Date: Sun, 31 Aug 2014 23:21:14 +0200
From: Roland Smith <rsmith@xs4all.nl>
To: "Littlefield, Tyler" <tyler@tysdomain.com>
Cc: questions@freebsd.org
Subject: Re: best solution for encrypting a mountpoint?
Message-ID: <20140831212114.GA24207@slackbox.erewhon.home>
In-Reply-To: <540341C8.2040003@tysdomain.com>
References: <540341C8.2040003@tysdomain.com>
On Sun, Aug 31, 2014 at 11:39:52AM -0400, Littlefield, Tyler wrote:
> Hello all:
> I would like to encrypt my /home directory. Is there a good solution for
> handling this? There is already a partition, so I'd like to unmount it
> and somehow set it up so that it will be encrypted.

The procedure to do this is as follows, assuming you want to use geli
encryption and a UFS filesystem. Note that geli encryption is currently not
suited for SSDs since it lacks TRIM support. And you cannot encrypt in situ
with gbde or geli.

* Make a backup of your data on /home, and verify it!

* Unmount /home.

* The following steps should be run as root, preferably with no other users
  logged in (since /home is unmounted).

* Fill the /home partition with pseudo-random garbage. This makes
  cryptanalysis harder but mostly ensures that no retrievable data is left.
  *This will destroy all data on the partition.* *Make sure you have a good
  backup!* You should replace <home-partition> with the partition id of
  your /home.

  # dd if=/dev/random of=/dev/<home-partition> bs=1M

* Initialize the partition to use gbde or geli. I'm using geli in this
  example:

  # geli init -l 256 /dev/<home-partition>
  # geli attach /dev/<home-partition>

  Choose a strong passphrase.

* Now create a new filesystem on the encrypted device:

  # newfs -U /dev/<home-partition>.eli
  # mount /dev/<home-partition>.eli /home

* Change /etc/fstab to point to the new '.eli' device for the home
  partition.

* Finally you have to restore your data to the new /home filesystem.

When the system encounters encrypted devices in /etc/fstab on startup, it
will prompt you for the passphrase.
Roland
-- 
R.F.Smith  http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93 FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
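As an added example (not part of Roland's message or of FreeBSD's own tooling), a small POSIX sh helper for the fstab step of the procedure above: it refuses to continue while the partition is still mounted, prints the command sequence for review instead of running it, and rewrites only the fstab line whose device field matches, so the rest of the file and its whitespace are untouched. The function names, the fstab-path argument and the sample fstab contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the message: helpers for the "change /etc/fstab"
# step when moving /home onto a geli-backed <partition>.eli device.
# Function names and the fstab path argument are assumptions.
set -eu

# Refuse to go on while /dev/<part> is still mounted: the dd pass and
# "geli init" destroy whatever filesystem is live on the device.
# Returns 0 when the device is absent from the mount table, 1 otherwise.
assert_not_mounted() {
    part="$1"
    if mount 2>/dev/null | awk -v d="/dev/${part}" '$1 == d { f = 1 } END { exit !f }'; then
        echo "refusing: /dev/${part} is still mounted, unmount it first" >&2
        return 1
    fi
    return 0
}

# Print the command sequence from the message for a partition id and geli
# key length (default 256) without executing anything, for review first.
geli_home_plan() {
    part="$1"; keylen="${2:-256}"
    printf '%s\n' \
        "dd if=/dev/random of=/dev/${part} bs=1M" \
        "geli init -l ${keylen} /dev/${part}" \
        "geli attach /dev/${part}" \
        "newfs -U /dev/${part}.eli" \
        "mount /dev/${part}.eli /home"
}

# Rewrite every fstab line whose device field is exactly /dev/<part> so it
# names /dev/<part>.eli instead. Comment lines, other devices and a line
# that already uses the .eli name are left as they are (so the rewrite is
# idempotent). Reads the given fstab file and writes the result to stdout
# so it can be checked before it replaces /etc/fstab.
fstab_to_eli() {
    part="$1"; fstab="$2"
    awk -v dev="/dev/${part}" '
        $1 == dev { sub(/[^ \t]+/, dev ".eli") }   # only the device field
        { print }
    ' "$fstab"
}
```

Run as `assert_not_mounted ada0p4 && fstab_to_eli ada0p4 /etc/fstab > /tmp/fstab.new` (hypothetical partition id) and inspect /tmp/fstab.new before copying it into place.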