From owner-freebsd-questions@FreeBSD.ORG Sun Aug 31 21:21:25 2014
Date: Sun, 31 Aug 2014 23:21:14 +0200
From: Roland Smith
To: "Littlefield, Tyler"
Subject: Re: best solution for encrypting a mountpoint?
Message-ID: <20140831212114.GA24207@slackbox.erewhon.home>
In-Reply-To: <540341C8.2040003@tysdomain.com>
Cc: questions@freebsd.org

On Sun, Aug 31, 2014 at 11:39:52AM -0400, Littlefield, Tyler wrote:
> Hello all:
> I would like to encrypt my /home directory. Is there a good solution for
> handling this? There is already a partition, so I'd like to unmount it
> and somehow set it up so that it will be encrypted.

The procedure to do this is as follows, assuming you want to use geli
encryption and a UFS filesystem. Note that geli encryption is currently not
suited for SSDs since it lacks TRIM support. And you cannot encrypt in situ
with gbde or geli.

* Make a backup of your data on /home, and verify it!

* Unmount /home

* The following steps should be run as root. Preferably with no other users
  logged in (since /home is unmounted).

* Fill the /home partition with pseudo-random garbage. This makes
  cryptanalysis harder but mostly ensures that no retrievable data is left.
  *This will destroy all data on the partition.* *Make sure you have a good
  backup!* You should replace with the partition id of your /home.

    # dd if=/dev/random of=/dev/ bs=1M

* Initialize the partition to use gbde or geli. I'm using geli in this
  example:

    # geli init -l 256 /dev/
    # geli attach /dev/

  Choose a strong passphrase.

* Now create a new filesystem on the encrypted device:

    # newfs -U /dev/.eli
    # mount /dev/.eli /home

* Change /etc/fstab to point to the new '.eli' device for the home
  partition.

* Finally you have to restore your data to the new /home filesystem.
When the system encounters encrypted devices in /etc/fstab on startup, it
will prompt you for the passphrase.

Roland
-- 
R.F.Smith http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93 FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
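The steps in Roland's reply, gathered into a small POSIX sh helper as an added example (this is not code from the mail or from FreeBSD). It does not touch any disk: emit_plan prints the dd/geli/newfs/mount sequence for a named partition so it can be read back before it is run as root, is_mounted is the preflight for "unmount /home first", and rewrite_fstab performs the fstab edit from the second-to-last step, appending .eli only to the /dev entry for the given mountpoint and leaving an entry that already ends in .eli alone. The partition name ada0p4, the sample fstab and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of Roland's mail: helpers around the geli steps
# above that prepare and check the procedure without writing to any device.
# The device name ada0p4 and the sample fstab are constructed placeholders.

# Print the destructive part of the procedure for the partition given as $1.
# Nothing is executed here; the output is meant to be reviewed and then run
# as root only after the backup has been verified and /home is unmounted.
emit_plan() {
    dev=$1
    cat <<EOF
dd if=/dev/random of=/dev/$dev bs=1M
geli init -l 256 /dev/$dev
geli attach /dev/$dev
newfs -U /dev/$dev.eli
mount /dev/$dev.eli /home
EOF
}

# Return 0 if something is currently mounted on the mountpoint given as $1.
# Both FreeBSD and Linux print "<dev> on <mountpoint> ..." from mount(8).
is_mounted() {
    mount 2>/dev/null | grep -q " on $1 "
}

# Read an fstab from file $1 and print a copy in which the /dev/... entry for
# mountpoint $2 is replaced by its .eli counterpart. Comments, blank lines and
# all other entries pass through unchanged; an entry that already ends in
# .eli is left alone, so running the rewrite twice is harmless.
rewrite_fstab() {
    awk -v mnt="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        $2 == mnt && $1 ~ /^\/dev\// && $1 !~ /\.eli$/ { $1 = $1 ".eli" }
        { print }
    ' OFS='\t' "$1"
}

# Constructed sample fstab (root, swap and a separate /home), written to $1.
write_sample_fstab() {
    printf '# Device\tMountpoint\tFStype\tOptions\tDump\tPass#\n' > "$1"
    printf '/dev/ada0p2\t/\tufs\trw\t1\t1\n' >> "$1"
    printf '/dev/ada0p3\tnone\tswap\tsw\t0\t0\n' >> "$1"
    printf '/dev/ada0p4\t/home\tufs\trw\t2\t2\n' >> "$1"
}

# Demonstration: show the planned commands and the rewritten fstab.
if is_mounted /home; then
    echo "note: /home is still mounted; unmount it before running the plan" >&2
fi
f=$(mktemp)
write_sample_fstab "$f"
echo "# planned commands for ada0p4 (review, then run as root):"
emit_plan ada0p4
echo "# /etc/fstab after the rewrite:"
rewrite_fstab "$f" /home
rm -f "$f"
```

Only the /home line gains the .eli suffix; the root and swap entries and the comment header come through untouched, which is the property worth checking before the rewritten file is copied over /etc/fstab.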