Solved ZFS Encrypted Volume to another FreeBSD

Hi Guys,

I need to create an encrypted volume, back it up and transfer it to another FreeBSD machine without SSH access.

I was successful in doing this, but I don't know if I did it the best way. If there is a better way, please let me know.

1 - First I create the zroot volume
$ zfs create -V 1g zroot/PrivateVolume

2 - Encrypt with GELI
$ geli init -s 4096 /dev/zvol/zroot/PrivateVolume

3 - Attach Volume
$ geli attach /dev/zvol/zroot/PrivateVolume

4 - Create UFS Filesystem on the Volume
$ newfs /dev/zvol/zroot/PrivateVolume.eli

5 - Mount Volume
$ mount /dev/zvol/zroot/PrivateVolume.eli /mnt/

6 - Move my Confidential Business files
$ cp anyConfidencial /mnt

7 - Unmount Volume
$ umount /mnt

8 - Detach Encrypted Volume
$ geli detach /dev/zvol/zroot/PrivateVolume

9 - Create a Backup of Volume
$ zfs send zroot/PrivateVolume > backup.private

On another FreeBSD Machine:
$ zfs create -V 1g zroot/PrivateVolume
$ zfs receive -F zroot/PrivateVol < backup.private

This works well, but does a better way exist? Something more practical and simple?

On macOS, I just create an encrypted volume through Disk Utility and set a password for the .img image created.
In FreeBSD it's a lot of steps.

Thanks,
Grether
 
macOS maybe does many steps under the hood. And in FreeBSD it is also one step if you put the separate steps in a script.
Question: Do you really need an encrypted volume?
Otherwise I would use an encrypted zfs on a non-encrypted volume.
Something like:
Code:
zfs create -o encryption=aes-256-gcm -o keyformat=passphrase -o keylocation=prompt ZT/encrypted3
 
You can also create a file and use mdconfig(8). Then you can have a geli encrypted file system within that file. That has been documented in the forum, maybe in the howto section. As far as I remember you can find it using the keywords veracrypt, container and geli.
 
but does a better way exist? Something more practical and simple?
If all those FreeBSD machines have OpenZFS you might want to look at its native encryption. It's simpler and has fewer steps than geli(8).

In short: zfs-create(8) an encrypted dataset, zfs-mount(8) the encrypted dataset (not necessarily immediately after creation), populate the dataset, zfs-unmount(8) the encrypted dataset, zfs-send(8) (-w, --raw) the encrypted dataset, zfs-receive(8) the encrypted dataset, then zfs-mount(8) and decrypt the dataset on the receiving machine with the same password as on the sending machine.

Or, if you are looking for a more comfortable way, similar to macOS encrypted .img files, then security/veracrypt could be an option. It's not officially supported, but you can even create a ZFS besides the supported UFS2 on the image.
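The native-encryption workflow that Alain's one-liner and T-Daemon's step list describe, collected into one sh script as an added example (this is not code from either post nor from the FreeBSD or OpenZFS projects). The dataset name zroot/private, the snapshot name backup and the output path /mnt/usb/private.zfs are assumptions; setting DRY_RUN=1 prints each privileged command instead of running it, so the sequence can be reviewed before it touches a pool.

```shell
#!/bin/sh
# Added example: OpenZFS native encryption, raw send to a file, receive elsewhere.
# Names below are placeholders, not values from the forum thread.
DATASET="${DATASET:-zroot/private}"     # assumed dataset name
SNAP="${SNAP:-backup}"                  # assumed snapshot name
OUT="${OUT:-/mnt/usb/private.zfs}"      # assumed path on the removable media

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Create the encrypted dataset. keylocation=prompt means the passphrase is
#    asked for interactively and is never written to disk by zfs itself.
create_encrypted() {
    run zfs create -o encryption=aes-256-gcm -o keyformat=passphrase \
        -o keylocation=prompt "$DATASET"
}

# 2. Unmount, snapshot, and send as a raw (-w) stream: the stream carries the
#    on-disk ciphertext, so the backup file never contains plaintext. The
#    sha256 beside it only detects accidental corruption of the copy.
send_raw() {
    run zfs unmount "$DATASET"
    run zfs snapshot "$DATASET@$SNAP"
    run sh -c "zfs send -w '$DATASET@$SNAP' > '$OUT'"
    run sh -c "sha256 -q '$OUT' > '$OUT.sha256'"
}

# 3. On the receiving machine: check the file, receive the raw stream (no need
#    to pre-create the dataset), then load the key with the same passphrase and
#    mount.
receive_raw() {
    run sh -c "sha256 -q '$OUT' | cmp - '$OUT.sha256'"
    run sh -c "zfs receive '$DATASET' < '$OUT'"
    run zfs load-key "$DATASET"
    run zfs mount "$DATASET"
}

# 4. Read back what was received instead of assuming it: encryption should be
#    aes-256-gcm and keystatus should be available.
verify_encrypted() {
    run zfs get -H -o property,value encryption,keystatus "$DATASET"
}

case "${1:-}" in
    create)  create_encrypted ;;
    send)    send_raw ;;
    receive) receive_raw; verify_encrypted ;;
    "")      : ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 create|send|receive" >&2; exit 64 ;;
esac
```

Run it as `sh private.sh create`, populate the dataset, then `sh private.sh send`, carry the file over, and `sh private.sh receive` on the other machine. The -w flag is what makes the no-SSH case safe: without it, zfs send of an encrypted dataset with its key loaded writes plaintext into the file. The receiving side cannot mount the dataset until zfs load-key has been given the passphrase, which is the same check the last step makes visible through keystatus.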
 
Thanks guys for the suggestions.
I think I can encrypt the volume with gbde, as suggested by Alain. Great article!

Thanks everyone (Alain, Chrbr, T-Daemon)!
 