geli on exisitng laptop

Geoff Fritz gfritz at
Wed Apr 8 10:12:53 PDT 2009

On Wed, Apr 08, 2009 at 07:06:27AM -0700, new_guy wrote:
> Hi guys,
> I'd like to use geli to whole disk encrypt a FreeBSD 7.1 laptop I already
> have setup. The laptop is up and working fine and I don't want to screw it
> up. It have the default partition layout. I've already used geli to encrypt
> the swap partition. 
> The default partitioning at install creates / /tmp /usr and /var. I thought
> I would start with /tmp as I should be able to fix that if I mess up. 
> Some questions...
> 1. Will each partition have to be mounted with a password?

If you plan on converting existing partitions to geli-backed, then each
one will require its own initialization.  It's up to you on whether or not
you wish to use the same password/keyfile -- or different ones -- for each.

I personally experiment with geli all the time, and for convenience, I have
my primary drive prompt for a passord at boot time.  Under my encrypted drive,
I use key files without password to mount other devices.

>From my rc.conf file:
geli_ad3_flags="-p -k /etc/geli/ad3.key"

(then the appropriate entry for ad3.eli in my fstab)

This would probably be unnacceptable to those who wear tin-foil hats and
think the NSA is out to get them, but it sure beats typing in a high-entropy
password for each and every device/partition in your system.

One potential gotchya: If you your primary device gets hosed (hardware failure,
lost password, corruption), then you won't be able to access the other devices
since you can't get access to your keys.  I *strongly* suggest that you back
up your key file(s) -- I keep 2, one on the USB stick that I use to boot my
machine, and one on a webmail account (both gpg-encrypted, of course).

Don't forget to encrypt swap (described in the handbook, I think).

> 2. What's the most straight-forward way to go about this without screwing
> up?

For someone new to this, it would be far easier to start from scratch.
However, in your case, I suggest that you free up a partition to start with
(/tmp comes to mind here).  Experiment with a few "geli init" incantations
in order to get it to prompt for a password at boot time, and then mount the
device.  Mount it under something like /root2 or /newroot.  Then, copy your
entire content of / over to the new mountpoint (use tar or rsync, and don't
forget to exclude other devices).

Once you have that mounting at boot and synced up, you can change the /
entry in your current /etc/fstab (make sure the new fstab is correct for
the new mounts, too).

You system will start booting, and you'll be prompted for a password to
unlock the new encrypted device.  Then, it'll mount / (the new encrytped
device), and once that happens, the old / will be essentially ignored
since the new one will be mounted over it, so the new fstab and directory
structure will assume control.

Once that is working, you can migrate other partitions over, one at a time,
until all required devices are encrypted.  If you don't want to be prompted
for passwords for these other devices, you should use keys instead of
passwords and use the rc.conf method I mentioned above.

Personally, I'd add a 2nd drive, encrypt it wholesale (ad0.eli), then
partition that device in whatever way you wish (/dev/ad0.elia,
/dev/ad0.elib, etc. by way of "bsdlabel -w ad0.eli ; bsdlabel -e ad0.eli").
Then mount those partitions under a /newroot tree, then rsync your entire
filesystem tree over to that, then switch your fstab to point to the new root.
(again, don't forget to correctly edit the *new* fstab after you sync, or
you'l be hating life as you try to fix the mess from the boot loader prompt
or a recovery disk).

Moving everything back to your newly-encrypted old drive will be more

I cut my geli teeth on the following docs:

There appear to be quite a few more decent tutorials online these days.
Just google "freebsd geli encryption".

The good news is that many of the methods used for crypto (loading modules from
/boot/loader.conf) can be applied to things having gjournal or ZFS running
on your root device.  In fact, I've run ZFS over geli, and I currently use
gjournal over geli.  Both work very well.

Good luck.

-- Geoff

More information about the freebsd-questions mailing list