  1. U

    Solved Creating an encrypted ZFS volume with a keyfile?

    Hi all, I am trying to create an encrypted zfs volume that will be auto-mounted using a keyfile. According to online information this should be possible with the following command: zfs create -o mountpoint=/home/ -o encryption=on -o keysource=raw,file:///usr/local/homekey disk/home However...
  2. M

    ZFS zfs sharenfs property ignored when mounting encrypted datasets

    Hi, I'm on 14.0-RELEASE and wondering if that is intended behaviour. I have an encrypted dataset with "sharenfs" property set (and indeed intent to share once mounted) but after loading the key and mounting, the dataset is not automatically exported (/etc/zfs/exports is empty) so I have to issue...
  3. L

    Is full disk encryption with UFS possible?

    I'm sure you are going to say "YES" but please not so fast. 1. When installing FreeBSD 14.0, I am offered the choice between ZFS and UFS. If I select ZFS, the option to encrypt is there, very clear, impossible to miss. If I select UFS though, encryption is never mentioned at all. Does FreeBSD...
  4. DtxdF

    Using geli(8) with AppJail

    geli(8) is one of the most powerful block device-layer disk encryption systems available in FreeBSD, which protects our data against cold storage attacks. geli(8) encrypts our data so that a skilled intruder cannot see sensitive documents, or modify our data without us noticing that a...
  5. I

    Other Is it possible to have my TPM decrypt my GELI drive?

    Similar to how BitLocker and LUKS partitions can be unlocked by the TPM. I was able to do it on my Debian system by adding an additional LUKS key and saving it in my TPM and when the system starts up, it asks for it from the TPM (my extremely basic understanding of it).
  6. I

    Intel’s Total Memory Encryption

    Is Intel’s Total Memory Encryption (Multi-Key) feature supported in FreeBSD? And if so, how to enable it?
  7. monaco87

    ZFS ZFS dataset encryption and AES-NI

    Hi, Is there any way to verify that my native encryption ZFS datasets are benefiting from CPU AES-NI support? I can't see anything in dmesg regarding CPU capabilities, though installed processor is Intel Xeon CPU E5-2620 v4 which supports AES-NI instructions. Thanks
  8. skyenosaur

    Other Encrypted RAID1 does not mount as expected

    Hello my new friends, it’s me again, I am now on day 3 of FreeBSD and I have almost set up all the important bits. I set up a RAID1 for my 2 disks that hold my home directory per the handbook, and then set up a geli partition on that mirror device as described in the handbook, and then I put...
  9. rwv37

    Replace a drive having a partition in a ZFS pool - how do I deal with the REST of the drive?

    I have a 13.2-RELEASE-p4 machine with four hard drives. They are all partitioned just like this one: # gpart show ada0 => 40 35156656048 ada0 GPT (16T) 40 532480 1 efi (260M) 532520 2008 - free - (1.0M) 534528 33554432 2...
  10. Sparkee

    encrypt NFS in transit

    Has anyone worked on encrypting NFS via transit? Goal: have the traffic between the NFS server and client encrypted.
  11. S

    ZFS GELI password check

    I have the GELI key, but the associated pool (HDDs) is unavailable currently (physically). Can I check my password(s) with the keyfile only, without the encrypted media? If I know, the keyfile contains the keychain(s), protected by password(s). I would like to check this password, but without...
  12. V

    ZFS Problem with property keylocation=http://_address_ when creating an encrypted dataset

    Hello, I have to create an encrypted dataset, my configuration is as follows: freebsd-version -ukr 13.1-RELEASE-p3 13.1-RELEASE-p3 13.1-RELEASE-p5 zfs version zfs-2.1.4-FreeBSD_g52bad4f23 zfs-kmod-2.1.4-FreeBSD_g52bad4f23 and I would like the key to be on a remote server, for this and...
  13. C

    ZFS ZFS for encrypted home directory decrypted at login?

    I'd like to set up a FreeBSD installation with only my home directory encrypted. I've fiddled with GELI, and I'd like the machine to be one I can reboot remotely, so typing a password in at boot is a non-starter. I'm aware that it's possible to do an encrypted user directory that is...
  14. I

    ZFS What is the relevance of the "passphrase" (to create/generate the "master key") for ZFS encryption when it (the "passphrase") can be changed later?

    When we encrypt the ZFS disk (whole volume), we need to enter a "passphrase". However, a "master key" is created to encrypt the data. The "passphrase" is the key to unlock the "master key". So, we can change the "passphrase" later and the "master key" remains the same but will be secured by the...
  15. markmcb

    Other Auto-decrypt geli at boot with key, or fallback to password

    I'm looking to implement a way to optionally auto-decrypt a single drive system at boot. The flow would be like this: Install FreeBSD, one disk, use GELI encryption Login, create a key: /root/quick-boot-with-no-password.key Create a reboot/shutdown script that offers two options: reboot with...
  16. ulzeraj

    Solved net/samba413 encryption, security/gnutls on Aarch64

    Hello. It seems security/gnutls from ports and pkg are not making use of the AES acceleration features from the ARMv8 Cryptographic extensions. This makes Samba server encryption incredibly slow. I've observed this on a Mac M1 FreeBSD 13-RELEASE virtual machine and also a RockPro64 running...
  17. N

    Other can't enable LTO hardware encryption

    Does anyone have tape drive hardware encryption working on freebsd? I have an HP LTO-5 tape drive. Unencrypted read/writes and toggling compression with mt works, but enabling encryption doesn't. I compiled stenc, which does have ifdef's for freebsd sg, but no matter what I try I get either an...
  18. S

    Solved Encryption + ZFS (13.0)

    Hello, I've been using Debian Linux for some time, but I wanna give FreeBSD a try because I like some facts about it. :) I do the first steps in a VM for easy rollback, but after that I'll install it on the 2nd drive on my laptop. Because it's a laptop, full disc encryption is mandatory for me...
  19. H

    Solved Backup unencrypted datasets into encrypted datasets

    This is probably a trivial question, but I'm failing to figure it out myself after reading a lot of documentation. I've my laptop running an up-to-date 13.0-RELEASE, with zfs on top of geli. So, datasets are *not* encrypted, but encryption is done on the lower level. I've a single snapshot in...
  20. dave

    ZFS ZFS Version and Encryption

    I was trying to create an encrypted zfs filesystem today and I got an error, so I tried to check the version and that gives me an error as well. Am I missing something? % sudo zfs create -o compression=lz4 -o encryption=on -o mountpoint=/mnt/zusb-backup -o keyformat=raw -o...