Full Disk Encryption using GPT/UEFI/GELI on FreeBSD


Synopsis

Full disk encryption will prevent unauthorised access to the stored data at rest and should be used on any system that does not have physical security, such as laptops, home/office servers and workstations; and VPS services.

It's important to note that the system administrators of any VPS service can still get full access to your data. Encrypting the disk eliminates the simplicity of copying it.

[top]

Requirements

The FreeBSD installation media.

This document will reference ada0 as the primary disk.

When using newfs, the -t flag is to enable trim on Solid State Drives. Omit this flag if it's not necessary.

[top]

Boot FreeBSD Installer

The entire installation will be performed via the command line, therefore boot from your chosen FreeBSD installation media and select Shell when presented with the main installer menu.

[top]

Create Disk Partition Table

Create Partition Scheme

gpart create -s gpt ada0

Create UEFI Partition

gpart add -t efi -s 800K ada0
dd if=/boot/boot1.efifat of=/dev/ada0p1

Create /boot Partition

The /boot partition remains unencrypted as it stores the bootstrap programs and configuration files. A partition size of 1G will allow for multiple kernels.

gpart add -t freebsd-ufs -s 1G ada0
newfs -Ut /dev/ada0p2

Create GELI Partition

gpart add -t freebsd ada0

Initialise GELI Partition

The geli init command will prompt to set the password. It's important to include the -b parameter as this ensures a prompt for the password at boot.

geli init -e AES-CBC -l 256 -s 4096 -b /dev/ada0s3
geli attach /dev/ada0s3

[top]

Create GELI Partition Table

Create Partition Scheme

gpart create -s bsd ada0s3.eli

Create UFS Partitions

The following partition structure is /, swap, /var and /usr.

I don't create a /tmp partition as I prefer to use a tmpfs file system, and when creating Virtual Machines I also exclude the swap partition and opt for a swap file.

gpart add -t freebsd-ufs -s 1G /dev/ada0s3.eli
gpart add -t freebsd-swap -s 2G /dev/ada0s3.eli
gpart add -t freebsd-ufs -s 2G /dev/ada0s3.eli
gpart add -t freebsd-ufs /dev/ada0s3.eli

Create UFS File Systems

newfs -Ut /dev/ada0s3.elia
newfs -Ut /dev/ada0s3.elid
newfs -Ut /dev/ada0s3.elie

[top]

Mount File Systems

The /bootx directory is for mounting the unencrypted /boot partition.

mount /dev/ada0s3.elia /mnt
mkdir /mnt/var /mnt/usr /mnt/bootx
chmod 700 /mnt/bootx
mount /dev/ada0p2 /mnt/bootx
mount /dev/ada0s3.elid /mnt/var
mount /dev/ada0s3.elie /mnt/usr
chmod 700 /mnt/bootx

[top]

Install FreeBSD

cd /usr/freebsd-dist
export DESTDIR=/mnt
for file in base.txz kernel.txz; do
 cat $file | tar --unlink -xpJf - -C ${DESTDIR:-/}
done

[top]

Configure Boot

Add the following lines to /mnt/boot/loader.conf.

aesni_load="YES"
geom_eli_load="YES"
vfs.root.mountfrom="ufs:/dev/ada0s3.elia"

Add the following lines to /mnt/etc/fstab.

/dev/ada0s3.elia / ufs rw 1 1
/dev/ada0s3.elib none swap sw 0 0
/dev/ada0s3.elid /var ufs rw 2 2
tmpfs /tmp tmpfs rw,mode=01777,size=1048576000 0 0
/dev/ada0s3.elie /usr ufs rw 2 2
/dev/ada0p2 /bootx ufs rw 2 2

[top]

Synchronise /boot

All changes to /boot need to be synchronised to the /bootx file system.

cp -Rvp /mnt/boot /mnt/bootx/

The following script will need to be run whenever changes to /boot occur, which includes when installing a new kernel.

echo -e '#!/bin/sh\n/bin/cp -Rvp /boot /bootx/' > /syncboot.sh
chmod 700 /syncboot.sh

[top]

Unmount and Reboot

Unmount File Systems

umount /mnt/usr
umount /mnt/var
umount /mnt/bootx
umount /mnt

Reboot

shutdown -r now

[top]

References

The following web sites were used as references:

[top]

Copyright 2018