Simple disk encryption for off-site backup

Michael Ross gmx at
Thu Feb 27 06:13:46 UTC 2014

On Thu, 27 Feb 2014 04:59:04 +0100, Polytropon <freebsd at> wrote:

> I'm planning to add a new disk next month to my home setup.
> It should be an external USB disk for off-site (really!)
> backup. That's why I would like to see the content encrypted.
> I have no problem with entering a long passphrase when mounting
> the disk for backup or restore operations, and probably I would
> not feel safe enough by just using keys (stored somewhere).
> The file system will be UFS, so there is no need to worry that
> some other OS or "Windows" would not be able to read it. :-)
> My question is: What is the _easiest_ mechanism to initialize
> a disk for encrypted use? It should work with FreeBSD 9 and 10
> in the first place.

I am using geli for that.

Copied from the man page:

      Initialize	a provider which is going to be	encrypted with a passphrase
      and random	data from a file on the	user's pen drive.  Use 4kB sector
      size.  Attach the provider, create	a file system, and mount it.  Do  
      work.  Unmount the	provider and detach it:

	   # dd	if=/dev/random of=/mnt/pendrive/da2.key	bs=64 count=1
	   # geli init -s 4096 -K /mnt/pendrive/da2.key	/dev/da2
	   Enter new passphrase:
	   Reenter new passphrase:
	   # geli attach -k /mnt/pendrive/da2.key /dev/da2
	   Enter passphrase:
	   # dd	if=/dev/random of=/dev/da2.eli bs=1m
	   # newfs /dev/da2.eli
	   # mount /dev/da2.eli	/mnt/secret
	   # umount /mnt/secret
	   # geli detach da2.eli



More information about the freebsd-questions mailing list