively small, and fits in one directory with subdirectories.
Note: zfs allows encryption by itself, but this method is more instructive.

Load the kernel module,

```
kldload geom_bde.ko
```
Create the zvol

```
zfs create -V 10G ZPOOL/private
```
Set the volmode

```
zfs set volmode=full ZPOOL/private
```
Make a lock file directory

```
mkdir /etc/gbde
```
Encrypt the device. Enter a passphrase. As blocksize you can choose 4096, which is 512*8.

```
gbde init /dev/zvol/ZPOOL/private -i -L /etc/gbde/private.lock
```
Format the encrypted device to UFS

```
newfs -U -j -O 2 /dev/zvol/ZPOOL/private.bde
```
Mount the encrypted device,

```
mkdir /private
mount /dev/zvol/ZPOOL/private.bde /private
```
Set ownership & rwx flags,

```
chown myuser:mygroup /private
chmod 700 /private
```
The encrypted directory /private is ready to be used.

A script to attach & mount,

```
#!/bin/sh
# Attach the gbde layer (prompts for the passphrase), then mount the cleartext .bde device
/sbin/gbde attach /dev/zvol/ZPOOL/private -l /etc/gbde/private.lock
/sbin/mount /dev/zvol/ZPOOL/private.bde /private
/bin/df -H | /usr/bin/grep private
```

A script to unmount & detach,

```
#!/bin/sh
# Unmount first; the gbde layer can only be detached once nothing uses the .bde device
/sbin/umount /private
/bin/df -H | /usr/bin/grep private
/sbin/gbde detach /dev/zvol/ZPOOL/private
```
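
The attach and detach scripts above, rewritten as an added example (not the original poster's code) with the checks an administrator would want: the module is loaded with `kldload -n` (a no-op if already present), the lock file must exist with mode 0600, a second attach is refused, the volume is mounted nosuid,noexec, and detach refuses while the mount is busy. It assumes the post's names (ZPOOL/private, /etc/gbde/private.lock, /private), overridable through environment variables.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes the names used
# in the post: zvol ZPOOL/private, lock /etc/gbde/private.lock, mount /private.
set -eu

ZVOL="${ZVOL:-ZPOOL/private}"
LOCK="${LOCK:-/etc/gbde/private.lock}"
MNT="${MNT:-/private}"

# Raw zvol device, and the cleartext .bde provider gbde creates on top of it
bde_raw() { printf '/dev/zvol/%s\n' "$1"; }
bde_dev() { printf '/dev/zvol/%s.bde\n' "$1"; }

# The lock file holds the metadata gbde needs to find and read its key sector;
# keep it private (mode 0600) and refuse to attach otherwise.
lock_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

attach_private() {
    kldload -n geom_bde                     # no-op if already loaded
    lock_ok "$LOCK" || { echo "refusing: $LOCK missing or not mode 0600" >&2; return 1; }
    if [ -e "$(bde_dev "$ZVOL")" ]; then
        echo "already attached: $(bde_dev "$ZVOL")" >&2   # do not attach twice
    else
        gbde attach "$(bde_raw "$ZVOL")" -l "$LOCK"       # prompts for the passphrase
    fi
    # nothing on the private volume should run, let alone setuid
    mount -o nosuid,noexec "$(bde_dev "$ZVOL")" "$MNT"
    df -H "$MNT"
}

detach_private() {
    # umount fails while a process holds the mount; leave the gbde layer up then
    if mount | grep -q " on $MNT "; then
        umount "$MNT" || { echo "$MNT is busy, not detaching" >&2; return 1; }
    fi
    gbde detach "$(bde_raw "$ZVOL")"
}

case "${1:-}" in
    attach) attach_private ;;
    detach) detach_private ;;
esac
```

Run it as `sh private.sh attach` or `sh private.sh detach`; the helper functions can also be sourced and reused for other zvols.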

----------

## bob2112 (Jan 3, 2022)

I'm wondering what would happen in case of an uncorrectable error. With zfs native encryption you would only lose one file, but I'm guessing you would lose the whole gbde partition.  

Practically anyone that's considering the use of gbde should choose geli instead. gbde was introduced in FreeBSD 5 and was, more or less, obsoleted by geli in 6. I don't think it's had any active development in about two decades. geli is much better.

There is a very niche reason for choosing gbde, but IMO the use case is a bit contrived. gbde has a way of destroying key material that can be verified by gbde(8). The idea is that if you are threatened with violence, you can demonstrate that you have made the data permanently inaccessible. Of course that relies on your attacker accepting a lesson in gbde, believing you and also being confident that you haven't hacked gbde(8). 

There is another way of creating small geli devices that I've found useful. You create a file-backed md device and put geli + ufs on that. It's more flexible because you can move the backing file around and back it up without mounting.
