Encrypted FreeBSD jail with geli

Encrypted Jail Setup

In progress…


1. Set Global Variables

# Jail name, its directory under the encrypted-jails tree, and the number that
# doubles as the md(4) unit (-u in mdconfig) and as $id in jail.conf below.
JNAME="enjail"
JDIR="/usr/local/jails/encrypted/${JNAME}"
JID="2"
export JNAME JDIR JID

2. Create Jail Root Folders

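# Create the jail directory plus a staging mount point for the installer.
# Expansions are quoted, and a failed mkdir stops us from cd'ing somewhere
# unexpected before the dd/mdconfig steps that follow.
mkdir -p -- "$JDIR/mnt" && cd -- "$JDIR" || printf 'cannot set up %s\n' "$JDIR" >&2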

3. Create the Backing Image File (2 GB; it only becomes encrypted after step 5)

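# Allocate the 2 GiB backing file (1024 blocks of 2 MiB). Writing zeros
# rather than using truncate(1) gives a fully allocated, non-sparse image.
dd if=/dev/zero of="$JDIR/$JNAME.img" bs=2m count=1024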

4. Create Vnode Device

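# Expose the image file as /dev/md$JID. The unit is pinned to $JID so the
# same number can be reused as the jail id in jail.conf; it must be free.
mdconfig -a -t vnode -f "$JDIR/$JNAME.img" -u "$JID"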

5. Initialize GELI Encryption

  1. Generate a random 64-byte key file. Nothing prompts here; the passphrase is requested by `geli init` in the next step. Treat the file as a secret and keep it root-only (mode 0600): anyone holding it plus the passphrase can decrypt the jail.

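    # Create the GELI key file with a restrictive umask and pin its mode:
    # with the default umask the file would be world-readable.
    ( umask 077 && dd if=/dev/random of="$JDIR/$JNAME.key" bs=64 count=1 )
    chmod 0600 "$JDIR/$JNAME.key"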
    
  2. Initialize GELI on the vnode device. You will be prompted to choose a passphrase; because `-P` is not given, the passphrase is required in addition to the key file every time the image is attached:

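    # Write GELI metadata onto the md device. -K adds the key file as a key
    # component; without -P geli also asks for a passphrase, so both are
    # needed to attach. -s 4096 sets the decrypted provider's sector size
    # (see geli(8)). Consider "geli backup" of the metadata afterwards: if
    # the metadata sector is damaged the image is unrecoverable.
    geli init -K "$JDIR/$JNAME.key" -s 4096 "/dev/md$JID"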
    

6. Attach the Encrypted Image

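# Attach the provider as /dev/md$JID.eli. -k supplies the key file; since
# -p is not used, geli prompts for the passphrase chosen at init time.
geli attach -k "$JDIR/$JNAME.key" "/dev/md$JID"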

7. Create Filesystem & Mount

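# Optional: overwrite the whole decrypted provider so every sector of the
# image file holds ciphertext. Without this, sectors never written stay as
# the zeros from step 3, which reveals how much of the image is in use.
# Expect dd to finish with an end-of-device error once the provider is
# full; that is normal.
dd if=/dev/random of="/dev/md$JID.eli" bs=1m

# Create a new UFS filesystem on the decrypted provider
newfs "/dev/md$JID.eli"

# Mount it on the staging mount point used by the installer
mount "/dev/md$JID.eli" "$JDIR/mnt"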

8. Install FreeBSD Jail

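# Populate the mounted filesystem with a FreeBSD jail userland
bsdinstall jail "$JDIR/mnt"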

9. Cleanup After Installation

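# Tear down in reverse order: filesystem, GELI provider, md device.
# From here on the image is only ever mounted by jail.conf's exec.prestart.
umount -f "$JDIR/mnt"
geli detach "/dev/md$JID.eli"
mdconfig -d -u "$JID"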

10. Generate Jail Configuration (/usr/local/jails/encrypted/jail.conf)

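# --- Encrypted Jails General Config Start ---
$rootpath      = "/usr/local/jails";
jid            = $id;
path           = "$rootpath/${id}";
host.hostname  = "$hostname";
vnet;
vnet.interface = "epair${id}b";

# ${id} is used both as the md(4) unit and as the jail id, so it must be
# free in both namespaces on the host.
exec.prestart  = "mdconfig -a -t vnode -f ${jimage} -u ${id}";
# No -p here: geli prompts for the passphrase on every start, so the jail
# can only be started interactively (not from rc at boot). Adding -P at
# init and -p here would allow unattended starts, but then the key file
# becomes the only secret and must be guarded accordingly.
exec.prestart += "geli attach -k ${gkey} /dev/md${id}";
exec.prestart += "mkdir -p ${rootpath}/${id}";
exec.prestart += "mount /dev/md${id}.eli ${rootpath}/${id}";
# Mount devfs with a jail ruleset. A plain "mount -t devfs" gives the jail
# the host's complete /dev; ruleset 4 (devfsrules_jail) restricts it to the
# usual jail device set. Releases that ship devfsrules_jail_vnet (ruleset 5)
# may prefer that for a vnet jail.
exec.prestart += "mount -t devfs -o ruleset=4 devfs ${rootpath}/${id}/dev";
exec.prestart += "ifconfig epair${id} create";
exec.prestart += "ifconfig epair${id}a up";
exec.prestart += "ifconfig epair${id}a ${jipa}";

exec.start      = "/bin/sh /etc/rc";
exec.start    += "ifconfig epair${id}b ${jipb}";
exec.start    += "route add default ${jgw}";
exec.stop       = "/bin/sh /etc/rc.shutdown";

# Teardown mirrors prestart in reverse: network, devfs, root fs, geli, md.
exec.poststop   = "ifconfig epair${id}a destroy";
exec.poststop  += "umount -f ${rootpath}/${id}/dev";
exec.poststop  += "umount -f ${rootpath}/${id}";
exec.poststop  += "geli detach /dev/md${id}.eli";
exec.poststop  += "mdconfig -d -u ${id}";
exec.clean;
# --- Encrypted Jails General Config Stop ---

# --- Jails Config ---
enjail {
    $id       = 2;
    # $name expands to the jail name. Image and key file sit side by side,
    # so keep the key file mode 0600 (ideally on a separately protected
    # volume): whoever can read both needs only the passphrase.
    $jimage   = "/usr/local/jails/encrypted/$name/$name.img";
    $gkey     = "/usr/local/jails/encrypted/$name/$name.key";
    $hostname = "enjail.sof.dachev.lan";
    $jipb     = "10.1.2.2/30";
    $jipa     = "10.1.2.1/30";
    $jgw      = "10.1.2.1";

    # Lets root inside the jail open raw sockets (ping/traceroute) and
    # craft arbitrary packets on its vnet stack; drop it unless needed.
    allow.raw_sockets;
}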

11. Start / Stop the Jail

# Create (start) the jail from the encrypted-jails config; exec.prestart
# will ask for the GELI passphrase before the root filesystem is mounted.
jail -c -f /usr/local/jails/encrypted/jail.conf enjail

# Remove (stop) the jail; exec.poststop detaches geli and the md device.
jail -r -f /usr/local/jails/encrypted/jail.conf enjail