Encrypted FreeBSD

HOWTO

by ross at 06:17:14 on September 29, 2013

GEOM ELI

So how do you install encrypted FreeBSD? First, you need a separate unencrypted boot partition (I use UFS for that here). Then you add encryption GEOM layer to a system partition and build your system on top of that. After booting up FreeBSD will ask you the password for the system partition.

For the sake of simplicity the system will be non-mirrored ZFS. But you obviously can adapt the guide to mirrored case, just use <device-name>.eli instead of <device-name> when creating the pool.

If you install mirrored system it will be a good idea to add gmirror to the boot partition too.

Let's start

After booting the DVD choose “Install” path and when asked about partitioning method you prefer select “Shell”.

Create partition table:
# gpart create -s gpt ada0
Create bootcode partition:
# gpart add -b 34 -s 64k -t freebsd-boot ada0
Create boot partition (UFS):
# gpart add -s 1G -t freebsd-ufs -l boot0 ada0
Create swap partition:
# gpart add -s 2G -t freebsd-swap -l swap0 ada0
Create system partition (ZFS):
# gpart add -t freebsd-zfs -l system0 ada0

Boot code:

# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

Boot partition:

# newfs -L bootfs0 /dev/gpt/boot0

Encrypt system partition:

# geli init -b -B /var/tmp/system0 -e AES-XTS -l 256 -s 4096 /dev/gpt/system0
# geli attach /dev/gpt/system0

The pool (named system):

# zpool create -o altroot=/mnt -o cachefile=/var/tmp/zpool.cache system /dev/gpt/system0.eli

The hack to inject the boot partition (the new system is mounted under /mnt):

# mkdir -p /mnt/mnt/bootfs
# mount /dev/gpt/boot0 /mnt/mnt/bootfs
# mkdir /mnt/mnt/bootfs/boot
# cd /mnt
# ln -s mnt/bootfs/boot boot

Create filesystems

Bring network up (em0 is the network interface name):

If you have DHCP just do:
# dhclient em0
If you don't:
# ifconfig em0 up 192.168.10.20/24
# route add default 192.168.10.1
# echo "nameserver 192.168.10.1" > /etc/resolv.conf

Run the ZFS create script:

# cd /tmp
# fetch http://daemon-notes.com/downloads/assets/scripts/zfs-create.sh
# sh zfs-create.sh

Bring the network down (needed for installer to operate properly):

# killall dhclient
# ifconfig em0 down

Finish installation

Type exit and the installer will do its thing. At the end of installation it will ask you if you want to go to shell again, choose so.

Final modifications:

# echo 'geom_eli_load="YES"' >> /boot/loader.conf
# echo 'zfs_load="YES"' >> /boot/loader.conf
# echo 'vfs.root.mountfrom="zfs:system"' >> /boot/loader.conf

# echo 'zfs_enable="YES"' >> /etc/rc.conf

# rm /etc/motd

Edit /etc/fstab:

# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/gpt/swap0          none            swap    sw              0       0
/dev/ufs/bootfs0        /mnt/bootfs     ufs     rw              1       1

Reboot into your new system. Run:

# zfs set readonly=on system/var/empty

 

Comments
I following your tutorial with FreeBSD 11 STABLE

At this point however:

zpool create -o altroot=/mnt -o cachefile=/var/tmp/zpool.cache system /dev/gpt/system0.eli

It will fail to mount the system under the mnt, as I understand this should create a /mnt/system directory automatically but since I'm using the install CD (shell) the whole filesystem is read-only
-- sysres
Thursday, April 27, 2017, 15:48:34