The mumblings of a Christian autistic husband, dad, IT guy and amateur radio operator - Will Brokenbourgh / AF7EC
Wills Notebook: geli encryption on top of mirroring - FreeBSD
I was setting up a customer's computer for server duty (again) and used the following configuration: Two 2TB disks configured as mirrored with encryption on top. This is on FreeBSD 10.2, UFS file-system (ZFS didn't work for this particular setup, unfortunately).
Here is a summary of the setup:
• Disks are identical 2TB SATA drives, named
• Mirrored device will be
• Directory to mount to is
• geli encryption will be used
• We will use 'no passphrase' option so this can be used on an unmonitored server
Warning! If you are doing these steps on a remote
computer, be aware that it will stop booting if there is a problem mounting
the new file-system! Make sure you have physical access to the computer,
or that you have some way to roll the changes back so you don't lose
contact with your computer completely.
Warning! Any existing data on the disks used for this procedure will be completely destroyed!
Warning! When entering commands, be sure to put two > together instead of just one, otherwise you will erase whatever is in the file you're trying to append to!
All commands issued as root:
If disks have been previously used on FreeBSD or another system
gpart destroy -F ada1
gpart destroy -F ada2
(If you get an error about bad parameter, don't worry, it just means this step is not necessary)
While the following is marginally optional, I highly recommend it. It will zero
out any old partition table info as well as old data.
dd if=/dev/zero of=/dev/ada1 bs=1M
dd if=/dev/zero of=/dev/ada2 bs=1M
(If you're really in a hurry, you can add
to the end of the above commands, but it will only wipe the old partition table data)
Load the mirror system
Create mirror label
gmirror label -v md0 /dev/ada1 /dev/ada2
Create the mirror
gpart create -s GPT mirror/md0
Set the mirroring system to load on boot
echo 'geom_mirror_load="YES"' >> /boot/loader.conf
Create a random key file for use with geli encryption
dd if=/dev/random of=/etc/md0.key bs=64 count=1
Initialize the mirrored drives for geli use
-s block size,
-P 'no passphrase',
geli init -s 4096 -P -K /etc/md0.key /dev/mirror/md0
Attach the geli device
-p 'no passphrase',
geli attach -p -k /etc/md0.key /dev/mirror/md0
Create a new UFS file-system on the geli device
Set the boot-time flags for the geli device in
(note that an underscore is used instead of a forward slash for 'mirror/md0')
echo 'geli_mirror_md0_flags="-p -k /etc/md0.key"' >> /etc/rc.conf
Create the directory we're going to mount to
Add the mirrored/encrypted device to
echo '/dev/mirror/md0.eli /disk ufs rw 0 0' >> /etc/fstab
On reboot, everything should work! Any data added to the
/disk directory will be mirrored and encrypted!
If you have any problems or find any inaccuracies, please leave a comment below. Thanks!