# Encrypting Disk Partitions



## phil10 (Dec 20, 2010)

Hello there,

I have recently installed FreeBSD and would like to encrypt my already set up disk partitions. Reinstallation should not be an option in my case, as I would like to use my created partitions as encrypted ones.

My Layout looks like this:

```
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/ad6s1a    2.9G    512M    2.2G    19%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/ad6s1e    1.9G     14K    1.8G     0%    /tmp
/dev/ad6s1f    893G    132G    690G    16%    /usr
/dev/ad6s1d    1.9G     98M    1.7G     5%    /var
```

I found the corresponding page in the handbook http://www.freebsd.org/doc/handbook/disks-encrypting.html where it says you need to insert a new hard drive for the setup to work.

Any suggestions?

Best regards, phil10


----------



## graudeejs (Dec 20, 2010)

You will need to reformat your partitions.
As long as you can copy stuff on your disks somewhere else you're OK.


The question is what exactly do you want to encrypt?
If you want to encrypt everything, I would suggest encrypting the entire disk, and then repartitioning the encrypted disk and formatting the slices.


Whatever you do, encryption will ruin the FS on the slice/partition/label/disk (whatever you encrypt), so you will have to reformat, repartition, etc. your drive.


----------



## phil10 (Dec 20, 2010)

Actually I only need to encrypt one partition, not the whole system. Preferable would be the /usr partition.

Knowing that there are the /home folders and my whole ports tree + the kernel configurations, what should the procedure of encrypting /usr look like?

Something like that?

* Back up everything in /usr
* Format /usr using geli
* Move my stuff back into the encrypted /usr

Best regards


----------



## graudeejs (Dec 20, 2010)

phil10 said:

> Actually i only need to encrypt one partition, not the whole system. Preferable would be the /usr partition.
> 
> Knowing that there are the /home folders and my whole ports tree + the kernel configurations, how should the procedure of encrypting /usr look like?
> 
> ...


Yeah, something like that:


* make sure geom_eli is either loaded as a module (/loader.conf) or compiled into the kernel
* Backup /usr
* umount /usr
* Init geli on /dev/ad6s1f
* activate geli on /dev/ad6s1f
* format /usr (/dev/ad6s1f.eli)
* mount /dev/ad6s1f.eli to /usr
* restore from backups
* fix /etc/fstab (replace /dev/ad6s1f with /dev/ad6s1f.eli)
* adjust /loader.conf so /usr is available when the kernel is loaded and you start to load daemons, etc.

However, I would do it differently. I'd encrypt either everything, or only /home.
I don't like /usr/sbin and /usr/bin and such stuff encrypted when the rest of the base is unencrypted. (Maybe that can cause problems when you run single user mode [frankly I don't remember, because I haven't used single user mode for quite some time].)

Anyway, as long as you have the key/passphrase you should be OK.


----------



## phil10 (Dec 20, 2010)

Thanks for the quick reply! Only encrypting /home seems like a good idea to me too, because all of my sensitive data resides there.

The problem is that I don't know how to encrypt /home only, as this is just a subfolder of the /usr partition.
Do you know how I would do that?

A thing to keep in mind is that I access the machine via ssh, and sshd is in /usr/sbin. I could log onto a terminal locally, but this would be a complicated thing to do.


----------



## graudeejs (Dec 20, 2010)

You will need to repartition your HDD and make a new partition for /home.
So it's probably not possible via ssh (I wouldn't risk it).

You can, however, make a quick and dirty hack until you have physical access to the machine (if ever).
You can make a disk image and encrypt it, then you could write a custom rc script to mount your /home (this could be complicated).
Or you can do the same, but only store sensitive data in such a "virtual disk"; this way you can mount it manually (mdconfig, geli and mount).

All in all, I don't recommend messing with encryption over ssh.
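Both routes graudeejs describes above (reformatting the backed-up /usr partition /dev/ad6s1f as a geli provider, or keeping a small mdconfig-backed encrypted image that is attached by hand) as one added example; this script is not from the thread. It assumes FreeBSD's geli(8), mdconfig(8) and newfs(8), root privileges, and an interactively typed passphrase; the image path /usr/home/vault.img and mount point /mnt/vault are assumed names, and only the two text helpers at the bottom run on anything other than FreeBSD.

```shell
#!/bin/sh
# Added example (not from the thread). FreeBSD-specific: needs geli(8), mdconfig(8),
# newfs(8) and root; geli init/attach prompt for the passphrase interactively.
# /dev/ad6s1f is the /usr partition from the first post; the image path is assumed.
set -eu

# Option 1: reuse the existing, already backed-up and unmounted partition.
# geli init overwrites the provider's metadata area, so the old UFS is gone afterwards.
geli_format_partition() {
    dev=$1; mnt=$2                       # e.g. /dev/ad6s1f /usr
    geli init -s 4096 "$dev"             # write geli metadata, set passphrase
    geli attach "$dev"                   # exposes ${dev}.eli
    newfs -U "${dev}.eli"                # fresh UFS with soft updates
    mount "${dev}.eli" "$mnt"            # restore the backup into $mnt afterwards
}

# Option 2: a file-backed "virtual disk" for sensitive data only; attach it by
# hand (mdconfig, geli, mount) whenever it is needed. No fstab change required.
create_encrypted_image() {
    img=$1; size=$2; mnt=$3              # e.g. /usr/home/vault.img 1g /mnt/vault
    truncate -s "$size" "$img"
    unit=$(mdconfig -a -t vnode -f "$img")   # prints the md unit name, e.g. md0
    geli init -s 4096 "/dev/$unit"
    geli attach "/dev/$unit"
    newfs -U "/dev/$unit.eli"
    mkdir -p "$mnt"
    mount "/dev/$unit.eli" "$mnt"
    echo "$unit"                         # to put away: umount, geli detach, mdconfig -d -u
}

# Boot-time plumbing for option 1. Plain text edits, so they can be checked anywhere.
switch_fstab_to_eli() {                  # rewrite the device column: /dev/X -> /dev/X.eli
    fstab=$1; dev=$2
    sed "s|^${dev}\([[:space:]]\)|${dev}.eli\1|" "$fstab" > "$fstab.new"
    mv "$fstab.new" "$fstab"
}
append_once() {                          # add line $2 to file $1 unless already present
    grep -qxF -- "$2" "$1" 2>/dev/null || echo "$2" >> "$1"
}

case "${1:-}" in
usr)   geli_format_partition /dev/ad6s1f /usr
       switch_fstab_to_eli /etc/fstab /dev/ad6s1f
       # the module must be loaded before rc.d/geli attaches the .eli devices from fstab
       append_once /boot/loader.conf 'geom_eli_load="YES"' ;;
image) create_encrypted_image /usr/home/vault.img 1g /mnt/vault ;;
esac
```

Run it as `sh script.sh usr` only after /usr is backed up and unmounted, since `geli init` destroys the existing filesystem; `sh script.sh image` is the ssh-safe route that leaves the existing partitions untouched.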


----------



## graudeejs (Dec 20, 2010)

Also I'd like to note that in FreeBSD-9, or maybe even in FreeBSD-8.2 (or 3), there will be improved encryption (it will be improved because it won't use a single key to encrypt the entire disk, but instead will use an array of keys).


----------



## phil10 (Dec 20, 2010)

killasmurf86 said:

> Or you can do same, but only store sensitive data in such "virtual disk", this way you can mount it manually (mdconfig, geli and mount)
> 
> All in all, I don't recommend messing with encryption over ssh



This sounds very reasonable. I didn't know it was possible to create memory disks in FreeBSD like that. I believe the mdconfig procedure would be similar to the one you described above, except that I will have to create a device with mdconfig, mount it and then run geli over it, right?


----------



## phil10 (Dec 20, 2010)

I just posted a small HOWTO of what I did here: HOWTO.


----------



## graudeejs (Dec 20, 2010)

So I suppose this thread is solved?


----------



## phil10 (Dec 20, 2010)

killasmurf86 said:

> So I suppose this thread is solved?



Yup


----------



## graudeejs (Dec 20, 2010)

Edit 1st post, go to advanced mode, and mark thread solved (near thread title)


----------

