NOTE: This is an older article, so the information provided may no longer be accurate.

Wills Notebook: geli encryption on top of mirroring - FreeBSD

I was setting up a customer's computer for server duty (again) and used the following configuration: Two 2TB disks configured as mirrored with encryption on top. This is on FreeBSD 10.2, UFS file-system (ZFS didn't work for this particular setup, unfortunately).

Here is a summary of the setup:
  • Disks are identical 2TB SATA drives, named /dev/ada1 and /dev/ada2
  • Mirrored device will be /dev/mirror/md0 (md0)
  • Directory to mount to is /disk
  • geli encryption will be used
  • We will use 'no passphrase' option so this can be used on an unmonitored server

Warning! If you are doing these steps on a remote computer, be aware that it will stop booting if there is a problem mounting the new file-system! Make sure you have physical access to the computer, or that you have some way to roll the changes back so you don't lose contact with your computer completely.

Warning! Any existing data on the disks used for this procedure will be completely destroyed!

Warning! When entering commands, be sure to put two > together instead of just one, otherwise you will erase whatever is in the file you're trying to append to!


All commands issued as root:

Mirroring tasks

If disks have been previously used on FreeBSD or another system
    gpart destroy -F ada1
    gpart destroy -F ada2
    (If you get an error about bad parameter, don't worry, it just means this step is not necessary)

While the following is marginally optional, I highly recommend it. It will zero out any old partition table info as well as old data.
    dd if=/dev/zero of=/dev/ada1 bs=1M
    dd if=/dev/zero of=/dev/ada2 bs=1M
    (If you're really in a hurry, you can add count=1 to the end of the above commands, but it will only wipe the old partition table data)

Load the mirror system
    gmirror load

Create mirror label
    gmirror label -v md0 /dev/ada1 /dev/ada2

Create the mirror
    gpart create -s GPT mirror/md0

Set the mirroring system to load on boot
    echo 'geom_mirror_load="YES"' >> /boot/loader.conf

Encryption tasks

Create a random key file for use with geli encryption
    dd if=/dev/random of=/etc/md0.key bs=64 count=1

Initialize the mirrored drives for geli use
    (-s block size, -P 'no passphrase', -K <file> key file)
    geli init -s 4096 -P -K /etc/md0.key /dev/mirror/md0

Attach the geli device
    (-p 'no passphrase', -k <file> key file)
    geli attach -p -k /etc/md0.key /dev/mirror/md0

Create a new UFS file-system on the geli device
    newfs /dev/mirror/md0.eli

Set the boot-time flags for the geli device in /etc/rc.conf
    (note that an underscore is used instead of a forward slash for 'mirror/md0')
    echo 'geli_mirror_md0_flags="-p -k /etc/md0.key"' >> /etc/rc.conf

Create the directory we're going to mount to
    mkdir /disk

Add the mirrored/encrypted device to /etc/fstab
    echo '/dev/mirror/md0.eli /disk ufs rw 0 0' >> /etc/fstab

Reboot! :)

On reboot, everything should work!  smile Any data added to the /disk directory will be mirrored and encrypted!

If you have any problems or find any inaccuracies, please leave a comment below. Thanks!


God loves geeks too!
Why Jesus?


Post A Comment

Your name:

Your e-mail address: (Will not be seen or used by anyone else but me)

To help cut down on spam, what do you get when you add two and four?:

Please type your message below: (Please limit message to less than 1,000 characters)

By submitting your comment, you consent to me posting it on my site

All submissions are moderated before being posted

My Story   |   Web Server Probes   |   Today God is First!   |   Autism
This page should pass HTML validation. Standards-compliance is important to me.