FreeBSD 13 openzfs encrypted thumb drive

Playing around with the new OpenZFS encryption feature that comes standard with FreeBSD 13. You can now create your own encrypted USB thumb drive.


Get hold of a unused thumb drive and insert it on your freeBSD 13 system. Destroy the current partition table on the thumb drive and create a new partition table of type GPT.

Ensure you use the correct device id, use # dmesg and find the device id of your usb drive. Example below use drive id da0:

Code:
# gpart destroy -F da0

# gpart create –s gpt da0

# gpart show da0

=> 40 2015152 da0 GPT (984M)

     40 2015152 - free - (984M)

Add a new ZFS partition to the thumb drive and give it GPT label "thumb_drive":

Code:
# gpart add -t freebsd-zfs -l thumb_drive da0

da0p1 added

# gpart show -l da0

=> 40 2015152 da0 GPT (984M)

     40 2015152 1 thumb_drive (984M)

Create a new ZFS storage pool named "thumb_drive" on the thumb drive partition GPT labeled "thumb_drive":

Code:
# zpool create thumb_drive gpt/thumb_drive

# zfs list thumb_drive

NAME USED AVAIL REFER MOUNTPOINT

thumb_drive 372K 832M 96K /thumb_drive

Create a encrypted ZFS dataset named "secret" in ZFS storage pool "thumb_drive":

Code:
# zfs create -o encryption=on -o keyformat=passphrase thumb_drive/secret

Enter passphrase:

Re-enter passphrase:


# zfs get -p encryption,keystatus,keyformat,keylocation thumb_drive/secret

NAME PROPERTY VALUE SOURCE

thumb_drive /secret encryption aes-256-gcm -

thumb_drive /secret keystatus available -

thumb_drive /secret keyformat passphrase -

thumb_drive /secret keylocation prompt local

Copy files to the encrypted ZFS dataset (directory) then export the ZFS storage pool "thumb_drive" from the system:

Code:
# cp “secret_files” /thumb_drive/secret

# zpool export thumb_drive

On another FreeBSD 13 system import the thumb drive ZFS storage pool named "thumb_drive" including mount of encrypted datasets:

Code:
# zpool import –l thumb_drive

Enter passphrase for ‘thumb_drive/secret’:
 
Last edited:
Top