From owner-freebsd-questions@FreeBSD.ORG  Fri Jan  9 23:38:08 2015
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 01DDC411
 for <freebsd-questions@freebsd.org>; Fri,  9 Jan 2015 23:38:08 +0000 (UTC)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com
 [IPv6:2a00:1450:400c:c00::232])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 88AD6EC0
 for <freebsd-questions@freebsd.org>; Fri,  9 Jan 2015 23:38:07 +0000 (UTC)
Received: by mail-wg0-f50.google.com with SMTP id a1so10654348wgh.9
 for <freebsd-questions@freebsd.org>; Fri, 09 Jan 2015 15:38:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=2FhiCAvYZNCuMEmv2lIcYtX4S8QNfB+FOuPbCPbgLIA=;
 b=MGuO8snEnzFGKSEXTgvWGISfqUzFoREUaZxbR4PL9mfkJ6d8nayifqueryuvTawuog
 /aev4Wz/30b4q4DVue6kk4P9Dc3Y4WZBUm6soS8D8IKXtq6A/ihmEFLWWQmEXO7dwbpn
 djkAp5b7U4wL2mPdLOdstsOeLl8kQytlTSGuQlkcktnMN3JNJYuTaUYxZEbSoFEOk9qi
 LGLHd8Sf6BqbFAYdkWi51K/eylsmwGNKR8QyOydhrIXzaHVDK8D+iKEfwAOO8zXVl3ol
 rgoOhri4flNNSCEpPm4y+5m7KbwxAFL0d9vZRmXbYmq1SvDkpWlRNfHbbw4IyznmF2Sn
 S1+g==
MIME-Version: 1.0
X-Received: by 10.180.76.239 with SMTP id n15mr9563264wiw.66.1420846685591;
 Fri, 09 Jan 2015 15:38:05 -0800 (PST)
Received: by 10.194.241.132 with HTTP; Fri, 9 Jan 2015 15:38:05 -0800 (PST)
In-Reply-To: <54AFE53C.5050508@e-safeguard.pl>
References: <54AFE53C.5050508@e-safeguard.pl>
Date: Sat, 10 Jan 2015 07:38:05 +0800
Message-ID: <CAOc73CAoX6zJ1VgVeEfsw7HNBE1fvhKL-aDN3OUBCdgU1t0b5Q@mail.gmail.com>
Subject: Re: custom full disk encryption with ZFS
From: Ben Woods <woodsb02@gmail.com>
To: Patryk Hanckowiak <patryk.hanckowiak@e-safeguard.pl>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jan 2015 23:38:08 -0000

> Is there a resource that shows how to create a custom full disk encryption
> with ZFS, something similar to LVM on LUKS in Linux?
>

I use geli(8), which is documented here (scroll down past the
alternative gdbe option unless that interests you):
https://www.freebsd.org/doc/handbook/disks-encrypting.html

As per the previous response, you will need to keep /boot unencrypted to
allow freebsd to boot, but the rest of the disk can be encrypted with geli,
and zfs running on top of geli.

I actually use it slightly differently. Since I don't care about encrypting
my operating system files, i keep my data storage on a separate partition
or disk, which is encrypted with geli with zfs on top.


-- 

--
From: Benjamin Woods
woodsb02@gmail.com