Geli Hard Disk Encryption

On the following page, I explain how to implement hard disk encryption with Geli.

Replacing a Hard Disk

Here, we explain how to move an installation from an old disk to a new one using UFS.

# gpart destroy ada2

# gpart create -s gpt ada2

# gpart add -t freebsd-boot -l otrsboot -b 40 -s 512k -a 4k ada2

# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada2

# gpart add -t freebsd-ufs -l otrsrootfs -b 1M -s 10G -a 4k ada2

# gpart add -t freebsd-swap -l otrsswap -s 16G -a 4k ada2

# gpart add -t freebsd-ufs -l otrsvarfs -s 2G -a 4k ada2

# gpart add -t freebsd-ufs -l otrstmpfs -s 500M -a 4k ada2

# gpart add -t freebsd-ufs -l otrsjotrs -s 100G -a 4k ada2

# gpart add -t freebsd-ufs -l otrsjworkstation -s 100G -a 4k ada2

# gpart add -t freebsd-ufs -l otrsjails -s 100G -a 4k ada2

# gpart add -t freebsd-ufs -l otrsusrfs -a 4k ada2

# gpart show -l da0

# newfs -U /dev/gpt/otrsrootfs

# newfs -U /dev/gpt/otrsvarfs

# newfs -U /dev/gpt/otrstmpfs

# newfs -U /dev/gpt/otrsjotrs

# newfs -U /dev/gpt/otrsjworkstation

# newfs -U /dev/gpt/otrsjails

# newfs -U /dev/gpt/otrsusrfs
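The partition table above is typed in by hand, and a wrong disk name in any one line destroys a live file system. As an added example (not from the original page), the script below builds the same gpart and newfs sequence from a small layout table and prints it for review instead of executing it, and refuses a target disk that is currently mounted. The function names plan_gpart_commands and disk_in_use are chosen here, and the layout table is assumed to match the commands listed above.

```shell
#!/bin/sh
# Added example, not from the original page: generate the gpart/newfs command
# sequence for the layout above from a table and print it for review instead
# of running it. The mounted-disk check takes `mount` output as an argument so
# it can be tested on constructed lines.

# One partition per line: TYPE LABEL SIZE [EXTRA gpart args]. A SIZE of "-"
# means "take the remaining space" (the last UFS partition on the page).
LAYOUT='freebsd-boot otrsboot 512k -b 40
freebsd-ufs otrsrootfs 10G -b 1M
freebsd-swap otrsswap 16G
freebsd-ufs otrsvarfs 2G
freebsd-ufs otrstmpfs 500M
freebsd-ufs otrsjotrs 100G
freebsd-ufs otrsjworkstation 100G
freebsd-ufs otrsjails 100G
freebsd-ufs otrsusrfs -'

# disk_in_use DISK MOUNT_OUTPUT: succeed if a partition of DISK (e.g. ada2p2)
# appears as a mounted device in MOUNT_OUTPUT. Pass "$(mount)" on a live system.
disk_in_use() {
    printf '%s\n' "$2" | grep -q "^/dev/$1p[0-9][0-9]* on "
}

# plan_gpart_commands DISK: print the full command sequence for DISK.
plan_gpart_commands() {
    disk=$1
    echo "gpart destroy $disk"
    echo "gpart create -s gpt $disk"
    printf '%s\n' "$LAYOUT" | while read -r type label size extra; do
        cmd="gpart add -t $type -l $label"
        if [ -n "$extra" ]; then cmd="$cmd $extra"; fi
        if [ "$size" != "-" ]; then cmd="$cmd -s $size"; fi
        echo "$cmd -a 4k $disk"
        # the boot code is written as soon as the boot partition (index 1) exists
        if [ "$type" = "freebsd-boot" ]; then
            echo "gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 $disk"
        fi
    done
    echo "gpart show -l $disk"
    # a soft-updates UFS file system on every freebsd-ufs partition, addressed by label
    printf '%s\n' "$LAYOUT" | while read -r type label size extra; do
        if [ "$type" = "freebsd-ufs" ]; then echo "newfs -U /dev/gpt/$label"; fi
    done
}

# Typical use: check the target is not the running disk, review the plan,
# and only then pipe it into sh.
#   disk_in_use ada2 "$(mount)" && { echo "ada2 is mounted, refusing"; exit 1; }
#   plan_gpart_commands ada2
```

The plan is plain text, so it can be diffed against the commands above before anything is written to the disk.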

Mount all partitions at the right places and copy the contents of the old disk to the new one (run this from the mount point of the new root file system, since the second tar extracts into the current directory):

# tar czpf - / | tar xzf -

Security event auditing can be pretty useful. Turn it on with the following command:

# echo auditd_enable=\"YES\" >> /etc/rc.conf

See the FreeBSD Handbook chapter on security event auditing for further information.

Some Hardening Topics

Some things to remember; unfortunately this list is far from complete.


Kernel secure level (kern_securelevel): lowest is -1, highest is 3.

Set to highest:

# echo kern_securelevel_enable=\"YES\" >> /etc/rc.conf

# echo kern_securelevel=3 >> /etc/rc.conf

Open Ports

Check for open ports using:

# sockstat -4

# sockstat -6


In /usr/X11R6/bin/startx, set the server arguments so that the X server does not listen on TCP:

serverargs="-nolisten tcp"

Check with sockstat whether port 6000 (the X server's TCP port) is no longer open.
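Reading sockstat output by eye works for a handful of lines, but a small filter makes the check repeatable. The following is an added example (not from the original page): it reduces sockstat output to the sockets that are bound and waiting for connections, and answers whether a given port is still among them. The sample output is constructed to look like sockstat -4 output on FreeBSD; the function names listening_sockets and port_is_open are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: extract listening sockets from
# sockstat output and test whether a port is still open. On a live system use
#   sockstat -4 -6 | listening_sockets
#   sockstat -4 -6 | port_is_open 6000 && echo "X server still listens on TCP"

# Constructed sample in sockstat's column layout (not real captured output).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     Xorg       1042  3  tcp4   *:6000                *:*
root     syslogd    611   6  udp4   *:514                 *:*
www      nginx      1300  8  tcp4   192.0.2.10:443        *:*
root     sshd       2210  5  tcp4   192.0.2.10:22         198.51.100.7:50123'

# listening_sockets: read sockstat output on stdin and print "PROTO PORT COMMAND"
# for every socket with no peer (foreign address *:*), i.e. one that accepts
# connections or datagrams from anyone. The header line is skipped.
listening_sockets() {
    awk 'NR > 1 && $7 == "*:*" {
        n = split($6, a, ":")      # local address is ADDR:PORT; the port is the last field,
        print $5, a[n], $2         # which also works for IPv6 addresses containing colons
    }'
}

# port_is_open PORT: succeed if some listening socket on stdin uses PORT.
port_is_open() {
    listening_sockets | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}
```

Established connections (the last sample line) are left out on purpose: the question after removing -nolisten tcp's counterpart is whether anything still accepts new connections on 6000, not who is connected.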


If you don't need to receive log messages from remote machines, add the following to /etc/rc.conf (the -ss flag keeps syslogd from opening a network socket at all):

# echo syslogd_enable=\"YES\" >> /etc/rc.conf

# echo syslogd_flags=\"-ss\" >> /etc/rc.conf

Clear /tmp

To clear the /tmp directory at startup do

# echo clear_tmp_enable=\"YES\" >> /etc/rc.conf
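Every setting above is appended to /etc/rc.conf with echo. That works, but appending the same variable twice leaves duplicate lines, and nothing confirms afterwards that the file actually contains what was intended. As an added example (not from the original page), the functions below set a variable exactly once, replacing any earlier assignment the way sysrc(8) does on a real system, and check the file for all the hardening settings from this page (auditd, secure level, syslogd flags, /tmp clearing). The function names set_rc_var, get_rc_var and check_hardening are chosen here; the file path is a parameter so a scratch copy can be tried first.

```shell
#!/bin/sh
# Added example, not from the original page: idempotent rc.conf edits and a
# check of the hardening settings from this page. Works on any file path.

# set_rc_var FILE NAME VALUE: write NAME="VALUE" into FILE exactly once,
# dropping any earlier assignment of NAME instead of appending a duplicate.
set_rc_var() {
    file=$1 name=$2 value=$3
    tmp="$file.tmp.$$"
    { grep -v "^${name}=" "$file" 2>/dev/null || true
      printf '%s="%s"\n' "$name" "$value"; } > "$tmp" && mv "$tmp" "$file"
}

# get_rc_var FILE NAME: print the value of the last NAME= line, quotes removed.
get_rc_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# check_hardening FILE: print "ok" or "MISSING" per expected setting and
# return non-zero if anything is missing or has a different value.
check_hardening() {
    file=$1 rc=0
    for want in auditd_enable=YES kern_securelevel_enable=YES kern_securelevel=3 \
                syslogd_enable=YES syslogd_flags=-ss clear_tmp_enable=YES; do
        name=${want%%=*} value=${want#*=}
        have=$(get_rc_var "$file" "$name")
        if [ "$have" = "$value" ]; then
            echo "ok      $want"
        else
            echo "MISSING $want (found: '$have')"
            rc=1
        fi
    done
    return $rc
}

# Typical use on the real file, after a backup:
#   for kv in auditd_enable=YES kern_securelevel_enable=YES kern_securelevel=3 \
#             syslogd_enable=YES syslogd_flags=-ss clear_tmp_enable=YES; do
#       set_rc_var /etc/rc.conf "${kv%%=*}" "${kv#*=}"
#   done
#   check_hardening /etc/rc.conf
```

Because the check reads the file rather than the running system, it is also a convenient thing to run against rc.conf copies collected from several hosts.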

Prevent Remote Login

To prevent all remote logins and allow only physical (console) logins, change /etc/login.access to allow