Skip to content

Instantly share code, notes, and snippets.

@kiela kiela/ZFS_geli_freebsd
Last active Apr 2, 2018

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Simple HOWTO of creation an encrypted ZFS pool under FreeBSD using geli + 256-bit AES-XTS encryption + a 4 kb random data partial key and a secondary passphrase (required to type on each boot).
Raw
ZFS_geli_freebsd
root@rizzo ~$ uname -a
FreeBSD rizzo.heimdall.pl 9.1-RELEASE FreeBSD 9.1-RELEASE #0: Wed Mar 13 21:02:32 CET 2013 root@rizzo.heimdall.pl:/sys/amd64/compile/rizzo amd64
root@rizzo ~$ kldload opensolaris
root@rizzo ~$ kldload zfs
root@rizzo ~$ kldload geom_eli
root@rizzo ~$ gpart destroy -F da0
da0 destroyed
root@rizzo ~$ gpart create -s gpt da0
da0 created
root@rizzo ~$ gpart add -t freebsd-zfs -a 4096 da0
da0p1 added
root@rizzo ~$ mkdir /boot/encryption
root@rizzo ~$ dd if=/dev/random of=/boot/encryption/storage.key bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes transferred in 0.000111 secs (36945955 bytes/sec)
root@rizzo ~$ geli init -b -B /boot/da0p1.eli -e AES-XTS -K /boot/encryption/storage.key -l 256 -s 4096 /dev/da0p1
Enter new passphrase:
Reenter new passphrase:
Metadata backup can be found in /boot/da0p1.eli and
can be restored with the following command:
# geli restore /boot/da0p1.eli /dev/da0p1
root@rizzo ~$ geli attach -k /boot/encryption/storage.key /dev/da0p1
Enter passphrase:
root@rizzo ~$ zpool create storage /dev/da0p1.eli
root@rizzo ~$ zfs set mountpoint=/storage storage
root@rizzo ~$ zfs create storage/movies
root@rizzo ~$ zfs create storage/music
root@rizzo ~$ zfs create storage/others
root@rizzo ~$ zfs set mountpoint=/storage/movies storage/movies
root@rizzo ~$ zfs set mountpoint=/storage/music storage/music
root@rizzo ~$ zfs set mountpoint=/storage/others storage/others
root@rizzo ~$ echo 'zfs_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'aesni_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geom_eli_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_name="/boot/encryption/storage.key"' >> /boot/loader.conf
root@rizzo ~$ shutdown -r now
Done!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.