Author: attenboroughp
First of all, this article is taken directly from http://lizard.org.uk/weblog/
The only reason I'm posting it is because this website appears to have been down for some time. I am posting this in the hope that anyone else who needs the guide, and finds that the lizard website is still down, will stumble upon this post. I just thought this guide was too useful "to let the internet take it".
Here it is:
____________________________________________________________
A GEOM Encrypting filesystem
An itch. Could I create a file on my disk, mount it as a standard UFS filesystem, but have it encrypted? A bit of Googling, a peek at the odd man page, and the answer is yes. As ever, after the fact it proved to be relatively simple:
Initial mount
First I create a 1GB empty file, then configure and enable the md device:
truncate -s1G /export/encstore.dat
mdconfig -a -t vnode -f /export/encstore.dat
The mdconfig command allocates a unit number to the new device and prints the name of the allocated unit to stdout. In my case this is md0. So now I can initialize and attach this device:
gbde init /dev/md0 -L /etc/md0.lock -P f00b4r
gbde attach /dev/md0 -l /etc/md0.lock -p f00b4r
If I'd failed to specify a pass-phrase I would have been prompted for it. The encrypted device has the suffix .bde, so to create and mount a filesystem it's a simple case of:
newfs /dev/md0.bde
mkdir /encstore
mount /dev/md0.bde /encstore/
Umount and Detach
umount /dev/md0.bde
gbde detach /dev/md0
mdconfig -d -u 0
Attach and mount
mdconfig -a -t vnode -f /export/encstore.dat
gbde attach /dev/md0 -l /etc/md0.lock
mount /dev/md0.bde /encstore/
____________________________________________________________
Additional notes by me:
I've tested this on FreeBSD 6.0 RELEASE and it works exactly as it says on the tin. However, if you did a minimal installation of FreeBSD you may find that you are missing components of the system which are necessary to perform the encryption (i.e. GEOM). You will need to install some additional distribution sets to overcome this. I haven't pinned this down to a particular distribution set - sorry! Alternatively you could select something like the canned distribution set "Developer" during a new installation.
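An added example, not part of the original guide or of this post: the guide's "Attach and mount" and "Umount and Detach" steps wrapped in a script that uses the unit name mdconfig actually prints instead of assuming md0, and leaves out -p so gbde prompts for the pass-phrase rather than exposing it in the process list and shell history. The function names and the state-file path are assumptions; the other paths are the guide's.

```sh
#!/bin/sh
# Added example: wraps the guide's attach/mount and umount/detach steps.
# enc_attach / enc_detach are hypothetical names; STATE is an assumed path.
BACKING=${BACKING:-/export/encstore.dat}
LOCK=${LOCK:-/etc/md0.lock}
MNT=${MNT:-/encstore}
STATE=${STATE:-/var/run/encstore.md}   # remembers which md unit was allocated

enc_attach() {
    # mdconfig prints the unit it allocated; it is not always md0.
    md=$(mdconfig -a -t vnode -f "$BACKING") || return 1
    # No -p here: gbde prompts, keeping the pass-phrase off the command line.
    if ! gbde attach "/dev/$md" -l "$LOCK"; then
        mdconfig -d -u "${md#md}"      # attach failed: release the md device
        return 1
    fi
    if ! mount "/dev/$md.bde" "$MNT"; then
        gbde detach "/dev/$md"         # undo in reverse order
        mdconfig -d -u "${md#md}"
        return 1
    fi
    echo "$md" > "$STATE"
}

enc_detach() {
    md=$(cat "$STATE") || return 1
    umount "$MNT" || return 1          # stop if the filesystem is still busy
    gbde detach "/dev/$md" || return 1
    mdconfig -d -u "${md#md}" && rm -f "$STATE"
}

# Run as: script attach | script detach
case "${1:-}" in
    attach) enc_attach ;;
    detach) enc_detach ;;
esac
```

Stopping at a failed umount matters: detaching the gbde device underneath a mounted filesystem would leave the plaintext view in an inconsistent state.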