Autoattach / automount encrypted home partition in FreeBSD using GBDE

I’ve just set up one of my laptops, running FreeBSD, so that /home is encrypted using GBDE, and is auto-attached/mounted/fsck’d at boot time. The instructions in the FreeBSD handbook aren’t completely clear, so here are some notes on how I did it.

Actually, most of those instructions are very clear, provided you don’t care about attaching at boot time. Indeed, I’ve had an encrypted partition which I attach/detach by hand, for about a year now, for which those instructions were perfectly adequate. Unfortunately, the section on “Automatically Mounting Encrypted Partitions” leaves out two important details which conflict with the rest of the chapter: your lock file’s name needs to end in the text “.lock”, and you need to be careful where you put it. This was confusing, and in some ways what you have to do to get automounting working contradicts the other examples in the chapter.

Anyway, long story short, I had to dig into /etc/rc.d/gbde to work out what had to be done, and here it is… A summary of how to set up an auto-attaching encrypting home partition on FreeBSD using GBDE:

(I did this as pretty much the first thing after a fresh install, before I’d even created any users. Needless to say, then, all of this happens as root.)

Here’s how /etc/fstab looked before I started:

# cat /etc/fstab
# Device        Mountpoint         FStype    Options   Dump Pass#
/dev/ad0s1b     none               swap      sw        0    0
/dev/ad0s1a     /                  ufs       rw        1    1
/dev/ad0s1e     /tmp               ufs       rw        2    2
/dev/ad0s1f     /usr               ufs       rw        2    2
/dev/ad0s1g     /usr/home          ufs       rw        2    2
/dev/ad0s1d     /var               ufs       rw        2    2
/dev/acd0       /cdrom             cd9660    ro,noauto 0    0

Unmount /home because I’m about to blat it completely:

# umount /usr/home

Create a directory to contain the lock files:

# mkdir /etc/gbde

Initialise the partition for GBDE. I used a sector size of 2048 (which matches the UFS fragment size). Note that the lock file’s name ends in .lock; this is not how the main body of the GBDE instructions in the handbook does it, but it’s necessary to get /etc/rc.d/gbde to attach it properly on boot up:

# gbde init /dev/ad0s1g -i -L /etc/gbde/ad0s1g.lock
Enter new passphrase:
Reenter new passphrase: 

Attach the encrypted partition to the kernel for the first time (entering the passphrase previously specified), and write the filesystem:

# gbde attach /dev/ad0s1g -l /etc/gbde/ad0s1g.lock
Enter passphrase: 
# newfs -U /dev/ad0s1g.bde 
/dev/ad0s1g.bde: 6632.5MB (13583360 sectors) block size 16384,
                 fragment size 2048 using 37 cylinder groups of
                 183.77MB, 11761 blks, 23552 inodes.  with soft
                 updates
super-block backups (for fsck -b #) at:
 160, 376512, 752864, 1129216, 1505568, 1881920, 2258272, 2634624,

*SNIP*

Test the mount:

# mount /dev/ad0s1g.bde /usr/home

Assuming that looks good (e.g. in df), unmount it and detach it:

# umount /usr/home
# gbde detach /dev/ad0s1g

Now we’re ready to set it up for auto-attaching. We need to alter /etc/rc.conf and /etc/fstab.

# tail -n 3 /etc/rc.conf
gbde_autoattach_all="YES"
gbde_lockdir="/etc/gbde"
gbde_devices="ad0s1g"

We need the gbde_lockdir line because otherwise it looks for the lock files just in /etc, I think.

# grep home /etc/fstab
/dev/ad0s1g.bde /usr/home          ufs       rw        2    2
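Because a lock file in the wrong place or with the wrong name only shows up as a failed attach at boot (and then a messy drop to single-user mode), a pre-reboot check is worth having. The script below is an added example, not part of the original post or of FreeBSD’s rc.d: it derives the lock-file path /etc/rc.d/gbde is expected to look for from gbde_lockdir and gbde_devices and checks that fstab mounts the matching .bde provider. The naming rule it assumes (drop /dev/, turn each / into _, append .lock, place in gbde_lockdir, defaulting to /etc) is inferred from this post and from comment 3 below; confirm it against your own /etc/rc.d/gbde.

```shell
#!/bin/sh
# Added example, not from the original post or from /etc/rc.d/gbde.
# Checks that rc.conf, the GBDE lock-file name and fstab agree before
# rebooting. Naming rule (assumed, inferred from the post and comment 3):
# <gbde_lockdir>/<device with /dev/ dropped and '/' -> '_'>.lock

# Expected lock-file path for one entry of gbde_devices.
gbde_expected_lockfile() {
    dev=${2#/dev/}                        # gbde_devices entries omit /dev/
    echo "$1/$(printf '%s' "$dev" | sed 's|/|_|g').lock"
}

# Check one device: lock file readable, fstab mounts the .bde provider.
# Prints a status line per check; returns 0 only if both pass.
gbde_check_device() {
    lockdir=$1; dev=$2; fstab=$3; status=0
    lock=$(gbde_expected_lockfile "$lockdir" "$dev")
    if [ -r "$lock" ]; then echo "ok:   $lock"
    else echo "FAIL: missing lock file $lock"; status=1; fi
    if grep -q "^/dev/${dev}\.bde[[:space:]]" "$fstab"; then
        echo "ok:   fstab mounts /dev/${dev}.bde"
    else echo "FAIL: no fstab entry for /dev/${dev}.bde"; status=1; fi
    return $status
}

# Run the checks for every device named in an rc.conf file.
# /etc as the lock-dir default is assumed (the post's own guess).
gbde_preflight() {
    lockdir=$(sed -n 's/^gbde_lockdir="\(.*\)"/\1/p' "$1")
    devices=$(sed -n 's/^gbde_devices="\(.*\)"/\1/p' "$1")
    rc=0
    for dev in $devices; do
        gbde_check_device "${lockdir:-/etc}" "$dev" "$2" || rc=1
    done
    return $rc
}

# Constructed sample input mirroring the post's setup (not a real system).
tmp=$(mktemp -d); mkdir "$tmp/gbde"; : > "$tmp/gbde/ad0s1g.lock"
printf 'gbde_autoattach_all="YES"\ngbde_lockdir="%s/gbde"\ngbde_devices="ad0s1g"\n' \
    "$tmp" > "$tmp/rc.conf"
printf '/dev/ad0s1g.bde\t/usr/home\tufs\trw\t2\t2\n' > "$tmp/fstab"
gbde_preflight "$tmp/rc.conf" "$tmp/fstab"
```

On a real system, call gbde_preflight /etc/rc.conf /etc/fstab instead of the constructed files.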

Now when I boot, it asks for the passphrase, attaches the encrypted partition, and mounts it – automatically – then it gets fsck’d with everything else. It doesn’t automatically detach upon halting the system, but I guess that’s no problem. :-)

The only thing I don’t totally like is that if I get the passphrase wrong (3 times), it doesn’t attach or mount the encrypted partition (obviously), but then of course it fails filesystem checks completely and the boot process dumps down to single user mode, messily. Not completely unreasonable, I guess, but still a bit annoying.

Anyway, anyone now stealing my (crappy) laptop will have a much harder time of getting at the data on it (the interesting data, anyway). Whee!

3 Responses to “Autoattach / automount encrypted home partition in FreeBSD using GBDE”

  1. jack
    October 8th, 2007 | 10:35 pm

    how would you go about encrypting swap in this manner?

  2. October 9th, 2007 | 10:27 am

    Jack: I don’t know, and I’ve stopped using FreeBSD since I wrote the above… Sorry!

  3. James Colannino
    February 4th, 2010 | 7:34 pm

    Hi there. I’m writing this 3 years after you posted this, so it may not matter, but I thought I should add instructions for what to do in the case of software RAID. I followed your guide, with the following command to initialize my software RAID partition for GBDE:

    gbde init /dev/mirror/gm0s1a -i -L /etc/gbde/gm0s1a.lock

    I rebooted after following your other instructions, and it did ask me for my password. Unfortunately, it failed to auto-attach. Puzzled, I opened up the init script, did some tweaking to see what values it was expecting, and attempted to run it again. Turns out, it was looking for a lock file of /etc/gbde/mirror_gm0s1a.lock.

    So, I reran the command above with /etc/gbde/mirror_gm0s1a.lock, and voila, it works! Just wanted to post this in case it helps anyone out.