
Full disk encryption in FreeBSD & OpenBSD

2013-12-18

Live demo in BSD Now Episode 016. Originally written by TJ and Allan for bsdnow.tv | Last updated: 2015/02/07

NOTE: the author/maintainer of the tutorial(s) is no longer with the show, so the information below may be outdated or incorrect.

Protecting your data is very important. You can have the tightest network security in the world, but if someone gets physical access, it's all worthless. This tutorial will show you how to set up an encrypted installation of FreeBSD or OpenBSD, step by step.


FreeBSD < 10.0

For versions of FreeBSD prior to 10.0, the encryption process was a very "manual" one. That being said, it's still not very difficult. Boot the installer and follow along as usual. Once you get to the partitioning menu, choose "shell." This will allow you to manually configure the disk encryption before the OS is installed. You can adjust the partition sizes or choose to do MBR instead of GPT if you prefer, but that's a bit more involved.

To view a list of disk devices, run:

# sysctl kern.disks

This tutorial assumes you are starting with a blank disk. If you're serious about data security, you’ll want to be sure to destroy any data already on the disk before starting. We'll be using the first SATA disk - /dev/ada0 - for our installation.

Write the partition table:

# gpart create -s gpt ada0

Create three partitions. The first is for the boot record, the second is an unencrypted /boot partition (from which the kernel is loaded) and the third is the large encrypted partition for the rest of the OS and files.

# gpart add -t freebsd-boot -s 512k -a 4k ada0
# gpart add -t freebsd-ufs -l bootfs -s 1g -a 1m ada0
# gpart add -t freebsd-ufs -l encrypted -a 1m ada0

Next we need to install the bootcode:

# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

Here's where we actually encrypt the partition. If you want to use different settings than the default provides, consult the geli manpage. You can adjust the number of rounds, key size, algorithm, HMAC, etc.

# geli init -b -s 4096 ada0p3

Enter passphrase:
Reenter passphrase: 

Use a very strong passphrase! Next we attach the device.

# geli attach ada0p3

Enter passphrase:
cryptosoft0: <software crypto> on motherboard
GEOM_ELI: Device ada0p3.eli created
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: software

Our new encrypted pseudo-device is /dev/ada0p3.eli. Now we can format the two partitions.

# newfs -U /dev/ada0p2
# newfs -U /dev/ada0p3.eli

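Mount them and work around the unencrypted /boot: the boot files live on the unencrypted partition (mounted at /unenc), and /boot on the encrypted root is a symlink to them.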

# mount /dev/ada0p3.eli /mnt
# mkdir /mnt/unenc
# mount /dev/ada0p2 /mnt/unenc
# mkdir /mnt/unenc/boot 
# ln -s unenc/boot /mnt/boot

Next we must create the corresponding fstab for the system. The installer will write the fstab as part of the install.

# vi /tmp/bsdinstall_etc/fstab

In our example, it would look like this:

# Device        Mountpoint      FStype  Options      Dump    Pass#
/dev/ada0p2     /unenc          ufs     rw,noatime      1       1
/dev/ada0p3.eli /               ufs     rw,noatime      2       2

I added the "noatime" option for slightly better performance. Next, make the loader automatically load the kernel modules required for booting from an encrypted volume.

# vi /mnt/unenc/boot/loader.conf

Add the following:

geom_eli_load="YES"
vfs.root.mountfrom="ufs:ada0p3.eli"

If you have a CPU with AES-NI, be sure it's enabled in your BIOS settings and add this line to improve performance:

aesni_load="YES"

Return to the installation.

# exit

It should continue as normal. Once it finishes, reboot and...

Enter passphrase for ada0p3:

Done.
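
A mismatch between loader.conf and fstab only shows up as a failed boot, so the two files edited above can be checked against each other from the installer shell before typing "exit". The script below is an added example, not part of the original tutorial; the function names (conf_value, fstab_device, check_fde) are made up for illustration, and the sample files are constructed from the values used in this tutorial.

```sh
#!/bin/sh
# Added example, not part of the original tutorial.

# conf_value FILE KEY: print the last value assigned to KEY in loader.conf.
conf_value() {
    awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v) } END { print v }' "$1"
}

# fstab_device FILE MOUNTPOINT: print the device mounted at MOUNTPOINT.
fstab_device() {
    awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $1 }' "$1"
}

# check_fde LOADER_CONF FSTAB: print each problem; exit status = problem count.
check_fde() {
    bad=0
    [ "$(conf_value "$1" geom_eli_load)" = "YES" ] ||
        { echo "loader.conf: geom_eli_load is not YES"; bad=$((bad + 1)); }
    root=$(conf_value "$1" vfs.root.mountfrom)
    rootdev=${root#*:}; rootdev=${rootdev#/dev/}   # "ufs:ada0p3.eli" -> "ada0p3.eli"
    case $rootdev in
        *.eli) ;;
        *) echo "loader.conf: root '$root' is not a .eli device"; bad=$((bad + 1)) ;;
    esac
    fsroot=$(fstab_device "$2" /)
    [ "${fsroot#/dev/}" = "$rootdev" ] ||
        { echo "fstab: / is '$fsroot' but the loader mounts '$rootdev'"; bad=$((bad + 1)); }
    case $(fstab_device "$2" /unenc) in
        "")    echo "fstab: no /unenc entry for the boot partition"; bad=$((bad + 1)) ;;
        *.eli) echo "fstab: /unenc must stay unencrypted"; bad=$((bad + 1)) ;;
    esac
    return "$bad"
}

# Constructed sample files: the tutorial's values, plus a loader.conf that
# is missing the geom_eli_load line.
demo=$(mktemp -d)
printf '%s\n' 'geom_eli_load="YES"' 'vfs.root.mountfrom="ufs:ada0p3.eli"' \
    'aesni_load="YES"' > "$demo/loader.conf"
printf '%s\n' '# Device Mountpoint FStype Options Dump Pass#' \
    '/dev/ada0p2 /unenc ufs rw,noatime 1 1' \
    '/dev/ada0p3.eli / ufs rw,noatime 2 2' > "$demo/fstab"
printf '%s\n' 'vfs.root.mountfrom="ufs:ada0p3.eli"' > "$demo/loader.bad"

check_fde "$demo/loader.conf" "$demo/fstab" && echo "tutorial config: consistent"
check_fde "$demo/loader.bad" "$demo/fstab" || echo "broken config: $? problem(s)"
```

During a real install the arguments would be the files edited above, /mnt/unenc/boot/loader.conf and /tmp/bsdinstall_etc/fstab.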


OpenBSD

As of version 5.3, booting from encrypted volumes on OpenBSD has been fairly simple. Boot from the install media and choose "Shell" at the initial prompt. Start by initializing the disk:

# fdisk -iy wd0

This is assuming that wd0 is the drive you want to install to. Next up is creating a label for the disk.

# disklabel -E wd0

I'll add a 1GB swap partition and use the rest of the disk for our root filesystem. Keep in mind that the exact numbers you'll see will probably be different from the ones in my example. The string [in brackets] is the default, and you can override it by typing something else. For swap, all you need to do is:

> a b
offset: [64]
size [10474316] 1g
Rounding size to cylinder (16065 sectors): 2104451
FS type: [swap]:

Now for the rest of the disk. You'll need to adjust the following if that's not what you want. Be sure to change the FS type to "RAID" when you do this step.

> a a
offset: [2104515]
size: [8369865] *
FS type: [4.2BSD] RAID
> w
> q
No label changes.

Now we encrypt the "a" partition of the drive using the bioctl command. Be sure to replace the drive and partition names if you aren't using what I used.

# bioctl -c C -l /dev/wd0a softraid0

New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd0

Our new pseudo-device for installation is sd0, so we can now exit the shell and go back to the installer.

# exit

Press i for "Installation" and go through the process. It's pretty simple. The only thing you need to be aware of is that when it asks:

Which disk is the root disk? ('?' for details) [wd0] sd0

You'll use the encrypted pseudo-device sd0 instead of wd0. Soon you should see:

Use (W)hole disk or (E)dit the MBR? [whole]
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] c

I like doing a custom layout here. It's very similar to what we did before.

> a a
offset: [64]
size: [6265286] *
FS type: [4.2BSD]
mount point: [none] /
Rounding size to bsize (32 sectors): 6265280
> w
> q

Install the sets you want. Once the install is complete, you should be prompted to reboot the system. Before doing so, let's enable the swap and make a couple of performance-increasing changes.

# sed 's/rw/rw,softdep,noatime/g' /mnt/etc/fstab > /mnt/a
# echo '/dev/wd0b none swap sw 0 0' >> /mnt/a
# mv /mnt/a /mnt/etc/fstab

Don't worry about encrypting the swap partition. OpenBSD has done that by default since 2005. And now, finally we can...

# reboot

And you'll be asked for your passphrase on startup.

Using drive 0, partition 3.
Loading.....
probing: pc0 apm pci mem[639K 254M a20=on]
disk: hd0+ sr0*
>> OpenBSD/i386 BOOT 3.21
Passphrase:
boot> 

That's it!


FreeBSD ≥ 10.0

In FreeBSD 10, the encryption process became a lot easier than it was before. Instead of manually encrypting the disk and copying your files over to it, an encryption option was built into the installer. The downside is that it's only for ZFS. If you want to use UFS, you have to follow the same manual method as for 9.X.

The only difference is instead of doing:

# vi /mnt/unenc/boot/loader.conf

You will need to add the modules to loader.conf during the partitioning step like so:

# vi /tmp/bsdinstall_boot/loader.conf

Otherwise it will be overwritten and the system will fail to boot.

To set up FDE with ZFS in FreeBSD 10.0 and later versions, simply choose "ZFS" at the "Partitioning" menu and toggle the "Encrypt disks?" prompt with the enter key.

The installation will continue as normal and prompt you for a passphrase to use. Once it reboots...

Enter passphrase for ada0p3:

So easy!
