From: Volker <volker@vwsoft.com>
To: freebsd-geom@freebsd.org
Date: Sun, 13 Jan 2008 23:42:07 +0100
Subject: how-to: encryption + journaling (geli + gjournal)
Message-ID: <478A93BF.4070404@vwsoft.com>
List-Id: GEOM-specific discussions and implementations

For the archives (as I haven't found a nice how-to on this topic): a short
how-to to get geli + gjournal running smoothly (the lazy way, depending
mostly on OS infrastructure, no script hacking needed).

- set up your geli provider:

    geli load
    geli init /dev/ad0s1d        # check geli(8) for this
    geli attach /dev/ad0s1d
    dd if=/dev/random of=/dev/ad0s1d.eli bs=1m
                                 # (use higher values bs=... for faster operation)

- set up journaling:

    gjournal load
    gjournal label /dev/ad0s1d.eli
    newfs -J /dev/ad0s1d.eli.journal

/etc/fstab:

    /dev/ad0s1d.eli.journal /anywhere ufs rw,async,late 2 2

/etc/rc.conf:

    geli_devices="ad0s1d"
    geli_ad0s1d_flags=""         # depends on how you've set up geli
    geli_ad0s1d_autodetach="NO"

/boot/loader.conf:

    geom_eli_load="YES"
    geom_journal_load="YES"

Warning: If you make a mistake, your machine will go into single user mode
on reboot. Don't try this w/o console access.

For a desktop machine, using a passphrase is not that bad (beware of key
loggers).

It's probably not *the* solution for everybody, but isn't that easy to get
security and fault tolerance?
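A pre-reboot sanity check for the layout above, added here as an example and not part of the original post: it verifies that /etc/fstab, /etc/rc.conf and /boot/loader.conf all refer to the same provider (the mistake the post warns will leave the machine in single-user mode). The function names and the sample file contents are constructed for this example; the file paths are passed in so it can be pointed at copies before anything is rebooted.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-reboot sanity check that the
# three config files agree on one geli + gjournal provider. Function names and
# the sample file contents below are constructed for this example.

# check_geli_gjournal_config DEV FSTAB RCCONF LOADERCONF
# DEV is the provider name without /dev/ (e.g. ad0s1d). Prints each problem
# found and returns 1; returns 0 when all checks pass.
check_geli_gjournal_config() {
    dev=$1; fstab=$2; rcconf=$3; loaderconf=$4; rc=0
    # loader.conf must load both GEOM classes, or the .eli/.journal
    # providers never appear and the fstab entry cannot be mounted.
    for mod in geom_eli_load geom_journal_load; do
        grep -Eq "^${mod}=\"?YES\"?" "$loaderconf" \
            || { echo "loader.conf: ${mod}=\"YES\" missing"; rc=1; }
    done
    # rc.conf must list the device in geli_devices so rc.d/geli attaches it.
    grep -Eq "^geli_devices=\"([^\"]* )?${dev}( [^\"]*)?\"" "$rcconf" \
        || { echo "rc.conf: ${dev} not in geli_devices"; rc=1; }
    # fstab must mount the journal stacked on the geli provider, with 'late'
    # because the provider only exists after rc.d/geli has run.
    line=$(grep -E "^/dev/${dev}\.eli\.journal[[:space:]]" "$fstab" || true)
    if [ -z "$line" ]; then
        echo "fstab: no entry for /dev/${dev}.eli.journal"; rc=1
    else
        opts=$(echo "$line" | awk '{print $4}')
        case ",$opts," in
            *,late,*) ;;
            *) echo "fstab: /dev/${dev}.eli.journal lacks 'late'"; rc=1 ;;
        esac
    fi
    return $rc
}

# write_sample_configs DIR: constructed sample files using the post's settings
# for provider ad0s1d, so the check can be exercised offline.
write_sample_configs() {
    printf '%s\n' '/dev/ad0s1d.eli.journal /anywhere ufs rw,async,late 2 2' > "$1/fstab"
    printf '%s\n' 'geli_devices="ad0s1d"' 'geli_ad0s1d_flags=""' \
        'geli_ad0s1d_autodetach="NO"' > "$1/rc.conf"
    printf '%s\n' 'geom_eli_load="YES"' 'geom_journal_load="YES"' > "$1/loader.conf"
}

# Stand-alone run against the sample set, which should pass.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
check_geli_gjournal_config ad0s1d "$tmp/fstab" "$tmp/rc.conf" "$tmp/loader.conf" \
    && echo "ad0s1d: fstab, rc.conf and loader.conf are consistent"
rm -rf "$tmp"
```

Run it as `check_geli_gjournal_config ad0s1d /etc/fstab /etc/rc.conf /boot/loader.conf` against the real files once they are edited; a non-zero exit means at least one of the three disagrees.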