FreeBSD: Encrypted ZFS Root with Geli

ZFS is supposed to support encryption, but it does not yet do so on FreeBSD. In a previous post I wrote about setting up ZFS on FreeBSD where the root file system uses UFS and the rest goes to logical ZFS volumes.

This time I use geli to encrypt a disk partition and use ZFS for the root file system. I encountered a few problems which I’d like to document here.

The FreeBSD Handbook section on encrypted disks shows how to set up encrypted disks with geom or geli. However, you cannot use the geli rc-scripts to ask for the passphrase and attach the partition, because the partition must already be attached when ZFS is started by the loader. ZFS needs to be started by the loader because it provides the root file system.

Fortunately, geli can auto-detect encrypted partitions when it is started by the loader. I think it is not possible to use a key file in this case; at least I could not see how.

I will now show how I set up a new FreeBSD installation with ZFS as the root file system. Following these instructions can and will destroy your data. It can also destroy the data you put on the newly installed system in the future. I can take no liability.

Firstly, start installing FreeBSD 7.x. Partition the hard disk to have two partitions. I used 3GB for the first partition, which consists of two slices: the first is 1GB for the initial root file system (512MB should be sufficient) and the second is 2GB for swap. The second partition will contain the encrypted ZFS pool. Continue to install a minimal system.

After the installation is finished, initialise the encrypted partition (assuming we want to encrypt ad0s2) and attach it:

# geli init -s 4096 -b /dev/ad0s2
# geli attach /dev/ad0s2

The -b flag marks the provider as needed at boot, so geli will ask for the passphrase at start-up, before the root file system is mounted.

Now the encrypted partition is ready for ZFS, but I encountered a problem (a bug?). During start-up the passphrase was not accepted. The problem is that not all characters I typed were recognized. We will take care of this later (we need a new kernel). For now we use a work-around. Add the following line to /boot/loader.conf:

kern.geom.eli.visible_passphrase="1"

ATTENTION: This will show your passphrase on the console when you type it during start-up. This way you get feedback on which characters were lost.

Create the ZFS pool on the encrypted partition:

# zpool create tank /dev/ad0s2.eli

Edit /etc/rc.conf to enable ZFS:

zfs_enable="YES"

Reboot the system to see if everything works as expected. You should be asked for your passphrase, and you will see it while typing it. After logging in as root you should be able to see that your encrypted partition (ad0s2.eli) is in the ZFS pool by using the following command:

# zpool status

Now you can follow the rest of the instructions for How to install FreeBSD 7.0 under ZFS.

After that is done you probably want to get rid of the passphrase work-around. If you did not have any problems typing in the passphrase, you can simply remove the setting that makes it visible from /boot/loader.conf. Now that we have the space for it, download the FreeBSD sources and create your own kernel configuration with the device dcons removed, which seems to cause the trouble (at least for me). I don't know why; I just found a discussion where someone mentioned that this might be the problem.
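As an added example (not part of the original post), here is a small post-install audit for the setup above: it parses rc-style files such as /boot/loader.conf and /etc/rc.conf, reports if the visible-passphrase work-around was left in place, confirms zfs_enable, and checks a saved copy of zpool status for the geli provider. The file names, the audit function and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Post-install audit for the geli + ZFS root setup described above. Added example,
# not from the original post. Assumes rc-style "name=value" files and a saved
# copy of `zpool status` output; all sample inputs below are constructed.

# Print the value assigned to $2 in rc-style file $1: comment lines and trailing
# comments are ignored, surrounding quotes stripped, the last assignment wins.
rc_value() {
    awk -v key="$2" -F= '
        /^[[:space:]]*#/ { next }
        { k = $1; sub(/^[[:space:]]+/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1); sub(/[[:space:]]*#.*$/, "", v); val = v }
        END { print val }' "$1" \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e "s/^['\"]//" -e "s/['\"]\$//"
}

# 0 if loader.conf ($1) still echoes the geli passphrase on the console (the work-around).
passphrase_visible() { [ "$(rc_value "$1" kern.geom.eli.visible_passphrase)" = "1" ]; }
# 0 if rc.conf ($1) enables ZFS.
zfs_enabled() { [ "$(rc_value "$1" zfs_enable)" = "YES" ]; }
# 0 if saved `zpool status` output ($1) lists the geli provider $2 as ONLINE.
pool_uses_eli() { grep -Eq "^[[:space:]]*$2[[:space:]]+ONLINE" "$1"; }

# Run all checks; print one line per finding and return the number of findings.
audit() {  # $1=loader.conf $2=rc.conf $3=zpool status file $4=provider, e.g. ad0s2.eli
    n=0
    if passphrase_visible "$1"; then echo "FINDING: passphrase is echoed at boot ($1)"; n=$((n+1)); fi
    if ! zfs_enabled "$2"; then echo "FINDING: zfs_enable is not YES ($2)"; n=$((n+1)); fi
    if ! pool_uses_eli "$3" "$4"; then echo "FINDING: pool does not use $4 ($3)"; n=$((n+1)); fi
    return $n
}

# Constructed sample files so the audit runs without a real FreeBSD box.
demo() {
    d=$(mktemp -d)
    cat >"$d/loader.conf" <<'EOF'
zfs_load="YES"
kern.geom.eli.visible_passphrase="1"   # work-around left in place
EOF
    printf 'zfs_enable="YES"\n' >"$d/rc.conf"
    cat >"$d/zpool.txt" <<'EOF'
        NAME          STATE     READ WRITE CKSUM
        tank          ONLINE       0     0     0
          ad0s2.eli   ONLINE       0     0     0
EOF
    if audit "$d/loader.conf" "$d/rc.conf" "$d/zpool.txt" ad0s2.eli; then rc=0; else rc=$?; fi
    rm -rf "$d"; return $rc
}
```

Running demo exits with status 1 because the sample loader.conf still carries the visible-passphrase setting; on a real system pass the live files and the output of zpool status saved to a file.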