Date: Thu, 27 Feb 2014 06:49:38 +0100
From: "Michael Ross" <gmx@ross.cx>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>, Polytropon <freebsd@edvax.de>
Subject: Re: Simple disk encryption for off-site backup
Message-ID: <op.xbxeg0p8g7njmm@michael-think>
In-Reply-To: <20140227045904.5ba67227.freebsd@edvax.de>
References: <20140227045904.5ba67227.freebsd@edvax.de>

On Thu, 27 Feb 2014 04:59:04 +0100, Polytropon <freebsd@edvax.de> wrote:

> I'm planning to add a new disk next month to my home setup.
> It should be an external USB disk for off-site (really!)
> backup. That's why I would like to see the content encrypted.
> I have no problem with entering a long passphrase when mounting
> the disk for backup or restore operations, and probably I would
> not feel safe enough by just using keys (stored somewhere).
> The file system will be UFS, so there is no need to worry that
> some other OS or "Windows" would not be able to read it. :-)
>
> My question is: What is the _easiest_ mechanism to initialize
> a disk for encrypted use? It should work with FreeBSD 9 and 10
> in the first place.

I am using geli for that.

Copied from the man page:

    Initialize a provider which is going to be encrypted with a
    passphrase and random data from a file on the user's pen drive.
    Use 4kB sector size. Attach the provider, create a file system,
    and mount it. Do the work. Unmount the provider and detach it:

        # dd if=/dev/random of=/mnt/pendrive/da2.key bs=64 count=1
        # geli init -s 4096 -K /mnt/pendrive/da2.key /dev/da2
        Enter new passphrase:
        Reenter new passphrase:
        # geli attach -k /mnt/pendrive/da2.key /dev/da2
        Enter passphrase:
        # dd if=/dev/random of=/dev/da2.eli bs=1m
        # newfs /dev/da2.eli
        # mount /dev/da2.eli /mnt/secret
        ...
        # umount /mnt/secret
        # geli detach da2.eli

Regards,

Michael
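
Added example, not part of the original message or of the geli man page: the same procedure without a key file (passphrase only, as the question asked for), wrapped in sh functions. The function names, the device name da2, the mount point and the metadata backup path are assumptions; commands are only printed unless DRY_RUN=0 is set.

```sh
#!/bin/sh
# Added example: passphrase-only geli workflow for an off-site backup disk.
# Function names, da2 and the paths in the usage comments are assumptions.
# With DRY_RUN=1 (the default) commands are printed, not executed.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only a plain device name such as da2 (no paths, spaces or shell syntax).
check_dev() {
    case "$1" in
        ""|*[!a-z0-9]*) echo "bad device name: $1" >&2; return 1 ;;
    esac
}

# One-time setup. Without -K, geli init asks for a passphrase and uses no key file.
# -B stores a copy of the geli metadata; keep it somewhere other than this disk.
backup_disk_init() {    # usage: backup_disk_init da2 /root/da2.eli.meta
    check_dev "$1" || return 1
    run geli init -s 4096 -B "$2" "/dev/$1" || return 1
    run geli attach "/dev/$1" || return 1
    # Fill the provider with random data. dd ends with an error once the
    # device is full, which is expected here, so its exit status is ignored.
    run dd if=/dev/random of="/dev/$1.eli" bs=1m || true
    run newfs "/dev/$1.eli" || return 1
    run geli detach "$1.eli"
}

# Before a backup or restore: attach (prompts for the passphrase) and mount.
backup_disk_open() {    # usage: backup_disk_open da2 /mnt/secret
    check_dev "$1" || return 1
    run geli attach "/dev/$1" || return 1
    run mount "/dev/$1.eli" "$2"
}

# Afterwards: unmount first, then detach so the provider is no longer readable.
backup_disk_close() {   # usage: backup_disk_close da2 /mnt/secret
    check_dev "$1" || return 1
    run umount "$2" || return 1
    run geli detach "$1.eli"
}
```

Check the printed commands against the real device name before running with DRY_RUN=0 as root, since geli init and dd overwrite whatever is on that provider.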