How to Enable Disk Encryption at Rest on FreeBSD Operating System

Securing data at rest is crucial for protecting sensitive information from unauthorized access, especially in environments where security is a priority. FreeBSD provides robust mechanisms for enabling full disk encryption, ensuring that data stored on the system remains protected even if the physical disk is compromised. This guide details how to enable disk encryption at rest on FreeBSD using the GELI framework.

Understanding GELI: FreeBSD’s Encryption Framework

GELI (GEOM ELI) is FreeBSD's built-in disk encryption system. It supports strong encryption algorithms and flexible key management (a passphrase, a keyfile, or both), making it a powerful tool for securing disks. GELI operates at the block level as a GEOM class: it encrypts data before it is written to disk and decrypts it when read, so the on-disk contents are never stored in cleartext and are only readable while the provider is attached with the correct key.

Prerequisites

Before enabling encryption, ensure the following:

  • You have FreeBSD installed and running.
  • You have administrative (root) access.
  • You have backups of any important data.
  • The system is in single-user mode or a live environment for encrypting the root filesystem.
  • The disk or partition you want to encrypt is unmounted.

Steps to Enable Disk Encryption with GELI

1. Load the GELI Kernel Module

GELI is built into FreeBSD, but its module may not be loaded by default. To load it manually, run:

kldload geom_eli

To ensure it loads automatically at boot, add the following line to /boot/loader.conf:

geom_eli_load="YES"

2. Identify the Target Disk

Use gpart to list available disks and partitions (lsblk is not part of the FreeBSD base system):

gpart show

3. Initialize the Disk with GELI

To encrypt a partition (e.g., /dev/ada1p1), first initialize it with GELI:

geli init -b -s 4096 -e AES-XTS -l 256 /dev/ada1p1

Explanation of flags:

  • -b: Marks the provider for attachment at boot, before the root filesystem is mounted (the loader prompts for the passphrase); required when encrypting the root filesystem.
  • -s 4096: Sets the encryption sector size to 4096 bytes (larger sectors reduce per-sector overhead; 4096 is recommended).
  • -e AES-XTS: Uses AES-XTS encryption (a secure mode designed for disk encryption).
  • -l 256: Uses a 256-bit key.

You will be prompted to set a passphrase.

4. Attach the Encrypted Disk

After initialization, attach the encrypted device:

geli attach /dev/ada1p1

This command will prompt for the passphrase set earlier. If entered correctly, a new device /dev/ada1p1.eli will be created.

5. Create a Filesystem

Once the encrypted device is attached, create a new UFS filesystem on it (the -U flag enables soft updates):

newfs -U /dev/ada1p1.eli

6. Mount the Encrypted Filesystem

Mount the encrypted partition to use it:

mount /dev/ada1p1.eli /mnt

7. Configure Automatic Decryption at Boot (Optional)

For non-root partitions, add an entry to /etc/fstab so the encrypted device is mounted at boot (the device must already have been attached by rc.d/geli, configured below, when the mount runs):

/dev/ada1p1.eli   /mnt   ufs   rw   2   2

To automate decryption at boot, store a keyfile instead of using a passphrase interactively:

  1. Generate a keyfile (64 bytes from /dev/random, readable only by root):

    dd if=/dev/random of=/root/geli.key bs=64 count=1
    chmod 600 /root/geli.key

  2. Reinitialize GELI with the keyfile (-K) and without a passphrase component (-P), so no interactive prompt is needed. Note that geli init rewrites the provider's metadata and generates a new master key, so any data already written to the encrypted partition becomes unreadable; do this before creating the filesystem, or restore from backup afterwards:

    geli init -s 4096 -e AES-XTS -l 256 -P -K /root/geli.key /dev/ada1p1

  3. Modify /etc/rc.conf so that rc.d/geli attaches the provider at boot with the keyfile (-k) and without prompting for a passphrase (-p):

    geli_devices="ada1p1"
    geli_ada1p1_flags="-p -k /root/geli.key"

The keyfile must live on a filesystem that is available before rc.d/geli runs (normally the root filesystem), and it is as sensitive as the data itself: anyone who can read /root/geli.key can decrypt the partition, so keep it on encrypted or otherwise protected storage and back it up separately from the disk it unlocks.
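
The keyfile and rc.conf steps above are easy to get subtly wrong (a world-readable key, a duplicated or overwritten geli_devices line). The following script is an added example, not part of the original article or of FreeBSD's rc.d/geli: it creates the keyfile with restrictive permissions from the start and merges a provider into geli_devices idempotently. Function names (make_geli_keyfile, register_geli_device) and the file paths are assumptions; paths are passed as arguments so the script can be exercised against a scratch directory. It assumes plain provider names such as ada1p1.

```shell
#!/bin/sh
# Added example (not from the original article): create a GELI keyfile safely
# and register the provider in rc.conf so rc.d/geli attaches it at boot.

# make_geli_keyfile KEYFILE: 64 random bytes, mode 0600, never overwrites.
make_geli_keyfile() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing keyfile: $keyfile" >&2
        return 1
    fi
    # umask 077 ensures the file is never readable by others, even in the
    # window between dd creating it and chmod running.  bs=1 avoids a short
    # read on kernels where /dev/random may return fewer bytes than requested.
    (umask 077 && dd if=/dev/random of="$keyfile" bs=1 count=64 2>/dev/null) || return 1
    chmod 600 "$keyfile"
    # sanity check: a truncated keyfile would silently weaken the key
    [ "$(wc -c < "$keyfile" | tr -d ' ')" -eq 64 ] || {
        echo "keyfile is not 64 bytes" >&2
        return 1
    }
}

# rc_geli_devices RCCONF: print the current geli_devices value (empty if unset)
rc_geli_devices() {
    sed -n 's/^geli_devices="\(.*\)"$/\1/p' "$1" 2>/dev/null | tail -n 1
}

# register_geli_device RCCONF PROVIDER KEYFILE: add PROVIDER to geli_devices
# and set geli_<provider>_flags to attach with the keyfile (-k) and no
# passphrase (-p).  Running it twice leaves the file unchanged; other
# rc.conf lines are preserved.
register_geli_device() {
    rcconf=$1 provider=$2 keyfile=$3
    current=$(rc_geli_devices "$rcconf")
    case " $current " in
        *" $provider "*) devices=$current ;;                 # already listed
        *) devices="${current:+$current }$provider" ;;       # append
    esac
    tmp="$rcconf.tmp.$$"
    # drop the lines we own, keep everything else
    grep -v -e '^geli_devices=' -e "^geli_${provider}_flags=" "$rcconf" > "$tmp" 2>/dev/null || true
    printf 'geli_devices="%s"\n' "$devices" >> "$tmp"
    printf 'geli_%s_flags="-p -k %s"\n' "$provider" "$keyfile" >> "$tmp"
    mv "$tmp" "$rcconf"
}
```

Usage on a real system would be make_geli_keyfile /root/geli.key followed by register_geli_device /etc/rc.conf ada1p1 /root/geli.key, run as root after the provider has been initialized with the same keyfile. Also keep a copy of the provider's GELI metadata (geli backup) with the key backups, since a damaged metadata sector makes the partition unrecoverable even with the correct key.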

8. Encrypting the Root Filesystem

If you want to encrypt the root filesystem, follow these additional steps:

  1. Boot into a FreeBSD live environment.
  2. Identify the root partition.
  3. Use the GELI encryption method as described above (with -b, so the provider is attached before the root filesystem is mounted).
  4. Modify /etc/fstab (so / is mounted from the .eli device) and /boot/loader.conf accordingly.
  5. Ensure geom_eli_load="YES" is added to /boot/loader.conf.
  6. Use a separate /boot partition that remains unencrypted.

9. Testing the Encrypted Setup

After rebooting, verify that the encrypted disk is functioning properly:

geli list
mount | grep ada1p1

If everything is correctly set up, your encrypted partition should be listed and accessible after decryption.
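
A common way for this setup to fail is a mismatch between /etc/fstab and /etc/rc.conf: fstab references a .eli device that nothing attaches, so the boot drops to single-user mode. The following check is an added example, not part of the original article: it lists the .eli devices fstab will mount at boot and confirms each is either in geli_devices or was initialized with -b (those are attached by the kernel and do not appear in rc.conf, so they are passed in explicitly). Function names and arguments are assumptions; file paths are parameters so it can be run against copies, and the sample fstab in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): verify that every GELI
# provider mounted from fstab at boot is attached by rc.d/geli or the kernel.

# fstab_eli_providers FSTAB: provider names (without /dev/ and .eli) of
# fstab entries that mount a .eli device at boot.  Comment lines and
# entries carrying the noauto option are skipped.
fstab_eli_providers() {
    awk '$1 !~ /^#/ && $1 ~ /\.eli$/ && ("," $4 ",") !~ /,noauto,/ {
            sub(/^\/dev\//, "", $1)
            sub(/\.eli$/, "", $1)
            print $1
        }' "$1"
}

# rc_geli_providers RCCONF: the space-separated geli_devices value
rc_geli_providers() {
    sed -n 's/^geli_devices="\(.*\)"$/\1/p' "$1" 2>/dev/null | tail -n 1
}

# check_geli_boot FSTAB RCCONF [BOOT_PROVIDERS]: report each provider that
# fstab will try to mount but that neither geli_devices nor the boot flag
# accounts for.  BOOT_PROVIDERS is a space-separated list of providers
# initialised with -b (on a live system, see "Flags: BOOT" in geli list).
# Returns 1 if any provider is unaccounted for, 0 otherwise.
check_geli_boot() {
    fstab=$1 rcconf=$2 bootprov=${3:-}
    rcprov=$(rc_geli_providers "$rcconf")
    status=0
    for p in $(fstab_eli_providers "$fstab"); do
        case " $rcprov $bootprov " in
            *" $p "*) ;;
            *)
                echo "$p: mounted from $fstab but not in geli_devices and not a boot provider" >&2
                status=1
                ;;
        esac
    done
    return $status
}
```

On a live system, run check_geli_boot /etc/fstab /etc/rc.conf before rebooting, adding any -b providers as the third argument; a non-zero exit means a boot-time mount will have no device behind it.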

Conclusion

Enabling disk encryption at rest on FreeBSD using GELI is a straightforward process that significantly enhances data security. By following these steps, you can ensure that your sensitive information remains protected even if the physical disk falls into the wrong hands. Proper key management and backups are essential to maintaining access and avoiding data loss. For enterprise environments, consider integrating GELI with additional security measures such as TPM (Trusted Platform Module) or hardware security modules (HSM) for enhanced key management.