On Wed, Apr 08, 2009 at 07:06:27AM -0700, new_guy wrote: > > Hi guys, > > I'd like to use geli to whole disk encrypt a FreeBSD 7.1 laptop I already > have setup. The laptop is up and working fine and I don't want to screw it > up. It have the default partition layout. I've already used geli to encrypt > the swap partition. > > The default partitioning at install creates / /tmp /usr and /var. I thought > I would start with /tmp as I should be able to fix that if I mess up. > > Some questions... > > 1. Will each partition have to be mounted with a password?
If you plan on converting existing partitions to geli-backed, then each one will require its own initialization. It's up to you on whether or not you wish to use the same password/keyfile -- or different ones -- for each. I personally experiment with geli all the time, and for convenience, I have my primary drive prompt for a passord at boot time. Under my encrypted drive, I use key files without password to mount other devices. >From my rc.conf file: geli_devices="ad3" geli_ad3_flags="-p -k /etc/geli/ad3.key" geli_ad3_autodetach="NO" (then the appropriate entry for ad3.eli in my fstab) This would probably be unnacceptable to those who wear tin-foil hats and think the NSA is out to get them, but it sure beats typing in a high-entropy password for each and every device/partition in your system. One potential gotchya: If you your primary device gets hosed (hardware failure, lost password, corruption), then you won't be able to access the other devices since you can't get access to your keys. I *strongly* suggest that you back up your key file(s) -- I keep 2, one on the USB stick that I use to boot my machine, and one on a webmail account (both gpg-encrypted, of course). Don't forget to encrypt swap (described in the handbook, I think). > 2. What's the most straight-forward way to go about this without screwing > up? For someone new to this, it would be far easier to start from scratch. However, in your case, I suggest that you free up a partition to start with (/tmp comes to mind here). Experiment with a few "geli init" incantations in order to get it to prompt for a password at boot time, and then mount the device. Mount it under something like /root2 or /newroot. Then, copy your entire content of / over to the new mountpoint (use tar or rsync, and don't forget to exclude other devices). Once you have that mounting at boot and synced up, you can change the / entry in your current /etc/fstab (make sure the new fstab is correct for the new mounts, too). You system will start booting, and you'll be prompted for a password to unlock the new encrypted device. Then, it'll mount / (the new encrytped device), and once that happens, the old / will be essentially ignored since the new one will be mounted over it, so the new fstab and directory structure will assume control. Once that is working, you can migrate other partitions over, one at a time, until all required devices are encrypted. If you don't want to be prompted for passwords for these other devices, you should use keys instead of passwords and use the rc.conf method I mentioned above. Personally, I'd add a 2nd drive, encrypt it wholesale (ad0.eli), then partition that device in whatever way you wish (/dev/ad0.elia, /dev/ad0.elib, etc. by way of "bsdlabel -w ad0.eli ; bsdlabel -e ad0.eli"). Then mount those partitions under a /newroot tree, then rsync your entire filesystem tree over to that, then switch your fstab to point to the new root. (again, don't forget to correctly edit the *new* fstab after you sync, or you'l be hating life as you try to fix the mess from the boot loader prompt or a recovery disk). Moving everything back to your newly-encrypted old drive will be more difficult. I cut my geli teeth on the following docs: http://nullpointer.dk/2007/06/05/encrypting-a-freebsd-system-using-geli/ http://events.ccc.de/congress/2005/fahrplan/attachments/586-paper_Complete_Hard_Disk_Encryption.pdf There appear to be quite a few more decent tutorials online these days. Just google "freebsd geli encryption". The good news is that many of the methods used for crypto (loading modules from /boot/loader.conf) can be applied to things having gjournal or ZFS running on your root device. In fact, I've run ZFS over geli, and I currently use gjournal over geli. Both work very well. Good luck. -- Geoff _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
