Encrypted FreeBSD


by ross at 20:12:18 on November 12, 2017


So how do you install encrypted FreeBSD? First, you need a separate unencrypted boot partition. Then you add encryption GEOM layer to the system partition and build your system on top of that. After booting up, FreeBSD will ask you the password for the system partition.

Let's start

After booting the DVD choose “Install” path and when asked about partitioning method you prefer select “Shell”.

Create partition table:
# gpart create -s gpt ada0
Create bootcode partition:
# gpart add -s 512k -a 4k -t freebsd-boot ada0
Create boot partition:
# gpart add -s 1G -a 4k -t freebsd-ufs -l boot0 ada0
Create system partition:
# gpart add -a 4k -t freebsd-ufs -l root0 ada0

Boot code:

# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

Boot partition:

# newfs -L bootfs0 /dev/gpt/boot0

Encrypt system partition:

# geli init -b -B /var/tmp/system0 -e AES-XTS -l 256 -s 4096 /dev/gpt/root0
# geli attach /dev/gpt/root0

Root partition:

# newfs -U -L rootfs0 /dev/gpt/root0.eli

Mount partitions:

# mount /dev/gpt/root0.eli /mnt
# mkdir -p /mnt/bootfs
# mount /dev/gpt/boot0 /mnt/bootfs
# cd /mnt
# mkdir bootfs/boot
# ln -s bootfs/boot

Finish installation

Type exit and the installer will do its thing. At the end of installation it will ask you if you want to go to shell again, choose so and then:

# echo 'geom_eli_load="YES"' >> /boot/loader.conf
# echo 'vfs.root.mountfrom="ufs:ada0p3.eli"' >> /boot/loader.conf

Change ada0p3 above to your root partition, using this device naming scheme.

Edit /etc/fstab:

# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/gpt/root0.eli      /               ufs     rw              1       1
/dev/gpt/boot0          /bootfs         ufs     rw              0       0

Reboot into your new system. You can add swap as a file now (described in the Handbook).