Sometimes you need to encrypt your home (and maybe swap) partition so that it
is not available until you enter a password and/or supply a key. For example,
your company may hold valuable data/documents that must be protected from
thieves. Another case is the encryption of laptop/notebook computers, which
are often lost or stolen.
The downside of doing this is a decrease in the performance of your system.
This tutorial is about encrypting the home partition of a FreeBSD server or
desktop using GELI.
Warning! Before trying this tutorial, back up your data. We are
not responsible for your lost data.
Note. If you really are into security you should also consider encrypting the
swap partition.
Step 1. Install FreeBSD, creating a dedicated home partition
------------------------------------------------------------
Install FreeBSD the standard (usual) way, but also create a dedicated partition
for /home.
You will then have, for example:
/dev/ad0s1a / (root partition)
/dev/ad0s1b swap (swap partition)
/dev/ad0s1d /var (var partition)
/dev/ad0s1e /tmp (tmp partition)
/dev/ad0s1f /home (home partition)
/dev/ad0s1g /usr (/usr partition)
Note that ad0s1f is the home partition we will encrypt. If your system is
already installed without a separate home partition, you can still create one
if you have enough free space on your hard drive, or you can use a second hard
drive for your /home partition. In either case, if you reuse an already existing
home partition, back up the data on it first, because it will be lost.
Step 2. Compile FreeBSD kernel with GELI support
--------------------------------------------------
Go to your kernel configuration directory and add the lines that enable GELI support:
cd /usr/src/sys/i386/conf/
cp GENERIC SERVER
edit SERVER
and add the following lines:
options GEOM_ELI
device crypto
After that, recompile and install the kernel:
cd /usr/src
make -j4 buildkernel KERNCONF=SERVER
make installkernel KERNCONF=SERVER
At this point the kernel is compiled and installed with GELI support. We will
not reboot the machine yet; the next steps contain other configuration that
also requires a reboot, so we will do that later.
If you do not want to recompile the kernel, you can instead load the GELI module
at boot by adding the following line to your /boot/loader.conf
(add it only if you do not recompile the FreeBSD kernel):
geom_eli_load="YES"
Step 3. Create a key for your home partition
--------------------------------------------
We will create a directory /etc/geli where we will store our key. Then we will
create a random key, read from /dev/random, that will be used for encryption.
Keep the key file readable only by root: together with the passphrase, it is
what unlocks the partition.
mkdir /etc/geli
dd if=/dev/random of=/etc/geli/server.key bs=64 count=1
Step 4. Encrypt partition and create filesystem for it
----------------------------------------------------
Now back up the /home partition and then unmount it:
umount /dev/ad0s1f
If you get a "device busy" error message, use:
umount -f /dev/ad0s1f
Next we initialize the partition for GELI encryption and attach it using the
server.key file from the /etc/geli directory.
You will be prompted for a passphrase; enter your passphrase there:
geli init -l 256 -K /etc/geli/server.key /dev/ad0s1f
(note that -l 256 selects a 256-bit key length)
geli attach -k /etc/geli/server.key /dev/ad0s1f
(you will use the passphrase you set when you initialized the partition with
geli init)
After this you have an encrypted partition.
If you want to wipe all previous information before creating the file system
on the encrypted partition with newfs, you can use the following command:
dd if=/dev/random of=/dev/ad0s1f.eli bs=1m
(Note that wiping all the data takes a long time. If you do not need to wipe
the previous data, this can be skipped.)
We will now create a FreeBSD file system on our newly encrypted partition:
newfs /dev/ad0s1f.eli
(Note that after attaching the encrypted partition you can check that the
process went OK by looking for the .eli suffix on the partition you attached,
using: ls -la /dev/ad0s1f* )
Now we can mount our newly created partition:
mount /dev/ad0s1f.eli /home
After successfully creating and mounting the encrypted /home partition we can
restore the /home data by copying all files/directories from the backup to the
new /home.
Step 5. Setup /boot/loader.conf parameters for boot time encryption setup
--------------------------------------------------------------------------------------
Edit the /boot/loader.conf file:
edit /boot/loader.conf
and add the following lines:
geli_ad0s1f_keyfile0_load="YES"
geli_ad0s1f_keyfile0_type="ad0s1f:geli_keyfile0"
geli_ad0s1f_keyfile0_name="/etc/geli/server.key"
and save loader.conf.
Step 6. Setup /etc/rc.conf GELI parameters
--------------------------------------------------
Edit the /etc/rc.conf file (edit /etc/rc.conf) and add the following lines.
These are the variables the /etc/rc.d/geli script reads at boot: geli_devices
lists the providers to attach, and geli_ad0s1f_flags holds the options passed
to geli attach, here the key file:
geli_devices="ad0s1f"
geli_ad0s1f_flags="-k /etc/geli/server.key"
Step 7. Add a /etc/fstab entry for your encrypted partition
----------------------------------------------------------
Edit the /etc/fstab file (edit /etc/fstab) and add the following line:
/dev/ad0s1f.eli  /home  ufs  rw  2  2
If there is already a line that mounts /home, remove it.
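Before rebooting it is worth checking what Steps 3, 6 and 7 left behind, because a mistake in any one of those files (a misspelled device name, a key file everyone can read, a leftover fstab line for the plain device) only shows up as a failed boot or a weakened setup. The script below is an added example and is not part of the original tutorial. It checks that the key file is exactly the 64 bytes the dd command above creates and is mode 0600, that /etc/rc.conf carries the geli_devices and geli_<provider>_flags variables that /etc/rc.d/geli reads, with the flags pointing at the key file, and that /etc/fstab mounts the .eli device on /home and no longer lists the plain device. The provider name, key path and file paths are arguments, so it can be run against copies of the files; ad0s1f and /etc/geli/server.key follow the tutorial's names, and the script name geli-precheck.sh is my own.

```shell
#!/bin/sh
# geli-precheck.sh: sanity checks for a GELI-encrypted /home before rebooting.
# Added example, not part of the original tutorial. It only reads files, so it
# is safe to run on the live system or against copies of the config files.
# Usage: sh geli-precheck.sh PROVIDER KEYFILE RC_CONF FSTAB
#   e.g. sh geli-precheck.sh ad0s1f /etc/geli/server.key /etc/rc.conf /etc/fstab
# Each check prints a reason and returns 1 on failure, and returns 0 on success.
# Provider names are assumed to be plain device names such as ad0s1f (no slashes).

# Key file: must exist, be the 64 bytes the tutorial's dd creates, and be
# readable only by its owner. A world-readable key file hands out half of what
# is needed to attach the provider. (Ownership by root is not checked here.)
check_keyfile() {
    key="$1"
    [ -f "$key" ] || { echo "key file $key does not exist"; return 1; }
    size=$(wc -c < "$key" | tr -d ' ')
    [ "$size" -eq 64 ] || { echo "key file $key is $size bytes, expected 64"; return 1; }
    # find -perm with a plain mode matches that exact mode on both GNU and BSD find
    [ -n "$(find "$key" -maxdepth 0 -perm 0600)" ] \
        || { echo "key file $key is not mode 0600 (chmod 0600 it)"; return 1; }
    return 0
}

# rc.conf: /etc/rc.d/geli attaches every provider listed in geli_devices and
# passes geli_<provider>_flags to "geli attach", so "-k KEYFILE" must be there.
check_rc_conf() {
    rc="$1"; prov="$2"; key="$3"
    devices=$(sed -n 's/^geli_devices="\(.*\)"/\1/p' "$rc")
    case " $devices " in
        *" $prov "*) ;;
        *) echo "$prov is not listed in geli_devices in $rc"; return 1 ;;
    esac
    flags=$(sed -n "s/^geli_${prov}_flags=\"\(.*\)\"/\1/p" "$rc")
    case "$flags" in
        *"-k $key"*) ;;
        *) echo "geli_${prov}_flags in $rc does not contain -k $key"; return 1 ;;
    esac
    return 0
}

# fstab: /home must come from the decrypted .eli device, and the plain device
# must be gone, otherwise boot tries to fsck and mount the raw ciphertext.
check_fstab() {
    fstab="$1"; prov="$2"
    grep -Eq "^/dev/${prov}\.eli[[:space:]]+/home[[:space:]]" "$fstab" \
        || { echo "/dev/${prov}.eli is not mounted on /home in $fstab"; return 1; }
    if grep -Eq "^/dev/${prov}[[:space:]]" "$fstab"; then
        echo "plain /dev/${prov} is still listed in $fstab"; return 1
    fi
    return 0
}

# Run all checks, report each one, and return 1 if any of them failed.
check_all() {
    prov="$1"; key="$2"; rc="$3"; fstab="$4"; status=0
    if msg=$(check_keyfile "$key"); then echo "ok   key file"; else echo "FAIL $msg"; status=1; fi
    if msg=$(check_rc_conf "$rc" "$prov" "$key"); then echo "ok   rc.conf"; else echo "FAIL $msg"; status=1; fi
    if msg=$(check_fstab "$fstab" "$prov"); then echo "ok   fstab"; else echo "FAIL $msg"; status=1; fi
    return $status
}

if [ "$#" -eq 4 ]; then
    check_all "$1" "$2" "$3" "$4"
fi
```

Run it as root so the key file can be read. The checks are deliberately strict about the exact mode and byte count: a key file that was copied with a looser umask, or truncated by an interrupted dd, passes a casual "ls -la" but fails here.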
Step 8. Reboot your machine and test the setup
------------------------------------------------
After the reboot, once the FreeBSD kernel has booted you will be prompted for a
passphrase. Enter the passphrase you set when you initialized the /home
partition; if everything is set up correctly, the boot process will finish by
mounting all partitions, including the encrypted /home partition.
Friday, February 15, 2008
Encrypt Your FreeBSD Home Partition