Create Encrypted File System on FreeBSD using GELI

Synopsis

This document describes how to encrypt a file system on FreeBSD using GELI with 256bit AES-CBC encryption. See the GELI(8), MDCONFIG(8) and NEWFS(8) manual pages for more detailed description of the commands and parameters.

This example will use a memory disk, however if you're using a physical disk then skip step 1. and substitute /dev/md0 with your disk's DSF.

For improved performance enable AESNI(4).

Description

If a memory disk is to be used then this needs to be created first. The following commands create a 10GB file and then a vnode DSF /dev/md0:

# dd if=/dev/zero of=/usr/geli.vol bs=1M count=10240
# mdconfig -a -t vnode -f /usr/geli.vol -u 0

The first step in creating an encrypted file system is to generate an encryption key. The following creates a 256bit key:

# dd if=/dev/urandom of=/geli.key bs=1 count=256

The disk is then initialised using the above encryption key and then password protected:

# geli init -e AES-CBC -l 256 -s 4096 -K /boot/geli.key /dev/md0
> password

Decrypt the disk:

# geli attach -d -k /boot/geli.key /dev/md0
> password

If the disk has just been initialised then a new file system must be created prior to mounting:

# newfs -U /dev/md0.eli

Finally, mount the decrypted file system:

# mount /dev/md0.eli /mnt

To auto-decrypt the device at boot time, add the following to /etc/rc.conf.local:

geli_devices="md0"
geli_md0_flags="-k /boot/geli.key"

You'll need to input the password with each boot.

Copyright 2018