# HOWTO: Encrypting Virtual Disks



## phil10 (Dec 20, 2010)

I recently faced a problem where I wanted to encrypt partitions on which FreeBSD was already installed. The alternative to erasing all of your disks is to use virtual disks.

Create a virtual disk image with a block size of 4096 bytes. Filling it from /dev/random instead of /dev/zero is the safer choice, because once the image is encrypted unused blocks are then indistinguishable from ciphertext; zero-filling is fine for a quick test.

```
% dd if=/dev/zero of=imageFile bs=4k count=<count of 4k blocks>
```

Create a file backed device

```
# mdconfig -a -t vnode -f imageFile -u 0
```

Now for the configuration of the geli(8) tool.

Fetch some random data for a key file. Together with the passphrase it is needed to unlock the master key, so keep it readable by root only and back it up; without it the data is unrecoverable.

```
# dd if=/dev/random of=/root/md0.key bs=64 count=1
```

Initialise the device with geli using a 4096-byte sector size (you will be asked for a passphrase here; a metadata backup is written to /var/backups/md0.eli by default)

```
# geli init -s 4096 -K /root/md0.key /dev/md0
```

Attach the newly created device with geli, passing the key file (the passphrase is asked for again)

```
# geli attach -k /root/md0.key /dev/md0
```

This creates a device called /dev/md0.eli, which is the one used in all subsequent commands; never write to the raw /dev/md0 while the provider is attached.

Create a new filesystem on the virtual disk

```
# newfs /dev/md0.eli
```

Mount the disk

```
# mount /dev/md0.eli <mountpoint>
```

Now you can use the disk, do whatever you want with it.

To unmount the filesystem and detach the encrypted provider

```
# umount <mountpoint>
# geli detach md0.eli
```

To restore from your metadata backup (written by geli init to /var/backups/md0.eli by default), for example if you accidentally cleared the metadata on the device with geli(8):

```
# geli restore /var/backups/md0.eli /dev/md0
```

Detach the memory disk completely from the system

```
# mdconfig -d -u 0
```

That's about it; with these simple commands you can create, encrypt and use a virtual memory disk.
For further reading about memory disks in FreeBSD please refer to Virtual Disks.
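The steps above, rolled into one script with error checking, as an added example that is not part of the original post. It assumes FreeBSD with mdconfig(8), geli(8) and newfs(8), run as root, and takes the image file, size in MiB, key file and mountpoint as arguments (all names are the caller's choice). Unlike the manual steps it lets mdconfig pick the first free unit, which it prints when -u is omitted, and it fills the image from /dev/random.

```sh
#!/bin/sh
# createImage.sh: added example, not part of the original post. Runs the whole
# procedure above (image file, md device, geli init/attach, newfs, mount) in
# one go with error checking. Assumes FreeBSD with mdconfig(8), geli(8) and
# newfs(8), run as root; file names are whatever the caller passes in.
set -eu

# Number of 4 KiB blocks dd must write for a size given in MiB.
blocks_for_mib() {
	echo $(( $1 * 256 ))
}

# Unit number of an md device name: "md3" or "/dev/md3" -> 3.
# mdconfig(8) prints the allocated name when -u is not given, so the caller
# no longer has to guess which unit is free.
md_unit() {
	_name=${1#/dev/}
	case "$_name" in
		md[0-9]*) echo "${_name#md}" ;;
		*) echo "not an md device: $1" >&2; return 1 ;;
	esac
}

create_image() {
	image=$1; size_mib=$2; key=$3; mnt=$4

	# Fill with random data rather than zeros so unused space cannot be told
	# apart from ciphertext once the provider is attached.
	dd if=/dev/random of="$image" bs=4k count="$(blocks_for_mib "$size_mib")"

	# Attach the image; mdconfig picks the first free unit and prints it.
	unit=$(md_unit "$(mdconfig -a -t vnode -f "$image")")
	dev="/dev/md$unit"

	# The key file is the second factor next to the passphrase; keep it root-only.
	dd if=/dev/random of="$key" bs=64 count=1
	chmod 600 "$key"

	# geli init asks for the passphrase; the metadata backup lands in
	# /var/backups/md$unit.eli by default.
	geli init -s 4096 -K "$key" "$dev"
	geli attach -k "$key" "$dev"

	newfs "$dev.eli"
	mount "$dev.eli" "$mnt"
	echo "$dev.eli mounted at $mnt"
}

if [ $# -eq 4 ]
then
	create_image "$@"
else
	echo "usage: $0 imageFile sizeMiB keyFile mountpoint" >&2
fi
```

Because of `set -e` the script stops at the first failing step, so a typo in the mountpoint leaves you with an attached provider rather than a half-configured mess you have to trace back by hand; `geli list` shows what is currently attached.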

Here are two really simple shell scripts that will take care of mounting and unmounting the created memory disks:
mountImage.sh

```
#!/bin/sh
# Basic script to attach and mount a geli-encrypted memory disk image

mountImage()
{
	dev=$1
	dir=$2
	echo "mounting $dev at $dir"
	mount "$dev" "$dir"
}

echo "Give me the name of the image to mount"
read image

echo "Where to mount it?"
read mountDir

echo "Where is the geli key?"
read geliKey

baseDevice="/dev/md"
device=""

# get the first free minor number to attach the image to
for minorNumber in 0 1 2 3 4 5 6 7 8 9 10
do
	if [ ! -e "$baseDevice$minorNumber" ]
	then
		device="$baseDevice$minorNumber"
		echo "Found free device $device"
		break
	fi
done

if [ -z "$device" ]
then
	echo "No free md device found" >&2
	exit 1
fi

echo "Using $device to mount $image"

if mdconfig -a -t vnode -f "$image" -u "$minorNumber"
then
	echo "Created $device from $image"
	# geli attach asks for the passphrase; the key file is the second factor
	if geli attach -k "$geliKey" "$device"
	then
		mountImage "$device.eli" "$mountDir"
	else
		# do not leave the raw image attached if the key or passphrase was wrong
		mdconfig -d -u "$minorNumber"
	fi
fi
```

and
umountImage.sh

```
#!/bin/sh
# Basic script to unmount and detach a geli-encrypted memory disk

echo "What dir to unmount?"
read umountDir

echo "What device to detach with geli? (md0, md1, ...)"
read geliDevice

# the unit number is the part of the name after "md"
minor=${geliDevice#md}

umount "$umountDir" || exit 1

device="/dev/$geliDevice.eli"

if [ -e "$device" ]
then
	geli detach "$device"

	mdconfig -d -u "$minor"
fi
```



