GELI is a cryptographic GEOM class that can be used to encrypt either one partition (file) or a whole disk, so your data stays safe even if the computer and/or disk is stolen. Here I describe how to encrypt a whole disk using the AES algorithm with a key length of 256 bits (you can use other algorithms and key lengths). The article is primarily based on the few other articles listed in the Sources section at the bottom of the document, but combines all the best techniques. Refer to geli(8) and http://www.freebsd.org/doc/en/books/handbook/disks-encrypting.html for further details.

Preparing a GELI disk
=====================

Boot the computer with disk 1 and enter Fixit mode. Erase the disk with random data:

    # dd if=/dev/random of=/dev/ad0 bs=1m

Prepare the environment for geli, because it usually runs from within an installed system, not from the Fixit shell:

    # ln -s /dist/boot/kernel /boot/kernel
    # ln -s /dist/lib /lib
    # geli load

Create keys for disk encryption:

    # mkdir /boot/keys
    # dd if=/dev/random of=/boot/keys/ad0.key bs=128k count=1

Initialize the disk:

    # geli init -b -K /boot/keys/ad0.key -s 4096 -l 256 /dev/ad0

Attach the device:

    # geli attach -k /boot/keys/ad0.key /dev/ad0

Now we have the decrypted device. Let's partition it:

    # bsdlabel -w /dev/ad0.eli
    # bsdlabel -e /dev/ad0.eli

    # /dev/ad0.eli:
    8 partitions:
    #        size   offset    fstype   [fsize bsize bps/cpg]
      a:  2097149        2    unused        0     0
      c:  2097151        0    unused        0     0     # "raw" part, don't edit

The last command runs vi and lets you edit the partition table. I edited it this way:

    # /dev/ad0.eli:
    8 partitions:
    #        size   offset    fstype   [fsize bsize bps/cpg]
      a:     512M        0    4.2BSD        0     0
      b:     256M        *      swap        0     0
      c:  2097151        0    unused        0     0     # "raw" part, don't edit
      d:    1024M        *    4.2BSD        0     0
      e:     512M        *    4.2BSD        0     0
      f:        *        *    4.2BSD        0     0

The '*' in the third column means that the offset will be calculated by the system automatically based on the previous partitions. The '*' in front of the f partition means that all the remaining space will be used for this partition.
'c' represents the entire slice and shouldn't be modified.

Now create the filesystems. By default sysinstall doesn't enable Soft Updates on the root partition, so we won't either:

    # newfs /dev/ad0.elia

The rest will use Soft Updates:

    # newfs -U /dev/ad0.elid
    # newfs -U /dev/ad0.elie
    # newfs -U /dev/ad0.elif

Installing FreeBSD
==================

    # mkdir /fixed
    # mount /dev/ad0.elia /fixed

Create the default layout:

    # mkdir /fixed/var
    # mkdir /fixed/tmp
    # mkdir /fixed/usr

Mount the partitions:

    # mount /dev/ad0.elid /fixed/var
    # mount /dev/ad0.elie /fixed/tmp
    # mount /dev/ad0.elif /fixed/usr

Install the system from the CD/DVD. In my case X.Y-Z is 7.1-RELEASE:

    # export DESTDIR=/fixed/
    # cd /dist/X.Y-Z/base
    # ./install.sh
    # cd ../manpages && ./install.sh
    # cd ../src && ./install.sh all
    # cd ../kernels && ./install.sh GENERIC

Move the contents of GENERIC to /fixed/boot/kernel:

    # cd /fixed/boot/
    # mv GENERIC/* kernel/
    # rm -rf GENERIC

Configuring removable device
============================

Create a new slice on the device:

    # fdisk -BI /dev/da0

You may get a "Geom not found" message, but you can ignore it. Create a partition on the slice:

    # bsdlabel -Bw /dev/da0s1
    # bsdlabel -e /dev/da0s1

We need only one partition (about 50 MB):

    #        size   offset    fstype   [fsize bsize bps/cpg]
      a:   528600        0    4.2BSD        0     0
      c:   528600        0    unused        0     0

Create a filesystem on the device:

    # newfs /dev/da0s1
    # mount /dev/da0s1 /mnt

We will now speed up the booting process by compressing the kernel and the two required modules (ONLY FOR BOOTING FROM A USB STICK).
    # cd /fixed/boot/kernel/
    # gzip kernel geom_eli.ko acpi.ko

We need to load the GELI module at boot time and specify the key to be used:

    # vi /mnt/boot/loader.conf

    geom_eli_load="YES"
    geli_ad0_keyfile0_load="YES"
    geli_ad0_keyfile0_type="ad0:geli_keyfile0"
    geli_ad0_keyfile0_name="/boot/keys/ad0.key"

Now let's create the fstab file, which tells the system which partitions to mount:

    # mkdir /mnt/etc/
    # vi /mnt/etc/fstab

Now edit your fstab file (the devices are the partitions of the attached provider, so they must use the same name as the keyfile entries in loader.conf, ad0 here):

    # Device        Mountpoint  FStype  Options    Dump  Pass#
    /dev/ad0.elib   none        swap    sw         0     0
    /dev/ad0.elia   /           ufs     rw         1     1
    /dev/ad0.elid   /var        ufs     rw         2     2
    /dev/ad0.elie   /tmp        ufs     rw         2     2
    /dev/ad0.elif   /usr        ufs     rw         2     2
    /dev/acd0       /cdrom      cd9660  ro,noauto  0     0

    # cp /mnt/etc/fstab /fixed/etc/

"An important detail is to instruct the usbpen to attach the GELI devices with the -d option ("detach on last close"), which detaches every device when the computer shuts down. If this is not set the system will not boot up the next time. And limit the number of tries of supplying a passphrase to 3:"

    # vi /mnt/etc/rc.conf

    geli_autodetach="YES"
    geli_tries="3"

Copy boot and all config files onto the removable media:

    # cp -Rpv /fixed/boot /mnt

Configuring boot CD
===================

As an alternative to a USB stick we can create a CD to boot the system from. All the steps are the same as for a USB stick, except that the kernel and modules must not be gzipped.

    # mkdir /root/bootcd
    # cp -Rp /boot /root/bootcd
    # mkdir /root/bootcd/etc
    # cp /etc/rc.conf /root/bootcd/etc/
    # mkisofs -no-emul-boot -b boot/cdboot -o /root/bootcd.iso /root/bootcd

"-b boot/cdboot tells mkisofs which boot record to use, -o specifies where to save the iso file. -no-emul-boot is needed because the cdboot-image is not a regular floppy image. Now burn the iso with your favorite application (burncd, perhaps?)"

    # burncd -f /dev/acd0 data /root/bootcd.iso fixate

Or you can use UltraISO to make the bootable CD. Take a look at the screenshots.
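As an added example (not part of the original article), a small sh check to run before rebooting from the stick: it cross-checks the loader.conf, fstab and keyfile path described above and flags a provider mismatch (an fstab naming ar0 while the keyfile entries are for ad0) that would leave the system unbootable. The function name and the sample files are my own constructions.

```shell
#!/bin/sh
# Added pre-reboot sanity check (not part of the original article). It reads the
# loader.conf and fstab destined for the USB stick and reports mismatches that
# would leave the system unbootable: geom_eli not loaded, an fstab provider with
# no geli_<prov>_keyfile0_* entries, or a keyfile outside the copied /boot tree.
geli_boot_check() {
    conf="$1"; fstab="$2"; rc=0
    grep -q '^geom_eli_load="YES"' "$conf" || { echo "loader.conf: geom_eli_load=\"YES\" missing"; rc=1; }
    # providers used by fstab: /dev/ad0.elia -> ad0
    provs=$(sed -n 's|^/dev/\([a-z]*[0-9]*\)\.eli[a-h][[:space:]].*|\1|p' "$fstab" | sort -u)
    [ -n "$provs" ] || { echo "fstab: no /dev/<prov>.eli* devices found"; rc=1; }
    for p in $provs; do
        grep -q "^geli_${p}_keyfile0_load=\"YES\"" "$conf" \
            || { echo "loader.conf: no keyfile loaded for $p (fstab uses /dev/$p.eli*)"; rc=1; }
        grep -q "^geli_${p}_keyfile0_type=\"${p}:geli_keyfile0\"" "$conf" \
            || { echo "loader.conf: geli_${p}_keyfile0_type must be \"${p}:geli_keyfile0\""; rc=1; }
        name=$(sed -n "s|^geli_${p}_keyfile0_name=\"\([^\"]*\)\"|\1|p" "$conf")
        case "$name" in
            /boot/*) ;;
            *) echo "loader.conf: keyfile for $p is '$name', expected a path under /boot"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files: the loader.conf from the article, one fstab that
# wrongly names provider ar0 although the disk is ad0, and a corrected one.
GELI_DEMO=$(mktemp -d)
cat > "$GELI_DEMO/loader.conf" <<'EOF'
geom_eli_load="YES"
geli_ad0_keyfile0_load="YES"
geli_ad0_keyfile0_type="ad0:geli_keyfile0"
geli_ad0_keyfile0_name="/boot/keys/ad0.key"
EOF
cat > "$GELI_DEMO/fstab.bad" <<'EOF'
/dev/ar0.elib none swap sw 0 0
/dev/ar0.elia / ufs rw 1 1
EOF
cat > "$GELI_DEMO/fstab.good" <<'EOF'
/dev/ad0.elib none swap sw 0 0
/dev/ad0.elia / ufs rw 1 1
/dev/ad0.elid /var ufs rw 2 2
EOF

geli_boot_check "$GELI_DEMO/loader.conf" "$GELI_DEMO/fstab.bad" || echo "fstab.bad: FAIL (as expected)"
geli_boot_check "$GELI_DEMO/loader.conf" "$GELI_DEMO/fstab.good" && echo "fstab.good: OK"
```

On the real stick, point it at /mnt/boot/loader.conf and /mnt/etc/fstab after the cp -Rpv step.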
Passphrase on boot
==================

As of the writing of this article (I have FreeBSD 7.1-RELEASE) there's a problem with passphrase input during boot-up. You can try to disable kbdmux and dcons (by recompiling the kernel or by adding a line to the device.hints file on your bootable media). You can also try a USB keyboard.

    # echo hint.kbdmux.0.disabled=\"1\" >> /mnt/boot/device.hints

There are PRs related to this issue:

    http://www.freebsd.org/cgi/query-pr.cgi?pr=105368&cat=
    http://www.freebsd.org/cgi/query-pr.cgi?pr=120090&cat=

Hope this will be corrected soon.

Cleanup
=======

    # cd /
    # umount /mnt
    # umount /fixed/var
    # umount /fixed/tmp
    # umount /fixed/usr
    # umount /fixed
    # geli detach /dev/ad0

Don't forget to back up your ISO and keys and to remove the keys from /boot/keys. It's done. Good luck!

SOURCES
=======

http://www.proportion.ch/index.php?page=31
https://www.poller.se/blog/2008/06/05/encryptet-root-filesystem-with-freebsd-70-and-geli/
http://nullpointer.dk/2007/06/05/encrypting-a-freebsd-system-using-geli/
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2008-09/msg01118.html

Yasir M. Arsanukaev