# Security

## Full-Disk Encryption

omfreebdy supports GELI full-disk encryption at install time. GELI encrypts the ZFS pool at the block-device level, before the OS boots.

See the FreeBSD Handbook — GELI for setup details.

GELI encryption is configured during installation. It cannot be added to an existing unencrypted pool without reinstalling.
## Firewall

omfreebdy uses pf as the packet filter.

```sh
# Check firewall status
service pf status

# Reload rules after editing
service pf reload
```

Rules are in /etc/pf.conf. A minimal default configuration:

```
# Block all inbound, allow all outbound. "keep state" on the outbound rule
# records every connection this host opens, and replies to those connections
# are matched against the state table before the ruleset is evaluated, so no
# separate inbound rule is needed for "established" traffic.
block in all
pass out all keep state

# Note: a rule of the form
#   pass in proto tcp from any to any flags S/SA keep state
# is sometimes added "to allow established connections", but it does the
# opposite: flags S/SA matches the initial SYN, so it accepts new inbound TCP
# connections on every port and cancels "block in all". Open individual
# services with an explicit port instead.
```

Enable at boot:

```sh
sysrc pf_enable=YES
service pf start
```

## Package Verification
Audit installed packages for known vulnerabilities:

```sh
# Fetch the current vulnerability database, then check installed packages against it
pkg audit -F

# Verify the on-disk checksums of every installed package's files
pkg check --checksums -a
```

Run pkg audit regularly or after installing new software.
## Sandboxing Untrusted Apps

Use sandbox to run untrusted applications in a disposable ZFS-backed FreeBSD jail:

```sh
sandbox firefox
sandbox evince ~/Downloads/untrusted.pdf
```

The jail is destroyed when the process exits; nothing persists to the host filesystem. See the Sandbox page for details.
## Boot Environments as Rollback

ZFS boot environments let you roll back a compromised or broken system state without reinstalling:

```sh
# Create a snapshot before installing untrusted software
boot-env create

# Roll back to the last known-good state
boot-env rollback
```

Press ⌘ + Ctrl + S to snapshot the current boot environment.
## Password Management

Bitwarden is included for password management. It runs as a web app in Brave with Wayland clipboard support, plus a CLI for scripting:

```sh
# Unlock the vault; bw prints a session key that later commands expect in BW_SESSION
bw unlock

# Query a password
bw get password mysite.com
```

See the Bitwarden page for setup.
## Screen Locking

hyprlock handles screen locking. hypridle triggers it automatically after inactivity.

```sh
# Lock immediately
hyprlock
```

Or press ⌘ + Ctrl + L.

Idle timeouts are configured in ~/.config/hypr/hypridle.conf. Default: lock after 5 minutes, suspend after 10.
## SSH Key Management

Generate an Ed25519 key:

```sh
ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)"
```

Use ssh-agent to avoid repeated passphrase prompts:

```sh
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
```

Store passphrases in Bitwarden rather than leaving keys unprotected.
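The script below is an added example, not part of omfreebdy or the FreeBSD base system. It turns the pf settings in the Firewall section and the key handling in this section into checks a practitioner can run: whether pf is enabled in /etc/rc.conf, whether /etc/pf.conf contains a `pass in` rule with no port restriction (the rule shape that silently cancels `block in all`), and whether the private key is readable only by its owner. The paths /etc/rc.conf, /etc/pf.conf and ~/.ssh/id_ed25519 are assumed defaults and every function accepts another path; the `pkg audit -F` call is the page's own command and, like the other live checks, only runs when the script is invoked with `--run`. The ruleset scan is a line-based heuristic: rules built from macros or split across continuation lines are not recognised.

```shell
#!/bin/sh
# Added example (not omfreebdy code): posture checks for the pf and SSH
# settings on this page. Each function takes an optional file path so it can
# be pointed at a copy or a test fixture; the defaults are the real locations.

# Is pf enabled at boot? Reads rc.conf directly (equivalent to `sysrc -n
# pf_enable`, but works on a copied file). Comments are stripped and the last
# assignment wins, as it does when sh sources the file.
pf_enabled_at_boot() {
    rc="${1:-/etc/rc.conf}"
    [ -r "$rc" ] || return 1
    val=$(grep -E '^[[:space:]]*pf_enable=' "$rc" | sed 's/#.*//' \
          | tail -n 1 | cut -d= -f2- | tr -d "\"' ")
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Does the ruleset contain a "pass in" rule that is not limited to a port?
# Such a rule accepts new connections on every port, so "block in all" no
# longer blocks anything. Rules bound to a loopback interface are ignored.
# Returns 0 (true) when a blanket rule is present.
ruleset_has_blanket_pass_in() {
    f="${1:-/etc/pf.conf}"
    [ -r "$f" ] || return 1
    sed 's/#.*//' "$f" \
        | grep -E '^[[:space:]]*pass[[:space:]]+in([[:space:]]|$)' \
        | grep -vE '[[:space:]]on[[:space:]]+lo[0-9]*([[:space:]]|$)' \
        | grep -vqE '[[:space:]]port[[:space:]]'
}

# Is the private key readable only by its owner (mode 600 or 400)? ssh(1)
# refuses keys that are group- or world-readable. ls -l is used because the
# stat(1) flags differ between BSD and GNU.
ssh_private_key_perms_ok() {
    k="${1:-$HOME/.ssh/id_ed25519}"
    [ -f "$k" ] || return 1
    mode=$(ls -ld "$k" | cut -c2-10)
    case "$mode" in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check against the live system and report; exit status is non-zero
# if anything failed. Only invoked with --run so the file can also be sourced.
run_checks() {
    status=0
    if pf_enabled_at_boot; then
        echo "ok:   pf_enable=YES in /etc/rc.conf"
    else
        echo "FAIL: pf is not enabled at boot (sysrc pf_enable=YES)"; status=1
    fi
    if [ ! -r /etc/pf.conf ]; then
        echo "FAIL: /etc/pf.conf is missing or unreadable"; status=1
    elif ruleset_has_blanket_pass_in; then
        echo "FAIL: /etc/pf.conf has a 'pass in' rule without a port restriction"; status=1
    else
        echo "ok:   no blanket 'pass in' rule in /etc/pf.conf"
    fi
    if ssh_private_key_perms_ok; then
        echo "ok:   ~/.ssh/id_ed25519 is owner-readable only"
    else
        echo "FAIL: ~/.ssh/id_ed25519 is missing or too permissive (chmod 600)"; status=1
    fi
    # The page's own audit command: exits non-zero when a vulnerable package is installed.
    if pkg audit -F >/dev/null 2>&1; then
        echo "ok:   pkg audit found no known-vulnerable packages"
    else
        echo "FAIL: pkg audit reported vulnerable packages (or pkg is unavailable)"; status=1
    fi
    return $status
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `sh posture.sh --run` on the host, or source it and call the individual functions against copies of the files (for example a candidate pf.conf before `service pf reload`).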