How to Encrypt Disks with GELI on FreeBSD Operating System

Disk encryption is a crucial security measure that protects sensitive data from unauthorized access. FreeBSD, a robust and performance-oriented UNIX-like operating system, provides the GEOM ELi (GELI) framework for encrypting entire disk partitions. This article provides a step-by-step guide on how to encrypt disks using GELI on FreeBSD.

Understanding GELI

GELI is FreeBSD’s native disk encryption framework, integrated into the GEOM storage subsystem. It supports multiple encryption algorithms, key management options, and cryptographic hardware acceleration. GELI provides full-disk encryption, protecting data even if the storage device is physically removed.

Prerequisites

Before proceeding with GELI encryption, ensure that:

• You have administrative (root) access to the FreeBSD system.
• You have a backup of any important data on the target disk.
• You have installed FreeBSD with the necessary utilities.
• The disk you intend to encrypt is unmounted and not in use.

Step 1: Load the GELI Kernel Module

By default, GELI may not be loaded into the kernel. To ensure GELI is available, load it manually:

# kldload geom_eli

To ensure the module loads at boot, add the following line to /boot/loader.conf:

geom_eli_load="YES"

Step 2: Identify the Target Disk

List available disks using:

# gpart show

This command displays the partition layout. Identify the disk or partition you wish to encrypt, such as /dev/ada1.

Step 3: Initialize the Disk with GELI

To encrypt a disk, initialize it with GELI. This process wipes existing data, so ensure you have backups.

# geli init -s 4096 -K /root/geli.key /dev/ada1

Explanation of Options

• -s 4096: Sets the sector size to 4096 bytes (adjust based on your storage requirements).
• -K /root/geli.key: Specifies an additional key file for authentication.
• /dev/ada1: The target disk.

GELI prompts for a passphrase. Choose a strong passphrase and store it securely.

Step 4: Attach the Encrypted Disk

Once initialized, attach the encrypted device:

# geli attach -k /root/geli.key /dev/ada1

This command prompts for the passphrase and creates a virtual device /dev/ada1.eli, which represents the decrypted storage.

Step 5: Create a Filesystem

With the encrypted device ready, format it with a suitable filesystem, such as UFS:

# newfs -U /dev/ada1.eli

For ZFS, use:

# zpool create encryptedpool /dev/ada1.eli

Step 6: Mount the Encrypted Filesystem

To mount the newly encrypted partition:

# mkdir /mnt/encrypted
# mount /dev/ada1.eli /mnt/encrypted

For ZFS:

# zfs set mountpoint=/mnt/encrypted encryptedpool

Step 7: Configure Automatic Decryption at Boot (Optional)

If you need the encrypted disk to be available after reboot, configure GELI to automatically attach it:

1. Add an entry to /etc/fstab:

   /dev/ada1.eli    /mnt/encrypted    ufs    rw    0    0
   

2. Store the key securely and ensure it is available during boot:

   # echo "ada1 /root/geli.key" >> /etc/rc.conf
   

Alternatively, manually attach and mount the disk after reboot.

Step 8: Detach the Encrypted Disk

To unmount and detach the encrypted device when not in use:

# umount /mnt/encrypted
# geli detach /dev/ada1.eli

This prevents access to the data until it is re-attached with the correct key and passphrase.

Security Considerations

• Passphrase Strength: Use a strong, complex passphrase to protect against brute-force attacks.
• Key Management: Store key files securely and consider using hardware security modules for key storage.
• Backup Strategy: Keep backups of unencrypted data in a secure location in case of corruption or key loss.
• Performance Impact: Encrypting a disk can slightly reduce performance, but using hardware encryption acceleration (e.g., AES-NI) minimizes this impact.

Conclusion

Encrypting disks with GELI on FreeBSD is a robust way to protect sensitive data. By following these steps, you can secure your storage effectively while maintaining usability. Ensure you manage keys and passphrases responsibly, and consider automation options if the encrypted storage needs to be available at boot.

By implementing disk encryption, you enhance security and mitigate risks associated with data breaches or physical theft of storage devices. FreeBSD’s GELI provides a powerful and flexible solution for full-disk encryption, making it an excellent choice for securing critical data.