====== FreeBSD Encrypted Drive ======

  * [[FreeBSD]]
  * [[geli]]

Creating and mounting an encrypted UFS2 filesystem is very easy to do, and it can be automatically unlocked during boot and have a filesystem check run (fstab).

=== Load kernel module on boot ===

<code>
echo geom_eli_load="YES" >> /boot/loader.conf
</code>

=== Create an Encrypted Device ===

Create a passphrase key.  Make a backup copy of it somewhere to be safe.

<code>
dd if=/dev/random bs=64 count=1 of=/root/ada1.key
geli init -s 4096 -K ada1.key /dev/ada1
</code>

Unlock the encrypted drive.  This will create the device ''/dev/ada1.eli'':

<code>
geli attach -k ada1.key /dev/ada1
</code>

Fill the new volume with random data:

<code>
dd if=/dev/random bs=1M of=/dev/ada1.eli
</code>

Format the new volume as UFS2:

<code>
newfs -U /dev/ada1.eli
</code>

After that you can mount it as normal.  Add an entry to ''fstab'':

<code>
echo "/dev/ada1.eli /private ufs rw 1 1" >> /etc/fstab
</code>

=== Unmount an Encrypted Device ===

Unmount and detach encrypted volume:

<code>
umount /private
geli detach ada1.eli
</code>

=== Mount Encrypted Device on Boot ===

Add to ''/etc/rc.conf'':

<code>
geli_devices="ada1"
geli_ada1_flags="-k /root/ada1.key"
</code>

On bootup, FreeBSD will ask for the passphrase.