Simple HOWTO for creating an encrypted ZFS pool under FreeBSD using geli with 256-bit AES-XTS encryption, a 4 KiB random-data partial key file and a secondary passphrase (which must be typed on each boot). Because the key file is stored in plaintext under /boot and loaded by the loader, the passphrase is the factor that still protects the pool if the boot device is copied; both are required for geli to attach the provider.
root@rizzo ~$ uname -a
FreeBSD rizzo.heimdall.pl 9.1-RELEASE FreeBSD 9.1-RELEASE #0: Wed Mar 13 21:02:32 CET 2013 root@rizzo.heimdall.pl:/sys/amd64/compile/rizzo amd64
root@rizzo ~$ kldload opensolaris
root@rizzo ~$ kldload zfs
root@rizzo ~$ kldload geom_eli
root@rizzo ~$ gpart destroy -F da0
da0 destroyed
root@rizzo ~$ gpart create -s gpt da0
da0 created
root@rizzo ~$ gpart add -t freebsd-zfs -a 4096 da0
da0p1 added
root@rizzo ~$ mkdir /boot/encryption
root@rizzo ~$ dd if=/dev/random of=/boot/encryption/storage.key bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes transferred in 0.000111 secs (36945955 bytes/sec)
root@rizzo ~$ geli init -b -B /boot/da0p1.eli -e AES-XTS -K /boot/encryption/storage.key -l 256 -s 4096 /dev/da0p1
Enter new passphrase:
Reenter new passphrase:
Metadata backup can be found in /boot/da0p1.eli and
can be restored with the following command:
# geli restore /boot/da0p1.eli /dev/da0p1
root@rizzo ~$ geli attach -k /boot/encryption/storage.key /dev/da0p1
Enter passphrase:
root@rizzo ~$ zpool create storage /dev/da0p1.eli
root@rizzo ~$ zfs set mountpoint=/storage storage
root@rizzo ~$ zfs create storage/movies
root@rizzo ~$ zfs create storage/music
root@rizzo ~$ zfs create storage/others
root@rizzo ~$ zfs set mountpoint=/storage/movies storage/movies
root@rizzo ~$ zfs set mountpoint=/storage/music storage/music
root@rizzo ~$ zfs set mountpoint=/storage/others storage/others
root@rizzo ~$ echo 'zfs_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'aesni_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geom_eli_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_load="YES"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"' >> /boot/loader.conf
root@rizzo ~$ echo 'geli_da0p1_keyfile0_name="/boot/encryption/storage.key"' >> /boot/loader.conf
root@rizzo ~$ shutdown -r now
Done!