best solution for encrypting a mountpoint?
rsmith at xs4all.nl
Sun Aug 31 21:21:25 UTC 2014
On Sun, Aug 31, 2014 at 11:39:52AM -0400, Littlefield, Tyler wrote:
> Hello all:
> I would like to encrypt my /home directory. Is there a good solution for
> handling this? There is already a partition, so I'd like to unmount it
> and somehow set it up so that it will be encrypted.
The procedure to do this is as follows, assuming you want to use geli
encryption and a UFS filesystem. Note that geli encryption is currently not
suited for SSDs since it lacks TRIM support. And you cannot encrypt in situ
with gbde or geli.
* Make a backup of your data on /home, and verify it!
* Unmount /home
* The following steps should be run as root. Preferably with no other users
  logged in (since /home is unmounted).
* Fill the /home partition with pseudo-random garbage. This makes cryptanalysis
  harder but mostly ensures that no retrievable data is left. *This will
  destroy all data on the partition.* *Make sure you have a good backup!*.
  You should replace <home-partition> with the partition id of your /home.

    # dd if=/dev/random of=/dev/<home-partition> bs=1M

* Initialize the partition to use gbde or geli. I'm using geli in this

    # geli init -l 256 /dev/<home-partition>
    # geli attach /dev/<home-partition>

  Choose a strong passphrase.
* Now create a new filesystem on the encrypted device;

    # newfs -U /dev/<home-partition>.eli
    # mount /dev/<home-partition>.eli /home

* Change /etc/fstab to point to the new '.eli' device for the home partition.
* Finally you have to restore your data to the new /home filesystem.

When the system encounters encrypted devices in /etc/fstab on startup, it will
prompt you for the passphrase.
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93 FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
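
The fstab step above, as an added example that is not part of the original message: a POSIX sh helper that switches the /home entry to its `.eli` provider and leaves the file untouched when no single matching entry is found. The function names and the sample devices (`ada0p2` to `ada0p4`) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Device names are constructed.

# eli_fstab FSTAB MOUNTPOINT: print FSTAB with the device of MOUNTPOINT
# switched to its geli provider (<device>.eli). Returns 1 if no active
# entry exists for MOUNTPOINT, 2 if more than one does.
eli_fstab() {
    awk -v mp="$2" '
        /^[ \t]*(#|$)/ { print; next }      # comments and blank lines pass through
        $2 == mp {
            hits++
            if ($1 !~ /\.eli$/)             # already converted: leave alone
                sub(/^[ \t]*[^ \t]+/, $1 ".eli")
        }
        { print }
        END { if (hits == 0) exit 1; if (hits > 1) exit 2 }
    ' "$1"
}

# apply_eli_fstab FSTAB MOUNTPOINT: rewrite FSTAB in place, but only when
# the rewrite succeeded; the previous version is kept as FSTAB.bak.
apply_eli_fstab() {
    _tmp="$1.new.$$"
    if eli_fstab "$1" "$2" > "$_tmp"; then
        cp -p "$1" "$1.bak" && cat "$_tmp" > "$1" && rm -f "$_tmp"
    else
        _rc=$?
        rm -f "$_tmp"
        return "$_rc"
    fi
}

# Constructed sample in FreeBSD fstab layout.
sample_fstab() {
    cat <<'EOF'
# Device        Mountpoint  FStype  Options Dump  Pass#
/dev/ada0p2     /           ufs     rw      1     1
/dev/ada0p3     none        swap    sw      0     0
/dev/ada0p4     /home       ufs     rw      2     2
EOF
}

# Demo: runs on a temporary copy of the sample, never on /etc/fstab.
demo=$(mktemp) && sample_fstab > "$demo" && eli_fstab "$demo" /home
rm -f "$demo"
```

On a real system, `apply_eli_fstab /etc/fstab /home` would be run as root after the new filesystem has been created and mounted once by hand.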