Encrypted Filesystems

Discrimination that is wrong in one context may be acceptable in another. ,

Configuration

Load GEOM_BDE support into the kernel. (Note: if you wish, you may also add GEOM_BDE support to the kernel statically and recompile it - use options GEOM_BDE.)

masta# kldload geom_bde

If you chose to use dynamic GEOM kernel support instead of recompiling it into the kernel, you may also want to make sure it's autoloaded at boot time from here on out:

masta# echo geom_bde_load="YES" >> /boot/loader.conf

Create a few directories. One for lock files, and the other for a mount point.

masta# mkdir /private
masta# mkdir /etc/gbde

Create an empty image file of 1000Mb.

masta# touch /usr/local/cryptfs.img
masta# dd if=/dev/zero of=/usr/local/cryptfs.img bs=1024k count=1000

Create a virtual device that points the empty file.

masta# mdconfig -a -t vnode -u 9 -f /usr/local/cryptfs.img

Invoke the gbde program on the new virtual device. This will ask for a passphrase twice, and open an editor.

masta# gbde init /dev/md9 -i -L /etc/gbde/md9

In the Editor, alter the "sector_size" line, and exit.

g/sector_size = 512/s//sector_size = 2048/g

NOTE: You should have a /dev/md9.bde device-node.

Invoke the gbde program to attach the image file to the kernel.

masta# gbde attach /dev/md9 -l /etc/gbde/md9

NOTE: You will be prompted for the passphrase.

Format the attached image with UFS2:

masta# newfs -U -O2 /dev/md9.bde

Now mount the md9.bde filesystem to the mount-point we created earlier.

masta# mount /dev/md9.bde /private

Check to make sure everthing worked.

masta# df -h

NOTE: this article was reproduced and minorly reformatted from http://www.ezunix.org/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=67&page=1 and has not been tested for accuracy.

You can automount encrypted partitions with 2 rc.conf variables:

gbde_autoattach_all="YES"
gbde_devices="encrypteddrivedeveicename"