Billy the Martian

I found these instructions here.

Why would you want an encrypted file system?

Well, for starters, if you have to ask, you’re not going to be
impressed by the answer. You’re not the kind of person who wanted
a crypto-decoder ring when you were a kid. (Yes, I’ve got one. Here’s
a picture. Mine’s more dinged up than this one is, though. And yes, it actually says “Digital Decoder Ring” on it. And it really runs Java.)

You might want to keep prying eyes off of your email. You might want
to run an anonymous remailer system, and you want to protect the files on it even if the men in black take
the whole machine away. Heck, maybe you’ve got that one recipe for those
cookies that the lady paid $1000 for, and you want to keep it safe!

0.	Add GEOM_BDE support to the kernel.
	options GEOM_BDE

NOTE: you could also load the kernel module: `kldload /boot/kernel/geom_bde.ko`
1.	Create a few directories. One for lock files, and the other for a mount point.
	# mkdir /private
	# mkdir /etc/gbde

2.	Create an empty images file of 1000Mb.
	# touch /usr/local/cryptfs.img
	# dd if=/dev/zero of=/usr/local/cryptfs.img bs=1024k count=1000

3.	Create a virtual device that points the empty file.
	# mdconfig -a -t vnode -u 9 -f /usr/local/cryptfs.img

4.	Invoke the gbde program on the new virtual device.
	This will ask for a passphrase twice, and open an editor.
	# gbde init /dev/md9 -i -L /etc/gbde/md9

5.	In the Editor, alter the "sector_size" line, and exit.
	g/sector_size = 512/s//sector_size = 2048/g

NOTE: You should have a /dev/md9.bde device-node.

6.	Invoke the gbde program to attach the image file to the kernel.
	# gbde attach /dev/md9 -l /etc/gbde/md9

NOTE: You will be prompted for the passphrase.

7.	Format the attached image with UFS2
	# newfs -U -O2 /dev/md9.bde

8.	Mount the md9.bde filesystem to the mount-point we created earlier.
	# mount /dev/md9.bde /private

9.	Check to make sure everthing worked.
	# df -h