HOWTO: Encrypting Virtual Disks

I recently faced a problem where I wanted to encrypt partitions on which FreeBSD was already installed. The alternative to erasing all of your disks is to use Virtual Disks.

Create a virtual disk with a blocksize of 4096
Code:
% dd if=/dev/zero of=imageFile bs=4k count=<count of 4k blocks>

Create a file backed device
Code:
# mdconfig -a -t vnode -f imageFile -u 0

Now for the configuration of the geli(1) tool.

Fetch some random data to encrypt the master key with
Code:
# dd if=/dev/random of=/root/md0.key bs=64 count=1

Initialise the device with geli (you will be asked for a passphrase here)
Code:
# geli init -s 4096 -K /root/md0.key /dev/md0

Attach geli with the key to the newly created device
Code:
# geli attach -k /root/md0.key /dev/md0

This will create a device called /dev/md0.eli which is used in all future commands.

Create a new filesystem on the virtual disk
Code:
# newfs /dev/md0.eli

Mount the disk
Code:
# mount /dev/md0.eli <mountpoint>

Now you can use the disk, do whatever you want with it.

To securely unmount the device
Code:
# umount <mountpoint>
# geli detach md0.eli

To restore from your metadata backups, for example if you accidentally cleared the device with geli(1).
Code:
# geli restore /var/backups/md0.eli /dev/md0

Detach the memory disk completely from the system
Code:
# mdconfig -d -u 0

That's about it, with these simple commands you can create, encrypt and use a virtual memory disk.
For further reading about memory disks in FreeBSD please refer to Virtual Disks.
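The whole create-and-mount sequence above, combined into one script as an added example (it is not part of the original post): it picks a free md unit, refuses to overwrite an existing image, creates the key file with mode 0600 via umask, and tears everything down again if a step fails. The function names and the DRY_RUN switch are my own; with DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: create, encrypt and mount a new geli-backed memory disk in one go.
# Assumes FreeBSD with mdconfig(8), geli(8) and newfs(8). DRY_RUN=1 prints instead.
set -u

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Print the first N (0..$2, default 31) for which $1/mdN does not exist.
find_free_unit() {
    devdir=$1; max=${2:-31}; n=0
    while [ "$n" -le "$max" ]; do
        [ -e "$devdir/md$n" ] || { echo "$n"; return 0; }
        n=$((n + 1))
    done
    return 1
}

# create_image IMAGE BLOCKS_OF_4K KEYFILE MOUNTPOINT
create_image() {
    img=$1; blocks=$2; key=$3; mnt=$4
    case $blocks in ''|*[!0-9]*) echo "block count must be a number" >&2; return 2;; esac
    [ -e "$img" ] && { echo "$img exists, refusing to overwrite it" >&2; return 2; }
    unit=$(find_free_unit /dev) || { echo "no free md unit" >&2; return 1; }
    run dd if=/dev/zero of="$img" bs=4k count="$blocks" || return 1
    run mdconfig -a -t vnode -f "$img" -u "$unit" || return 1
    # key material is created with mode 0600; keep it off the image it protects
    (umask 077 && run dd if=/dev/random of="$key" bs=64 count=1) \
        && run geli init -s 4096 -K "$key" "/dev/md$unit" \
        && run geli attach -k "$key" "/dev/md$unit" \
        || { run mdconfig -d -u "$unit"; return 1; }
    run newfs "/dev/md$unit.eli" && run mount "/dev/md$unit.eli" "$mnt" && return 0
    # undo the attach and the md unit so a half-built image is not left behind
    run geli detach "md$unit.eli"; run mdconfig -d -u "$unit"; return 1
}

# when run as a script: createImage.sh image.bin 25600 /root/image.key /mnt/secret
if [ $# -eq 4 ]; then create_image "$@"; fi
```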

Here are two really simple shell scripts that will take care of mounting and unmounting the created memory disks:
mountImage.sh
Code:
#!/bin/sh
# Basic script to mount memory disks

mountImage()
{
	dev=$1
	dir=$2
	echo "mounting $dev at $dir"
	mount "$dev" "$dir"
}

echo "Give me the name of the image to mount"
read image

echo "Where to mount it?"
read mountDir

echo "Where is the geli key?"
read geliKey

baseDevice="/dev/md"
device=""

# get the first free minor number to mount it to
for minorNumber in 0 1 2 3 4 5 6 7 8 9 10
do
	# sh does not allow an empty then-branch, so test for absence directly
	if [ ! -e "$baseDevice$minorNumber" ]
	then
		device=$baseDevice$minorNumber
		echo "Found free device $device"
		break
	fi
done

# without this check the script would silently reuse the last device tried
if [ -z "$device" ]
then
	echo "No free md device found" >&2
	exit 1
fi

echo "Using $device to mount $image"

mdconfig -a -t vnode -f "$image" -u "$minorNumber"

exitStatus=$?
if [ $exitStatus -eq 0 ]
then
	echo "Created $device from $image"
	geli attach -k "$geliKey" "$device"
	if [ $? -eq 0 ]
	then
		mountImage "$device.eli" "$mountDir"
	fi
fi

and
umountImage.sh
Code:
#!/bin/sh

echo "What dir to unmount?"
read umountDir

echo "What device to detach with geli? (md0, md1, ...)"
read geliDevice

echo "What's its minor number? (0, 1, ...)"
read minor

# stop here if the filesystem is still busy; detaching underneath it would fail anyway
umount "$umountDir" || exit 1

device="/dev/$geliDevice.eli"

if [ -e "$device" ]
then
	geli detach "$device"

	mdconfig -d -u "$minor"
fi