encryption

  1. S

    ZFS GELI password check

    I have the GELI key, but the associated pool (HDDs) is unavailable currently (physically). Can I check my password(s) with the keyfile only, without the encrypted media? If I know, the keyfile contains the keychain(s), protected by password(s). I would like to check this password, but without...
  2. V

    ZFS Problem with property keylocation=http://_address_ when creating an encrypted dataset

    Hello, I have to create an encrypted dataset, my configuration is as follows: freebsd-version -ukr 13.1-RELEASE-p3 13.1-RELEASE-p3 13.1-RELEASE-p5 zfs version zfs-2.1.4-FreeBSD_g52bad4f23 zfs-kmod-2.1.4-FreeBSD_g52bad4f23 and I would like the key to be on a remote server, for this and...
  3. C

    ZFS ZFS for encrypted home directory decrypted at login?

    I'd like to set up a FreeBSD installation with only my home directory encrypted. I've fiddled with GELI, and I'd like the machine to be one I can reboot remotely, so typing a password in at boot is a non-starter. I'm aware that it's possible to do an encrypted user directory that is...
  4. I

    ZFS What is the relevance of the "passphrase" (to create/generate the "master key") for ZFS encryption when it (the "passphrase") can be changed later?

    When we encrypt the ZFS disk (whole volume), we need to enter a "passphrase". However, a "master key" is created to encrypt the data. The "passphrase" is the key to unlock the "master key". So, we can change the "passphrase" later and the "master key" remains the same but will be secured by the...
  5. markmcb

    Other Auto-decrypt geli at boot with key, or fallback to password

    I'm looking to implement a way to optionally auto-decrypt a single drive system at boot. The flow would be like this: Install FreeBSD, one disk, use GELI encryption Login, create a key: /root/quick-boot-with-no-password.key Create a reboot/shutdown script that offers two options: reboot with...
  6. ulzeraj

    Solved net/samba413 encryption, security/gnutls on Aarch64

    Hello. It seems security/gnutls from ports and pkg are not making use of the AES acceleration features from the ARMv8 Cryptographic extensions. This makes Samba server encryption incredibly slow. I've observed this on a Mac M1 FreeBSD 13-RELEASE virtual machine and also a RockPro64 running...
  7. N

    Other can't enable LTO hardware encryption

    Does anyone have tape drive hardware encryption working on freebsd? I have an HP LTO-5 tape drive. Unencrypted read/writes and toggling compression with mt works, but enabling encryption doesn't. I compiled stenc, which does have ifdef's for freebsd sg, but no matter what I try I get either an...
  8. S

    Solved Encryption + ZFS (13.0)

    Hello, I've been using Debian Linux for some time, but I wanna give FreeBSD a try because I like some facts about it. :) I do the first steps in a VM for easy rollback, but after that I'll install it on the 2nd drive on my laptop. Because it's a laptop, full disc encryption is mandatory for me...
  9. H

    Solved Backup unencrypted datasets into encrypted datasets

    This is probably a trivial question, but I'm failing to figure it out myself after reading a lot of documentation. I've my laptop running an up-to-date 13.0-RELEASE, with zfs on top of geli. So, datasets are *not* encrypted, but encryption is done on the lower level. I've a single snapshot in...
  10. dave

    ZFS ZFS Version and Encryption

    I was trying to create an encrypted zfs filesystem today and I got an error, so I tried to check the version and that gives me an error as well. Am I missing something? % sudo zfs create -o compression=lz4 -o encryption=on -o mountpoint=/mnt/zusb-backup -o keyformat=raw -o...
  11. R

    ZFS Self Encrypting Drive (SED) support?

    Does FreeBSD 12.2-RELEASE support creating ZFS pools with Self Encrypting Drive (SED) hard drives? I am trying to source drives for a new NAS and am struggling to find non-SED drives. Searching the forum and googling I only found threads discussing the merits of SED, not whether it is actually...
  12. I

    How to change passphrase for encrypted ZFS disk?

    How to change passphrase for encrypted ZFS disk for FreeBSD 13? I saw this post, but "/boot/encryption.key" is not found. Do I change the passphrase by booting into the disk, or booting into the install-disk? And, if I boot into the install-disk, how do I mount the specific partition to change...
  13. Alain De Vos

    Encrypting a zfs zvol device with gbde

    Why would you encrypt a zfs zvol device with gbde? Because you can, and it is easy. 1. You stay away from system, boot & root partitions so you don't have boot problems. 2. Most private data is relatively small. And fits in one directory with subdirectories. Note: zfs allows encryption by itself but...
  14. A

    Auto-encrypting outgoing server monitoring emails

    Background: I set up a server with mail/ssmtp and sysutils/logwatch because I wanted to painlessly monitor system security. Logwatch sent me a nice email, pretty much out-of-the-box, but when I read it I realized that the information in the body is sensitive. So I asked myself: why not encrypt...
  15. N

    Solved Automount Encrypted ZFS

    Is there a reason, security or other, that rc.d/zfs script does not contain the -l and -u flags for mount and unmount respectively? Or alternatively a load-key -a before mount and unload-key -a after unmount (this is better for datasets that don't mount but have subsets that do) I double...
  16. B

    Solved System wide GELI encryption password change

    I've set up remote VPS systems with GELI disk encryption, including swap encryption, during FreeBSD 12.2 installation. I've locked down SSH quite securely too so I presume now when remoting in, security is reasonably assured. I want to address the possibility that within the VPS terminal's web...
  17. B

    PEFS Inside Jail, "Operation not Permitted"

    Made a post earlier about theoretical hidden directories attack vectors and PEFS. This is a simple question about a problem I'm having. Inside a jail. With allow.mount; and enforce_statfs="0"; in /etc/jail.conf, I am getting the error message root@jail:/home/user # ls -I test...
  18. I

    Solved What kind of encryption do you recommend?

    I am new to BSD. What I'd like to do is mirroring two SSDs and encrypting everything that is possible. I mean the entire OS and even the swap partition (I guess BSD has one too). As far as I understand as long as the motherboard does not support booting with encrypted disks I have to keep the...
  19. Petr Fischer

    Solved How to mount FreeBSD 12 GELI encrypted ZFS root manually?

    Hello! I have FreeBSD 12 installation with GELI encrypted ZFS root partition (created automatically from the installer). But now, my HW died and I need to import and mount the root filesystem as external disk. How can I mount this GELI encrypted ZFS root partition manually please? Note: In the...
  20. rigoletto@

    ETSI releases cryptographic standards for secure access control

    ETSI releases cryptographic standards for secure access control.