FreeBSD 13 openzfs encrypted thumb drive

petlib

Playing around with the new OpenZFS encryption feature that comes standard with FreeBSD 13. You can now create your own encrypted USB thumb drive.


Get hold of an unused thumb drive and insert it into your FreeBSD 13 system. Destroy the current partition table on the thumb drive and create a new partition table of type GPT.

Make sure you use the correct device ID: run # dmesg to find the device ID of your USB drive. The example below uses device ID da0:

Code:
# gpart destroy -F da0

# gpart create -s gpt da0

# gpart show da0
=>     40  2015152  da0  GPT  (984M)
       40  2015152       - free -  (984M)

Add a new ZFS partition to the thumb drive and give it GPT label "thumb_drive":

Code:
# gpart add -t freebsd-zfs -l thumb_drive da0
da0p1 added

# gpart show -l da0
=>     40  2015152  da0  GPT  (984M)
       40  2015152    1  thumb_drive  (984M)

Create a new ZFS storage pool named "thumb_drive" on the thumb drive partition GPT labeled "thumb_drive":

Code:
# zpool create thumb_drive gpt/thumb_drive

# zfs list thumb_drive
NAME          USED  AVAIL  REFER  MOUNTPOINT
thumb_drive   372K   832M    96K  /thumb_drive

Create an encrypted ZFS dataset named "secret" in ZFS storage pool "thumb_drive":

Code:
# zfs create -o encryption=on -o keyformat=passphrase thumb_drive/secret
Enter passphrase:
Re-enter passphrase:

# zfs get -p encryption,keystatus,keyformat,keylocation thumb_drive/secret
NAME                PROPERTY     VALUE        SOURCE
thumb_drive/secret  encryption   aes-256-gcm  -
thumb_drive/secret  keystatus    available    -
thumb_drive/secret  keyformat    passphrase   -
thumb_drive/secret  keylocation  prompt       local

Copy files to the encrypted ZFS dataset (directory) then export the ZFS storage pool "thumb_drive" from the system:

Code:
# cp "secret_files" /thumb_drive/secret

# zpool export thumb_drive

On another FreeBSD 13 system, import the thumb drive ZFS storage pool named "thumb_drive" and mount its encrypted datasets:

Code:
# zpool import -l thumb_drive
Enter passphrase for 'thumb_drive/secret':
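
Added example, not part of the original post: in the steps above only thumb_drive/secret is encrypted, while the pool root dataset thumb_drive is not, so if the pool is imported without the key loaded, files copied to /thumb_drive/secret are written to the unencrypted pool root instead. The sh functions below check the dataset's live properties before copying; the names check_props, safe_copy and sample_* are hypothetical, and the sample property lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# check_props reads `zfs get -H -o property,value ...` output on stdin
# (tab-separated "property<TAB>value" lines) and returns:
#   0 = encrypted, key loaded, mounted   1 = encryption off
#   2 = key not loaded                   3 = dataset not mounted
check_props() {
    enc="" key="" mnt=""
    tab=$(printf '\t')
    while IFS="$tab" read -r prop value; do
        case "$prop" in
            encryption) enc=$value ;;
            keystatus)  key=$value ;;
            mounted)    mnt=$value ;;
        esac
    done
    case "$enc" in
        ""|off) echo "refuse: encryption is off"; return 1 ;;
    esac
    [ "$key" = "available" ] || { echo "refuse: key not loaded ($key)"; return 2; }
    [ "$mnt" = "yes" ] || { echo "refuse: dataset not mounted"; return 3; }
    echo "ok: $enc, key loaded, mounted"
}

# safe_copy DATASET FILE...: copy only if the live properties pass the check.
# Example: safe_copy thumb_drive/secret secret_files
safe_copy() {
    ds=$1; shift
    zfs get -H -o property,value encryption,keystatus,mounted "$ds" \
        | check_props || return 1
    dest=$(zfs get -H -o value mountpoint "$ds") || return 1
    cp -- "$@" "$dest"/
}

# Constructed sample inputs for check_props (not real command output).
sample_unlocked()  { printf 'encryption\taes-256-gcm\nkeystatus\tavailable\nmounted\tyes\n'; }
sample_locked()    { printf 'encryption\taes-256-gcm\nkeystatus\tunavailable\nmounted\tno\n'; }
sample_pool_root() { printf 'encryption\toff\nkeystatus\t-\nmounted\tyes\n'; }
```

Running `sample_locked | check_props` shows the refusal you would get after a plain `zpool import thumb_drive` without `-l`.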
 