Instantly share code, notes, and snippets.

Embed
What would you like to do?
Simple HOWTO of creation an encrypted ZFS pool under FreeBSD using geli + 256-bit AES-XTS encryption + a 4 kb random data partial key and a secondary passphrase (required to type on each boot).
root@rizzo ~$ uname -a
FreeBSD rizzo.heimdall.pl 9.1-RELEASE FreeBSD 9.1-RELEASE #0: Wed Mar 13 21:02:32 CET 2013 root@rizzo.heimdall.pl:/sys/amd64/compile/rizzo amd64
root@rizzo ~$ kldload opensolaris
root@rizzo ~$ kldload zfs
root@rizzo ~$ kldload geom_eli
root@rizzo ~$ gpart destroy -F da0
da0 destroyed
root@rizzo ~$ gpart create -s gpt da0
da0 created
root@rizzo ~$ gpart add -t freebsd-zfs -a 4096 da0
da0p1 added
root@rizzo ~$ mkdir /boot/encryption
root@rizzo ~$ dd if=/dev/random of=/boot/encryption/storage.key bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes transferred in 0.000111 secs (36945955 bytes/sec)
root@rizzo ~$ geli init -b -B /boot/da0p1.eli -e AES-XTS -K /boot/encryption/storage.key -l 256 -s 4096 /dev/da0p1
Enter new passphrase:
Reenter new passphrase:
Metadata backup can be found in /boot/da0p1.eli and
can be restored with the following command:
# geli restore /boot/da0p1.eli /dev/da0p1
root@rizzo ~$ geli attach -k /boot/encryption/storage.key /dev/da0p1
Enter passphrase:
root@rizzo ~$ zpool create storage /dev/da0p1.eli
root@rizzo ~$ zfs set mountpoint=/storage storage
root@rizzo ~$ zfs create storage/movies
root@rizzo ~$ zfs create storage/music
root@rizzo ~$ zfs create storage/others
root@rizzo ~$ zfs set mountpoint=/storage/movies storage/movies
root@rizzo ~$ zfs set mountpoint=/storage/music storage/music
root@rizzo ~$ zfs set mountpoint=/storage/others storage/others
root@rizzo ~$ echo 'zfs_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'aesni_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geom_eli_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_name="/boot/encryption/storage.key"' >> /boot/loader.conf
root@rizzo ~$ shutdown -r now
Done!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment