Home arrow Guides arrow Encrypt Your FreeBSD Home Partition with GELI
Encrypt Your FreeBSD Home Partition with GELI PDF
Saturday, 14 June 2008

Sometimes you need to encrypt your home (and maybe swap) partition so it  will not be available until you input a password and/or use a key. For example if your company have valuable data/documents that must be protected from thieves. Other case could be for encryption of Laptops/Notebooks computers which often are lost or stolen.

The downside do this it a decrease of performance of your system.

This tutorial is about encrypting your home partition of a FreeBSD server or desktop, using GELI.

Warning! Before trying this tutorial, backup your data. We are not responsable for your lost data.

Note. If you really are into security you should also consider encrypting swap partition.

Step 1. Install FreeBSD, creating a dedicated home partition

Install FreeBSD standard (usual way) but also create a dedicated partition for /home.
So you will have for example:

/dev/ad0s1a          /        (root partition)
/dev/ad0s1b         swap  (swap partition
/dev/ad0s1d         /var    (var partition)
/dev/ad0s1e         /tmp    (tmp partition)
/dev/ad0s1f         /home  (home partition)
/dev/ad0s1g        /usr      (/usr partition)

Note that ad0s1f is our home partition that we will encrypt. If you already have your system installed without your home partition if you have enough free space on your hard drive you still will be able to create it, or if you you can use a second hard drive for your /home partition. In both cases if you use an already created home partition, backup your data from that partition because it will be lost.

Step 2. Compile FreeBSD kernel with GELI support

Go to your kernel configuration file directory and add lines to support GELI

cd /usr/src/sys/i386/conf/

and add the following lines:

options GEOM_ELI
device crypto

After that recompile the kernel and install the kernel.

cd /usr/src
make -j4 buildkernel KERNCONF=SERVER
make installkernel KERNCONF=SERVER

At this point kernel is compiled and installed with support for GELI. We will not reboot yet the machine, we have other configurations to do in next steps that require reboot, so we will do that later.

If you do not want to recompile the kernel it is possible to load GELI module at boot by adding the following line to your /boot/loader.conf (add the following line only if you do not want to recompile the FreeBSD Kernel):


Step 3. Create a key for your home partition

We will create a directory /etc/geli where we will store our key. Then we will create a random key that will be used for encryption using /dev/random.

mkdir /etc/geli
dd if=/dev/random of=/etc/geli/server.key bs=64 count=1

Step 4. Encrypt partition and create filesystem for it

Now we will backup /home partition and then we will unmount /home partition

umount /dev/ad0s1f

If you get a busy error message, use:

umount -f /dev/ad0s1f

Next we will init the partition for GELI encryption and we will attach the partition using server.key file from /etc/geli directory.

You will be prompted to setup a for a password, fill in your password there:

geli init -l 256 -s 4096 -K /etc/geli/server.key /dev/ad0s1f
(note that -l 256 will setup a 256 key encryption length)

If you want to also specify the encryption algorythm you will use:
geli init -l 128 -e AES-CBC -s 4096 -K /etc/geli/server.key /dev/ad0s1f

After doing geli init command if you get the following error message:
geli: Cannot store metadata on /dev/mirror/gm0s1g: No such file or directory.
then you must shrink your slice (or your last partition, if the partition you want to encrypt is last on hard drive.

geli attach -k /etc/geli/server.key /dev/ad0s1f
(you will use the password you've setup when you've init the partition using geli init)

After this process you now have an encrypted partition.

Only you want to wipe all informations before creating file system for encrypted partition with newfs, you can use the following command:

dd if=/dev/random of=/dev/ad0s1f.eli bs=1m
(Note that it will take long time to wipe all data. If you do not need to wipe previous data, this can be skipped).

We will now create a FreeBSD file system for our newly encrypted partition:

newfs /dev/ad0s1f.eli
(Note that after attaching encrypted partition you can see if the process went ok by looking for a .eli extension for the partition you've wanted to attach using: ls -la /dev/ad0s1f* ).

Now we can mount our newly created partition:

mount /dev/ad0s1f.eli /home

After successfully creating and mounting an encrypted /home partition we can restore /home data, by copying from backup all files/directories to the new /home.

Step 5. Setup /boot/loader.conf parameters for boot time encryption setup
Edit /boot/loader.conf file:

edit /boot/loader.conf

and add the following lines:


And save file loader.conf.

Step 6. Setup /etc/rc.conf GELI parameters

Edit /etc/rc.conf file and add the following lines (edit /etc/rc.conf) :

geli_ad0s1g_flags="-k /etc/geli/server.key"

Step 7. Add a /etc/fstab entry for your encrypted partition
Edit /etc/fstab file (edit /etc/fstab) and add the following line:

/dev/ad6s1f.eli         /home           ufs     rw              2       2

Also if you have a line that mount /home, remove that line.

Step 8. Reboot your machine and test the setup

After reboot during boot process, after FreeBSD kernel boots up you will be prompted for a password. Fill in password you've setup when you've init the /home partition and if you've setup everything right it will finish boot process by mounting all partitions included encrypted /home partition.

More info:
For more info read Encrypting Disk Partition section from FreeBSD's Handbook, available online here:


Also you can read man page for geli(8):

man 8 geli

If you have a VIA CPU that supports hardware encryption you must add the following line to /boot/loader.conf, in order to benefit from that:


To find out if the VIA CPU supports hardware encryption look:

  dmesg | grep "VIA Padlock"

You will get: 'VIA Padlock Features=0xffcc<RNG,AES,AES-CTR,SHA1,SHA256,RSA>'

Then after loading padlock.ko module you will see supported encryptions:

  dmesg | grep padlock
  padlock0: <AES-CBC,SHA1,SHA256> on motherboard

Then you must encrypt your file system with geli using a supported mode by the hardweare, for example AES-CBC, using:
  geli init -l 128 -e AES-CBC -s 4096 -K /etc/geli/server.key /dev/ad0s1f

Important: If you have a Western Digital Green hard drive 4K sector size is not supported so don't use parameter -s 4096 when initializing GELI partition. On FreeBSD 9.x you will not be able then to attach the geli device to that partition/drive giving you an error:

Nov 14 16:26:42 kernel: GEOM: ada2: the secondary GPT table is corrupt or invalid.
Nov 14 16:26:42 kernel: GEOM: ada2: using the primary only -- recovery suggested.

Last Updated ( Monday, 14 November 2011 )
< Prev

Other BSD Systems





Best BSD firewall?