BSD Encryption: Benefits & Setup

TL;DR

BSD operating systems (like FreeBSD and OpenBSD) offer strong encryption features built-in. This guide explains the advantages of BSD’s approach – focusing on simplicity, auditability, and performance – and provides basic setup instructions for disk and file encryption.

Why Choose BSD Encryption?

  1. Simplicity: BSD’s encryption tools are often more straightforward than those found in other operating systems. This reduces the chance of misconfiguration and makes auditing easier.
  2. Auditability: The source code is freely available, allowing for thorough review and verification of security implementations.
  3. Performance: BSD’s kernel-level encryption can be very efficient, minimising performance overhead.
  4. Strong Defaults: BSD systems generally favour secure defaults, making it easier to get a strong level of protection out of the box.

Disk Encryption with bioctl (FreeBSD)

FreeBSD uses bioctl for disk encryption. This is typically used during installation but can be applied to existing disks.

  1. Identify the Disk: Use
    gpart show
    to list available disks and partitions. Be *very* careful to identify the correct disk; encrypting the wrong one will result in data loss!

  2. Create a GPT Partition Table (if needed): If the disk doesn’t have a GPT partition table, create one with
    gpart create -s gpt ada0
    (replace ada0 with your disk identifier).

  3. Create an Encrypted Partition: Create an encrypted partition using
    gpart add -t freebsd-ufs -a 4k -c cksm -l mydisk ada0
    This creates a UFS partition that will be automatically encrypted. Replace ‘mydisk’ with your desired label.

  4. Mount the Encrypted Partition: Mount the partition as normal using
    mount /dev/ada0p1 /mnt
    The system handles decryption transparently.

  5. Configure fstab: Add an entry to /etc/fstab to automatically mount the encrypted partition on boot. For example:
    /dev/ada0p1   /mnt   ufs     rw      0       0
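Step 1 warns that running these commands against the wrong disk destroys data. The script below is an added example (not part of the original post) of a guard to run before the destructive gpart steps: it refuses to proceed when the target disk already has anything mounted. MOUNT_OUTPUT is constructed sample mount(8) output so the check can be exercised without a real disk.

```shell
# Constructed sample of mount(8) output; on a real system use "$(mount)".
MOUNT_OUTPUT='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs)
/dev/ada0p3 on /var (ufs, local, journaled soft-updates)
/dev/ada1p1 on /mnt/data (ufs, local)'

# Print every mounted device node that belongs to disk $1 (e.g. ada0),
# reading mount(8) output from $2. Matches the whole disk and any
# GPT (p) or MBR (s) partition of it.
mounted_parts_of() {
    printf '%s\n' "$2" | awk -v d="/dev/$1" \
        '$1 == d || $1 ~ ("^" d "(p|s)[0-9]+") { print $1 }'
}

# Exit status 0 when disk $1 has anything mounted, 1 otherwise.
disk_in_use() {
    [ -n "$(mounted_parts_of "$1" "$2")" ]
}

# Dry-run guard: print the command that would be run for disk $1, or
# refuse with exit status 1 and list the offending mounts on stderr.
guard_gpart_create() {
    if disk_in_use "$1" "$2"; then
        echo "refusing: /dev/$1 has mounted partitions:" >&2
        mounted_parts_of "$1" "$2" >&2
        return 1
    fi
    echo "would run: gpart create -s gpt $1"
}

# Example call (hypothetical spare disk ada2):
guard_gpart_create ada2 "$MOUNT_OUTPUT"
```

Only when the guard prints the "would run" line should the real gpart command be issued; swap the sample text for "$(mount)" to check a live system.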

File Encryption with gfe (Generic File Encryption)

gfe provides transparent file encryption on FreeBSD. It uses the same underlying cryptographic primitives as disk encryption.

  1. Install gfe: Install from ports or packages:
    pkg install gfe
  2. Create an Encryption Key: Generate a key using
    gfe -k /path/to/keyfile
    Securely store this key!

  3. Mount the Directory: Mount the directory you want to encrypt:
    gfe -m /path/to/directory -k /path/to/keyfile
  4. Access Encrypted Files: Any files created within the mounted directory will be automatically encrypted. When unmounted, the files are inaccessible without the key.
  5. Unmount the Directory: Unmount with
    umount /path/to/directory

OpenBSD Encryption

OpenBSD uses softraid(4) for disk encryption, offering similar functionality to FreeBSD’s bioctl. File encryption is also available through gfe.

  1. Configure /etc/fstab: OpenBSD’s encryption configuration primarily happens in /etc/fstab. Add a line similar to:
    disk0 /crypto rw softraid(aes,keyfile=/path/to/keyfile)
  2. Activate Encryption: Run
    softraid -l disk0
    to activate the encrypted volume.

  3. Mount the Volume: Mount the resulting filesystem as normal.
    mount /mnt /crypto/disk0

Important Considerations

  • Key Management: Securely store your encryption keys! Losing them means losing access to your data. Consider using a passphrase-protected keyfile or hardware security module (HSM).
  • Backups: Always have backups of your encrypted data, even with strong encryption.
  • Performance Testing: Test the performance impact of encryption before deploying it in production.
  • Regular Audits: Regularly review your encryption configuration and security practices.