Those instructions use the Linux dm-crypt (device-mapper) facility available on the 2.6 kernel.

In this example, lets encrypt the partition /dev/sdc1, it could be however any other partition or disk, or USB or a file based partition created with losetup. In this case we would use /dev/loop0. See file image partition. The device mapper uses labels to identify a partition. We use sdc1 in this example, but it could be any string.

dm-crypt with LUKS

LUKS with dm-crypt has better encryption and makes it possible to have multiple passphrase for the same partition or to change the password easily. To test if LUKS is available, simply type #

cryptsetup --help, if nothing about LUKS shows up, use the instructions below Without LUKS.

First create a partition if necessary: fdisk /dev/sdc.

Create encrypted partition

# dd if=/dev/urandom of=/dev/sdc1 # Optional. For paranoids only (takes days)

# cryptsetup -y luksFormat /dev/sdc1 # This destroys any data on sdc1

# cryptsetup luksOpen /dev/sdc1 sdc1

# mkfs.ext3 /dev/mapper/sdc1 # create ext3 file system

# mount -t ext3 /dev/mapper/sdc1 /mnt

# umount /mnt

# cryptsetup luksClose sdc1 # Detach the encrypted partition

Attach

# cryptsetup luksOpen /dev/sdc1 sdc1

# mount -t ext3 /dev/mapper/sdc1 /mnt

Detach

# umount /mnt

# cryptsetup luksClose sdc1

dm-crypt without LUKS

# cryptsetup -y create sdc1 /dev/sdc1 # or any other partition like /dev/loop0

# dmsetup ls # check it, will display: sdc1 (254, 0)

# mkfs.ext3 /dev/mapper/sdc1 # This is done only the first time!

# mount -t ext3 /dev/mapper/sdc1 /mnt

# umount /mnt/

# cryptsetup remove sdc1 # Detach the encrypted partition

Do exactly the same (without the mkfs part!) to re-attach the partition. If the password is not correct, the mount command will fail. In this case simply remove the map sdc1 (cryptsetup remove sdc1) and create it again.

The two popular FreeBSD disk encryption modules are gbde and geli. I now use geli because it is faster and also uses the crypto device for hardware acceleration. See The FreeBSD handbook Chapter 18.68 for all the details. The geli module must be loaded or compiled into the kernel:

options GEOM_ELI

device crypto # or as module:

# echo 'geom_eli_load="YES"' >> /boot/loader.conf # or do: kldload geom_eli

8.http://www.freebsd.org/handbook/disks-encrypting.html

Use password and key

I use those settings for a typical disk encryption, it uses a passphrase AND a key to encrypt the master key.  That is you need both the password and the generated key /root/ad1.key to attach the partition. The master key is stored inside the partition and is not visible. See below for typical USB or file based image.

Create encrypted partition

# dd if=/dev/random of=/root/ad1.key bs=64 count=1 # this key encrypts the mater key

# geli init -s 4096 -K /root/ad1.key /dev/ad1 # -s 8192 is also OK for disks

# geli attach -k /root/ad1.key /dev/ad1 # DO make a backup of /root/ad1.key

# dd if=/dev/random of=/dev/ad1.eli bs=1m # Optional and takes a long time

# newfs /dev/ad1.eli # Create file system

# mount /dev/ad1.eli /mnt

Attach

# geli attach -k /root/ad1.key /dev/ad1

# fsck -ny -t ffs /dev/ad1.eli # In doubt check the file system

# mount /dev/ad1.eli /mnt

Detach

The detach procedure is done automatically on shutdown.

# umount /mnt

# geli detach /dev/ad1.eli

/etc/fstab

The encrypted partition can be configured to be mounted with /etc/fstab. The password will be

prompted when booting. The following settings are required for this example:

# grep geli /etc/rc.conf

geli_devices="ad1"

geli_ad1_flags="-k /root/ad1.key"

# grep geli /etc/fstab

/dev/ad1.eli /home/private ufs rw 0 0

Use password only

It is more convenient to encrypt a USB stick or file based image with a passphrase only and no key. In this case it is not necessary to carry the additional key file around. The procedure is very much the same as above, simply without the key file. Let's encrypt a file based image

/cryptedfile of 1 GB.

# dd if=/dev/zero of=/cryptedfile bs=1M count=1000 # 1 GB file

# mdconfig -at vnode -f /cryptedfile

# geli init /dev/md0 # encrypts with password only

# geli attach /dev/md0

# newfs -U -m 0 /dev/md0.eli

# mount /dev/md0.eli /mnt

# umount /dev/md0.eli

# geli detach md0.eli

It is now possible to mount this image on an other system with the password only.

# mdconfig -at vnode -f /cryptedfile

# geli attach /dev/md0

# mount /dev/md0.eli /mnt

— Encrypt Partitions —

29