Harddisk Encryption with Geli

This is a tutorial to guide you through the setup of a fully encrypted laptop with FreeBSD, Geli, and a separate boot/key flash drive.

Requirements

You need the following items:

Preparations

We start with a running installation of FreeBSD. If you do not know how to do that, please follow the Handbook and install the current version of FreeBSD onto your laptop.

If you prefer not to install FreeBSD first, just boot the laptop with a second USB flash drive that contains memstick.iso and select Shell in the start menu to get to a working shell for later use.

USB Key

The USB flash drive acts as a boot loader for the encrypted laptop and at the same time as the holder of one of the keys required in Geli (the other one will be your personal passphrase).

  1. Plugin your USB flash drive
  2. (Optional) Erase everything on the drive by typing

    # dd if=/dev/zero of=/dev/da0 count=125304832
    

    You have to adjust the count line by the number of blocks available on the USB drive. Check that by looking at the end of the messages log:

    # tail /var/log/messages
    

    The first line above overwrites everything with zeros. Finally using the latter command, you overwrite everything again with random numbers to make it hard for an attacker to distinguish which part is random and which part is actually encrypted.

  3. Create partitions:

    # gpart create -s gpt da0
    # gpart add -t efi -s 800K da0
    # gpart add -t freebsd-ufs da0
    
    # newfs -U -L Key /dev/da0p2
    
  4. Mount the USB drive and install FreeBSD on it:

    # mount /dev/da0p2 /mnt
    # cd /usr/src
    # make DESTDIR=/mnt installworld
    # make DESTDIR=/mnt distribution
    # make DESTDIR=/mnt installkernel
    
  5. Install the EFI boot loader code:

    # dd if=/mnt/boot/boot1.efifat of=/dev/da0p1
    
  6. Put FreeBSD partition into fstab for mounting correctly:

    # echo "/dev/da0p2 / ufs rw 1 1" >> /mnt/etc/fstab
    
  7. Copy the system to the USB drive for later installation on the new laptop:

    # cp kernel.txz /mnt/root/
    # cp base.txz /mnt/root/
    
  8. Unmount flash drive:

    # umount /mnt
    

Laptop

Now, we are ready to install FreeBSD on our Laptop from the newly created USB flash drive.

  1. Plugin your USB flash drive and boot the laptop.
  2. Use root to log in (without any password).
  3. Delete the harddisk:

    # dd if=/dev/random of=/dev/ada0 bs=1m
    
  4. Partition harddisk:

    # gpart create -s gpt ada0
    # gpart add -t freebsd-swap -b 1m -s 8g nvd0
    # gpart add -t freebsd-zfs -a 1m nvd0
    
  5. Encrypt swap partition:

    # echo "/dev/ada0p1.eli none swap sw 0 0" >> /mnt/etc/fstab
    
  6. Encrypt ZFS partition:

    # kldload geom_eli
    # dd if=/dev/random of=/root/nvd0.key bs=256 count=1
    # chmod 400 /root/nvd0.key
    
    # geli init -b -B /root/backup.eli -K /root/ada0.key -s 4096 /dev/ada0p2
    # geli attach -k /root/ada0.key /dev/ada0p2
    
  7. Add ZFS pool:

    # zpool create tank /dev/nvd0p2.eli
    # zfs create tank/tmp
    # zfs create tank/usr
    # zfs create tank/usr/home
    # zfs create tank/usr/ports
    # zfs create tank/usr/ports/distfiles
    # zfs create tank/usr/src
    # zfs create tank/var
    # zfs create tank/var/cache
    # zfs create tank/var/cache/pkg
    # zfs create tank/var/crash
    # zfs create tank/var/db
    # zfs create tank/var/db/pkg
    # zfs create tank/var/empty
    # zfs create tank/var/log
    # zfs create tank/var/mail
    # zfs create tank/var/run
    # zfs create tank/var/tmp
    
    
  8. Install FreeBSD on the newly created ZFS pool:

    # cd /tank
    # unxz -c /root/base.txz | tar xvpf -
    # unxz -c /root/kernel.txz | tar xvpf -
    
  9. Load the keyfile at boot time:

    # echo geom_eli_load=\"YES\" >> /boot/loader.conf
    # echo geli_ada0_keyfile0_load=\"YES\" >> /boot/loader.conf
    # echo geli_ada0_keyfile0_type=\"ada0:geli_keyfile0\" >> /boot/loader.conf
    # echo geli_ada0_keyfile0_name=\"/root/ada0.key\" >> /boot/loader.conf
    # echo vfs.root.mountfrom=\"zfs:tank\" >> /boot/loader.conf
    
  10. Create fstab to mount encrypted harddisk and load swap drive

    # echo "/dev/ada0p1.eli none swap sw 0 0" >> /etc/fstab
    
  11. Set ZFS mountpoints:

    # zpool set bootfs=tank tank
    # zfs set mountpoint=/ tank
    # zfs set mountpoint=/tank/tmp tank/tmp
    # zfs set mountpoint=/tank/usr tank/usr
    # zfs set mountpoint=/tank/var tank/var
    
  12. Create rc.conf

    # echo zfs_enable=\"YES\" >> /etc/rc.conf
    
  13. Copy files to ZFS file system

    # cp /etc/rc.conf /tank/etc/rc.conf
    # cp /etc/fstab /tank/etc/fstab
    # cp /boot/loader.conf /tank/boot/loader.conf
    
  14. Reboot

    # reboot