Work in progress.
Set global variables
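# Names used by every later step: the jail name, its directory on the host,
# and the id shared by the md(4) device and the jail.
# The assignments must be separate statements: on one line, $JNAME is
# expanded before JNAME has been assigned and JDIR ends up truncated.
JNAME="enjail"
JDIR="/usr/local/jails/encrypted/${JNAME}"
JID="2"
# Exported so child processes inherit them.
export JNAME JDIR JID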
Create jail root folders
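# Jail directory on the host plus the mount point used while installing.
# Two statements: written on one line, mkdir would also create a directory
# literally named "cd" and never change directory.
mkdir -p -- "${JDIR}/mnt"
# Abort if the directory cannot be entered.
cd -- "${JDIR}" || exit 1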
Create encrypted img disk (2G)
# Backing file for the jail: 1024 blocks of 2 MiB = 2 GiB, zero-filled.
dd if=/dev/zero of="${JDIR}/${JNAME}.img" bs=2m count=1024
Create vnode device
# Expose the image file as the vnode-backed memory disk /dev/md${JID}.
mdconfig -a -t vnode -f "${JDIR}/${JNAME}.img" -u "${JID}"
Generate the geli key file (geli init will also prompt for a passphrase) and initialise encryption on the md device
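# 64 bytes from /dev/random become the geli key file.  Create it under a
# restrictive umask (the subshell keeps the umask change local) so the key
# is never readable by other users on the host.  Separate statements: on one
# line, "geli init ..." becomes extra operands for dd and dd fails.
( umask 077 && dd if=/dev/random of="${JDIR}/${JNAME}.key" bs=64 count=1 ) || exit 1
# Initialise geli on the md device with that key file and a 4 KiB sector
# size; geli init also asks for a passphrase unless -P is given.
geli init -K "${JDIR}/${JNAME}.key" -s 4096 "/dev/md${JID}"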
Attach the encrypted image using the generated key file
# Attach the geli provider; the decrypted device is /dev/md${JID}.eli.
geli attach -k "${JDIR}/${JNAME}.key" "/dev/md${JID}"
Fill the encrypted device with random data, then create the new file system and mount it
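# Overwrite the whole encrypted provider with random data before creating
# the file system.  dd stops when it reaches the end of the device (typically
# with a non-zero status), which is expected here.  Separate statements: on
# one line, "newfs ..." and "mount ..." become extra operands for dd.
dd if=/dev/random of="/dev/md${JID}.eli" bs=1m
# New UFS file system, then mount it where bsdinstall will populate it.
newfs "/dev/md${JID}.eli" || exit 1
mount "/dev/md${JID}.eli" "${JDIR}/mnt" || exit 1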
Install FreeBSD jail
# Populate the mounted volume with a FreeBSD jail userland.
bsdinstall jail "${JDIR}/mnt"
Unmount and detach everything once the jail installation has finished
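# Tear down the setup-time stack in reverse order: file system, geli
# provider, memory disk.  The jail config re-creates all three at start.
# Separate statements: on one line, "geli detach ..." and "mdconfig ..."
# become extra operands for umount.
umount -f "${JDIR}/mnt"
geli detach "/dev/md${JID}.eli"
mdconfig -d -u "${JID}"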
Generate jail config file
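# Create the main jail config, e.g. with:  ee /usr/local/jails/encrypted/jail.conf
# Contents of /usr/local/jails/encrypted/jail.conf:

# --- encrypted jails general config start ---
$rootpath = "/usr/local/jails";
jid = $id;
path = "$rootpath/${id}";
host.hostname = "$hostname";

# Each jail gets its own network stack on the b-side of an epair.
vnet;
vnet.interface = "epair${id}b";

# Host-side setup before the jail exists: memory disk, geli attach, mounts,
# and the host end of the epair.
exec.prestart = "mdconfig -a -t vnode -f ${jimage} -u ${id}";
exec.prestart += "geli attach -k ${gkey} /dev/md${id}";
exec.prestart += "mkdir -p ${rootpath}/${id}";
exec.prestart += "mount /dev/md${id}.eli ${rootpath}/${id}";
# devfs is mounted by hand from the host, so apply the jail ruleset (4,
# devfsrules_jail, loaded from the default devfs.rules at boot) explicitly;
# without a ruleset the jail would see the host's full device tree.
exec.prestart += "mount -t devfs -o ruleset=4 devfs ${rootpath}/${id}/dev";
exec.prestart += "ifconfig epair${id} create";
exec.prestart += "ifconfig epair${id}a up";
exec.prestart += "ifconfig epair${id}a ${jipa}";

# Inside the jail: normal rc boot, then address and default route.
exec.start = "/bin/sh /etc/rc";
exec.start += "ifconfig epair${id}b ${jipb}";
exec.start += "route add default ${jgw}";
exec.stop = "/bin/sh /etc/rc.shutdown";

# Host-side teardown in reverse order of prestart.
exec.poststop = "ifconfig epair${id}a destroy";
exec.poststop += "umount -f ${rootpath}/${id}/dev";
exec.poststop += "umount -f ${rootpath}/${id}";
exec.poststop += "geli detach /dev/md${id}.eli";
exec.poststop += "mdconfig -d -u ${id}";
# Run the exec.* commands with a clean environment.
exec.clean;
# --- encrypted jails general config stop ---

# --- jails config ---
enjail {
  $id = 2;
  $jimage = "/usr/local/jails/encrypted/$name/$name.img";
  $gkey = "/usr/local/jails/encrypted/$name/$name.key";
  $hostname = "enjail.sof.dachev.lan";
  $jipb = "10.1.2.2/30";
  $jipa = "10.1.2.1/30";
  $jgw = "10.1.2.1";
  # Lets processes in the jail open raw sockets (ping, traceroute);
  # drop it if the jail does not need them.
  allow.raw_sockets;
}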
Start / Stop jail
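# Start the jail (-c creates it; exec.prestart attaches the encrypted image).
# On one line the leading "#" turned both commands into comment text.
jail -f /usr/local/jails/encrypted/jail.conf -c enjail
# Stop the jail (-r removes it; exec.poststop unmounts, detaches geli and
# frees the md device).
jail -f /usr/local/jails/encrypted/jail.conf -r enjail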