best solution for encrypting a mountpoint?

Roland Smith rsmith at xs4all.nl
Sun Aug 31 21:21:25 UTC 2014


On Sun, Aug 31, 2014 at 11:39:52AM -0400, Littlefield, Tyler wrote:
> Hello all:
> I would like to encrypt my /home directory. Is there a good solution for 
> handling this? There is already a partition, so I'd like to unmount it 
> and somehow set it up so that it will be encrypted.

The procedure to do this is as follows, assuming you want to use geli
encryption and a UFS filesystem. Note that geli encryption is currently not
suited for SSDs since it lacks TRIM support. And you cannot encrypt in situ
with gbde or geli.

* Make a backup of your data on /home, and verify it!
* Unmount /home
* The following steps should be run as root. Preferably with no other users
  logged in (since /home is unmounted).
* Fill the /home partition with pseudo-random garbage. This makes cryptanalysis
  harder but mostly ensures that no retrievable data is left. *This will
  destroy all data on the partition.* *Make sure you have a good backup!*
  You should replace <home-partition> with the partition id of your /home.

    # dd if=/dev/random of=/dev/<home-partition> bs=1M

* Initialize the partition to use gbde or geli. I'm using geli in this
  example:

    # geli init -l 256 /dev/<home-partition>
    # geli attach /dev/<home-partition>

  Choose a strong passphrase.

* Now create a new filesystem on the encrypted device:

    # newfs -U /dev/<home-partition>.eli
    # mount /dev/<home-partition>.eli /home

* Change /etc/fstab to point to the new '.eli' device for the home partition.
* Finally you have to restore your data to the new /home filesystem.

When the system encounters encrypted devices in /etc/fstab on startup, it will
prompt you for the passphrase.

Roland
-- 
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93  FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
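The procedure above as a POSIX sh script, added here as an example; it is not Roland's own code. It assumes FreeBSD with geli(8), newfs(8) and dd(1), a UFS /home on a partition named like ada0p4 or gpt/home, and it defaults to DRY_RUN=1 so it only prints the commands. The partition-name check, the refusal to touch a still-mounted device, and the fstab rewrite helper are this example's additions, not steps from the mail.

```shell
#!/bin/sh
# Added example, not Roland's script: the geli steps from the mail wrapped in
# a dry-run-capable sh script with a few sanity checks.
# Assumptions: FreeBSD with geli(8), newfs(8), dd(1); /home is a UFS partition
# named like ada0p4, da1s1d or gpt/home. DRY_RUN=1 (the default) prints the
# commands instead of running them, so nothing is destroyed by accident.

DRY_RUN="${DRY_RUN:-1}"
KEYLEN=256   # key length in bits passed to geli init -l, as in the mail

# run CMD...: execute the command, or print it with a leading '#' when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '# %s\n' "$*"; else "$@"; fi
}

# valid_partition NAME: accept a bare partition (ada0p4, da1s1d) or a GPT
# label (gpt/home); reject full paths, whole disks (ada0) and anything else,
# so a typo cannot send dd(1) at the wrong device.
valid_partition() {
    case "$1" in
        ""|*[!a-z0-9/]*) return 1 ;;
        gpt/*) [ -n "${1#gpt/}" ] && [ "${1#gpt/}" = "${1##*/}" ] ;;
        */*) return 1 ;;
        *[0-9]p[0-9]*|*[0-9]s[0-9]*[a-h]) return 0 ;;
        *) return 1 ;;
    esac
}

# fstab_line NAME: the /etc/fstab entry for the attached .eli provider.
fstab_line() {
    printf '/dev/%s.eli\t/home\tufs\trw\t2\t2\n' "$1"
}

# update_fstab FILE NAME: point the existing /dev/NAME line at /dev/NAME.eli.
# Run it on a copy of /etc/fstab first and diff before installing the result.
update_fstab() {
    file=$1; dev=$2
    if ! grep -q "^/dev/$dev[[:space:]]" "$file"; then
        echo "no entry for /dev/$dev in $file" >&2; return 1
    fi
    sed "s|^/dev/$dev\([[:space:]]\)|/dev/$dev.eli\1|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# encrypt_home NAME: the steps from the mail, in order. Refuses a bad name and
# a device that is still mounted (back up and umount /home first!).
encrypt_home() {
    dev=$1
    valid_partition "$dev" || { echo "refusing: bad partition name '$dev'" >&2; return 1; }
    if command -v mount >/dev/null 2>&1 && mount | grep -q "^/dev/$dev on "; then
        echo "refusing: /dev/$dev is still mounted; umount it first" >&2; return 1
    fi
    run dd if=/dev/random of="/dev/$dev" bs=1m   # overwrites: destroys all data
    run geli init -l "$KEYLEN" "/dev/$dev"       # prompts for the passphrase
    run geli attach "/dev/$dev"                   # prompts again, creates NAME.eli
    run newfs -U "/dev/$dev.eli"
    run mount "/dev/$dev.eli" /home
    printf 'replace the old /home line in /etc/fstab with:\n'
    fstab_line "$dev"
}

# Usage: DRY_RUN=0 sh encrypt-home.sh ada0p4   (as root, /home unmounted)
if [ -n "${1:-}" ]; then encrypt_home "$1"; fi
```

Run it once with the default DRY_RUN=1 to review the printed plan, then with DRY_RUN=0 as root and no other users logged in. Both geli init and geli attach prompt for the passphrase; after the fstab line is in place, the boot-time prompt described in the mail takes over.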