# FreeBSD + geli



## graudeejs (Nov 16, 2008)

Today I decided to try and set up GELI for most of my system....
I would like to use it for the entire disk, but my PC can't boot from a USB stick, so I will leave root unencrypted....

You can leave only /boot unencrypted, but I find that in my situation leaving root unencrypted is better, because if anything happens I can boot in single user mode without problems...

So as you know, geli ain't supported by sysinstall.
Recently I broke some things on my box and I wanted to reinstall BSD, so that's why.

*Step 0) preparing*
Back up your data to some safe place.

What do you need?
1x PC
1x HDD
FreeBSD CD or already installed FreeBSD
patience

*Step 1) Get FreeBSD on disk*
_note: if you already have BSD on your disk, then back up your data and skip this step_

I installed the bare minimum base and kernel.
My disk is detected as ad4:
ad4s1a - / - 512M
ad4s1b - swap - about 512M
ad4s2d - /usr - 10G
ad4s2e - /var - 1G
ad4s2f - /tmp - 12G
ad4s2g - /home - about 5G
ad4s3d - /home/files - rest of disk


*Step 2) Reboot in single user mode*

Back up /usr and /var to another disk/slice (you will need the backups later)

```
$ kldload geom_eli
$ mount -uo rw /
$ mount -a
$ cd /home/files
$ dump -0Lauf /home/files/usr.dump /usr
$ dump -0Lauf /home/files/var.dump /var
$ dump -0Lauf /home/files/root.dump /
$ cd /
$ umount /usr /var /tmp /home/files /home
```

Now you may want to sanitize your disk

```
$ dd if=/dev/random of=/dev/ad4s2 bs=1m
```
You can increase bs to speed things up (I use 16m or 8m, as my disk has a 16m buffer)


```
$ echo > /label
$ bsdlabel -R /dev/ad4s2 /label
```
This will clear the bsdlabel from ad4s2, which means you will no longer see
/dev/ad4s2d, /dev/ad4s2e, /dev/ad4s2f, /dev/ad4s2g
Q: Why would you want to do that?
A: Because we are going to encrypt the entire slice /dev/ad4s2



*Step 3) Initialize GELI*
For this one I won't use a keyfile, only a password

```
$ geli init -b -s 4096 /dev/ad4s2
Enter password 2x
$ geli attach /dev/ad4s2
Enter password
```
*-b* means that the password should be asked for during boot, so that the file systems can be mounted when the computer starts.
This is an important thing, so don't forget to type it.

*Step 4) Ugly mess with bsdlabel*
You probably won't have an editor available;
that's why I had to use this very UGLY mess

```
$ bsdlabel -w /dev/ad4s2.eli
$ bsdlabel -A /dev/ad4s2.eli > /label
$ geli detach /dev/ad4s2.eli
```
And now repeat step 3 one more time, and go straight to step 5 (skip step 4).
This is necessary to know what values to enter for bsdlabel,
and you need to repeat step 3 because otherwise you will get a warning.
*yes, it sux*

*Step 5) Edit bsdlabel*

```
$ cat /label
```
You should see something like this:

```
# /dev/ad4s2.eli:
2 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:  7600751        2    unused        0     0
  c:  7600753        0    unused        0     0         # "raw" part, don't edit
```
echo the line that starts with c:



```
$ echo 'c: 7600753 0 unused 0 0' > /label
$ echo 'd: 10G * 4.2BSD' >> /label
$ echo 'e: 1G * 4.2BSD' >> /label
$ echo 'f: 12G * 4.2BSD' >> /label
$ echo 'g: * * 4.2BSD' >> /label
$ bsdlabel -R /dev/ad4s2.eli /label
```
This will make partitions for /usr (10G), /var (1G), /tmp (12G), /home (rest)

*Step 6) newfs and mount*

```
$ newfs -U /dev/ad4s2.elid
$ newfs -U /dev/ad4s2.elie
$ newfs -U /dev/ad4s2.elif
$ newfs -U /dev/ad4s2.elig
$ mount /dev/ad4s2.elid /usr
$ mount /dev/ad4s2.elie /var
$ mount /dev/ad4s2.elif /tmp
$ mount /dev/ad4s2.elig /home
```

*Step 7) restore files*

```
$ mkdir /home/files
$ mount /dev/ad4s3d /home/files
$ cd /usr
$ restore -rf /home/files/usr.dump
$ cd /var
$ restore -rf /home/files/var.dump
```

*Step 8) edit files*
You need to edit /etc/fstab.
For this, I did

```
$ mv /etc/fstab /etc/fstab.bak
$ cat /etc/fstab.bak
```
and using echo manually wrote a new /etc/fstab:

```
# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3d		/home/files	ufs	rw			2 2
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
# changed: ".eli" inserted into the four ad4s2 devices (ad4s2.elid/e/f/g)
```


Next thing is to load geli during boot, because I'm using the GENERIC kernel

```
$ echo 'geom_eli_load="YES"'>> /boot/loader.conf
```

*Step 9) reboot*
You should be able to reboot in multiuser mode without problems....

*Step 10) encrypt swap*
Turn off swap

```
$ swapoff /dev/ad4s1b
```

Again you may want to sanitize your swap and /dev/ad4s3

```
$ dd if=/dev/random of=/dev/ad4s1b bs=1m
```

Now let's encrypt and mount swap

```
$ geli onetime -d -e 3des /dev/ad4s1b
$ swapon /dev/ad4s1b.eli
```
You need to edit your /etc/fstab

```
# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b.eli		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3d		/home/files	ufs	rw			2 2
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
# changed: ".eli" appended to the swap device (ad4s1b.eli)
```

You'll also need to add the following line to your /etc/rc.conf

```
geli_swap_flags="-d -e 3des"
```


*Step 11) encrypt /dev/ad4s3*
Unmount, sanitize, and clear labels

```
$ umount /dev/ad4s3d
$ dd if=/dev/random of=/dev/ad4s3 bs=1m
$ echo > /label
$ bsdlabel -R /dev/ad4s3 /label
```

Make a 128-byte key

```
$ dd if=/dev/random of=/root/files.key bs=128 count=1
```

Initialize geli (this will use a keyfile and a password).
I don't want to mount it at boot, so that's why I don't use the -b option

```
$ geli init -s 4096 -K /root/files.key /dev/ad4s3
enter password 2x
$ geli attach -k /root/files.key /dev/ad4s3
enter password
```

Now, there are 2 choices:
a) you can newfs -U /dev/ad4s3.eli and use it as is....
b) you can make labels for /dev/ad4s3.eli (as I understand this is better, but I'm not sure)

*Step 11.a)*

```
$ newfs -U /dev/ad4s3.eli
$ mount /dev/ad4s3.eli /home/files
```

Edit fstab

```
# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b.eli		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3.eli		/home/files	ufs	rw,noauto		0 0
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
# changed: /home/files device is now ad4s3.eli, options rw,noauto, dump/pass 0 0
```

*Step 11.b)*
Do the same thing as in step 4,
and then reinitialize geli for /dev/ad4s3 (step 11); you don't need to generate a new key.
Then do the same thing as in step 5, but
this time you only need to add one label (d:)

```
# the c: line must be the one printed by bsdlabel -A /dev/ad4s3.eli in the
# repeated step 4, not the ad4s2 value shown here
$ echo 'c: 7600753 0 unused 0 0' > /label
$ echo 'd: * * 4.2BSD' >> /label
$ bsdlabel -R /dev/ad4s3.eli /label
$ newfs -U /dev/ad4s3.elid
```
The 2nd echo line will make sure that you use all the space on the slice for label d

Now edit fstab

```
# Device		Mountpoint	FStype	Options		     Dump Pass#
/dev/ad4s1b.eli		none		swap	sw			0 0
/dev/ad4s1a		/		ufs	rw			1 1
/dev/ad4s2.elig		/home		ufs	rw			2 2
/dev/ad4s3.elid		/home/files	ufs	rw,noauto		0 0
/dev/ad4s2.elif		/tmp		ufs	rw,noatime,async	2 2
/dev/ad4s2.elid		/usr		ufs	rw			2 2
/dev/ad4s2.elie		/var		ufs	rw			2 2
/dev/acd0		/cdrom		cd9660	ro,noauto		0 0
# changed: /home/files device is now ad4s3.elid, options rw,noauto, dump/pass 0 0
```

*Attaching /home/files*
Next time you reboot, to attach /home/files, as root type:

```
$ geli attach -k /root/files.key /dev/ad4s3
enter password
$ mount /home/files
```

And that seems to be it

*NOTE*
Don't forget passwords,
and don't lose the key.
Keep the key in a safe place (a USB stick perhaps).
Make a backup of the key, just in case.
It's possible to leave only /boot unencrypted, but for that you might need another HDD.
Also it is possible to encrypt the entire disk, but then you need a USB stick with /boot on it, and a PC that can boot from flash.

To those who wonder why swap is encrypted separately:
that's because I don't need a password for swap encryption.
It will use one-time encryption... so there is no way to decrypt that.
Also, if necessary, you can modify it and use it elsewhere later (for example create a d: partition)


*Resources*
man geli
Handbook 18.16.2
Handbook 18.17


I hope this was useful for someone...
If you have questions, ask, I will answer....

And if anyone has a better idea how to avoid the annoying step 4, let me know
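The guide above writes two files by hand with echo: the bsdlabel input in step 5 and /etc/fstab in steps 8, 10 and 11. The script below is an added example, not code from the original post: it generates the label file from a size list, rewrites the fstab device names onto the .eli provider, and lints the result so that any .eli entry whose provider was not initialised with `-b` (and so will not exist when rc mounts file systems) is flagged unless it carries noauto, which is the step 11 case. It is pure text processing and runs anywhere; it never calls geli or bsdlabel. Device names are the post's (ad4s1/ad4s2/ad4s3), the sample fstab is constructed from the post's listing, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: text-only helpers for the two
# files the guide has you write by hand with echo, the bsdlabel input (step 5)
# and /etc/fstab (steps 8, 10 and 11). Nothing here runs geli or bsdlabel or
# touches a disk; feed the output to bsdlabel -R or copy it over /etc/fstab
# yourself. Device names are the ones from the post; the sample fstab is
# constructed from the post's listing.

tab=$(printf '\t')

# make_label CLINE SPEC...
# CLINE is the "c:" line copied from `bsdlabel -A /dev/ad4s2.eli` (step 4).
# Each SPEC is "letter:size" with a bsdlabel size (10G, 1G, or * for the rest).
# Prints the same file the echo chain in step 5 produces.
make_label() {
    cline=$1; shift
    printf '%s\n' "$cline"
    for spec in "$@"; do
        printf '%s: %s * 4.2BSD\n' "${spec%%:*}" "${spec#*:}"
    done
}

# elify_fstab SLICE
# Reads an fstab on stdin and rewrites /dev/SLICE<letter> to
# /dev/SLICE.eli<letter>, the edit marked in step 8. Lines that already name
# the .eli provider, and lines for other devices, pass through unchanged.
elify_fstab() {
    slice=$1
    while IFS= read -r line; do
        dev=${line%%[ $tab]*}                      # first field only
        case $dev in
            /dev/"$slice".eli*) printf '%s\n' "$line" ;;
            /dev/"$slice"*)     printf '/dev/%s.eli%s%s\n' "$slice" \
                                    "${dev#"/dev/$slice"}" "${line#"$dev"}" ;;
            *)                  printf '%s\n' "$line" ;;
        esac
    done
}

# lint_fstab BOOTPROVIDER...
# Reads an fstab on stdin. An .eli provider that was NOT initialised with
# `geli init -b` (i.e. not named as a BOOTPROVIDER argument) does not exist
# when rc mounts file systems, so its entry needs noauto (as in step 11) or
# the boot stalls. Swap is skipped because rc attaches it via geli_swap_flags.
# Prints the number of offending entries and returns non-zero if there are any.
lint_fstab() {
    bad=0
    while read -r dev mnt type opts dump pass; do
        case $dev in /dev/*.eli*) ;; *) continue ;; esac
        [ "$type" = swap ] && continue
        prov=${dev#/dev/}; prov=${prov%%.eli*}
        atboot=no
        for p in "$@"; do [ "$p" = "$prov" ] && atboot=yes; done
        [ "$atboot" = yes ] && continue
        case ",$opts," in
            *,noauto,*) ;;
            *) echo "$dev on $mnt: $prov is not attached at boot, add noauto" >&2
               bad=$((bad + 1)) ;;
        esac
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Constructed sample: the fstab from step 8 before the .eli edits, plus the
# /home/files line from step 11.a with noauto deliberately left out.
sample_fstab() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        /dev/ad4s1b    none        swap sw               '0 0' \
        /dev/ad4s1a    /           ufs  rw               '1 1' \
        /dev/ad4s2g    /home       ufs  rw               '2 2' \
        /dev/ad4s3.eli /home/files ufs  rw               '2 2' \
        /dev/ad4s2f    /tmp        ufs  rw,noatime,async '2 2' \
        /dev/ad4s2d    /usr        ufs  rw               '2 2' \
        /dev/ad4s2e    /var        ufs  rw               '2 2'
}

demo() {
    echo '== label file for: bsdlabel -R /dev/ad4s2.eli /label =='
    make_label 'c: 7600753 0 unused 0 0' d:10G e:1G f:12G 'g:*'
    echo '== fstab with the ad4s2 partitions moved onto ad4s2.eli =='
    sample_fstab | elify_fstab ad4s2
    echo '== lint (only ad4s2 was initialised with -b): expect 1 complaint =='
    sample_fstab | elify_fstab ad4s2 | lint_fstab ad4s2
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh geli-fstab.sh demo` to see the three outputs; the lint complains about /dev/ad4s3.eli exactly because step 11 attaches that provider by hand with a keyfile, so its fstab line must be noauto. Passing `ad4s3` as a second boot provider would silence it, which is only correct if ad4s3 was really initialised with `-b`.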


----------



## graudeejs (Nov 16, 2008)

*UPDATE: 1*
When you unmount an encrypted drive, it will still be accessible (with dd for example);
you need to detach it

```
geli detach /dev/ad0s1f.eli
```

And here's the important stuff:
if you use an encrypted USB stick.....
don't forget to detach it after you unmount it.....
Failing to do so will/may cause a panic.
This is for everything....
probably including disk images


*UPDATE: 2*

Carpetsmoker said:

> You can also use a image instead of a ``real'' filesystem, for example on FreeBSD:
> 
> First create a image, 100MB in this case:
> 
> ...



Before you use

```
# mdconfig -du0
```
to detach the device (a file in this case), as suggested by Carpetsmoker,
make sure you use *geli detach*

```
geli detach /dev/md0.eli
```
For the reasons, read update 1

*UPDATE: 3*
At step 4, you may try to skip *geli detach* and continue to steps 5 and 6 if there are no weird errors (I had some); if you get errors, fall back to this guide (in short, steps 4,3,5,6...)

So if you get errors do 1,2,3,4,3,5,6,7,8,9,10,11
If you don't get errors do 1,2,3,4,5,6,7,8,9,10,11

_If you feel confused, ignore this update and PM me (or make a post)..... I'll see if I can improve things_



Another good source:
http://bge-tard.blogspot.com/2007/09...on-system.html


----------



## keramida@ (Nov 17, 2008)

*another guide for geli & zfs*

Rink Springer has also posted a nice mini-guide for setting up geli encryption and ZFS with a small unencrypted "/boot" slice.  His post is online at his weblog:

http://rink.nu/entry.php?id=105

It's not a comprehensive guide that attempts to cover all the corner-cases or to cater to, say, Eric Raymond's famous aunt, but more like a "braindump".  But I liked it a lot ;-)


----------



## taromaru (Nov 17, 2008)

keramida@ said:

> Rink Springer has also posted a nice mini-guide for setting up geli encryption and ZFS with a small unencrypted "/boot" slice.  His post is online at his weblog:
> 
> http://rink.nu/entry.php?id=105
> 
> It's not a comprehensive guide that attempts to cover all the corner-cases or to cater to, say, Eric Raymond's famous aunt, but more like a "braindump".  But I liked it a lot ;-)



I also found this guide useful. According to the description this document helps getting:

> a FreeBSD installation on an AES265 encrypted root filesystem using GELI. In this example 6.2 was used, other version may work similar. To have a complete bootable system on one harddisk, two partitions will be used. A small unencrypted boot partition with the kernel and a second partition which holds the encrypted root filesystem.

I may give it a try, as one of those mini-guides says... you never know when an encrypted FS can become handy

Keep up the good work guys, thank you killasmurf86!


----------



## Watermelon (Nov 20, 2008)

Hi,
another good tutorial, which also describes how to use a USB thumb drive as boot device....
http://www.proportion.ch/index.php?page=31

I, for example, dual-boot XP and FreeBSD and have both encrypted entirely.
I boot from a USB drive which contains the TrueCrypt MBR (XP) and the FreeBSD boot data.

Regards, watermelon


----------



## malcarada (Nov 29, 2008)

That is great! Thank you for explaining Geli so clearly!


----------



## graudeejs (Nov 30, 2008)

Hmm, about editing BSD labels: you can (should be able to) use /rescue/vi (but you need to give the direct path or set the PATH variable for executables).
Why didn't I think of it


----------

