Date:      Sun, 23 Nov 2014 00:44:29 +0100
From:      lnrt <lnrt80@openmailbox.org>
To:        freebsd-questions@freebsd.org
Subject:   Full disk encryption on FreeBSD 10.1-RELEASE?
Message-ID:  <72aee80c9f26982088d6b2e018744c91@openmailbox.org>

While installing a FreeBSD 10.1-RELEASE system I want to use UFS and 
encrypt the entire disk. I select "Open a shell and partition by hand" 
and follow these steps:

====================
# gpart destroy -F ada0

# gpart create -s gpt ada0

# gpart add -t freebsd-boot -s 512k -a 4k ada0
# gpart add -t freebsd-ufs -l boot -s 1g -a 1m ada0
# gpart add -t freebsd-ufs -l encrypted -a 1m ada0

# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

# geli init -b -l 256 -s 4096 ada0p3
# geli attach ada0p3

# newfs -U /dev/ada0p2
# newfs -U /dev/ada0p3.eli

# mount /dev/ada0p3.eli /mnt
# mkdir /mnt/unencrypted
# mount /dev/ada0p2 /mnt/unencrypted
# mkdir /mnt/unencrypted/boot
# ln -s unencrypted/boot /mnt/boot

# vi /tmp/bsdinstall_etc/fstab

/dev/ada0p2     /unencrypted   ufs     rw,noatime   1   1
/dev/ada0p3.eli /              ufs     rw,noatime   2   2

# vi /tmp/bsdinstall_boot/loader.conf

geom_eli_load="YES"
vfs.root.mountfrom="ufs:ada0p3.eli"

# exit
====================

This works as expected, but I would like to avoid /boot being a symlink 
to /unencrypted/boot so I have tried this:

====================
# gpart destroy -F ada0

# gpart create -s gpt ada0

# gpart add -t freebsd-boot -s 512k -a 4k ada0
# gpart add -t freebsd-ufs -l boot -s 1g -a 1m ada0
# gpart add -t freebsd-ufs -l encrypted -a 1m ada0

# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

# geli init -b -l 256 -s 4096 ada0p3
# geli attach ada0p3

# newfs -U /dev/ada0p2
# newfs -U /dev/ada0p3.eli

# mount /dev/ada0p3.eli /mnt
# mkdir /mnt/boot
# mount /dev/ada0p2 /mnt/boot
# mkdir /mnt/boot/boot

# vi /tmp/bsdinstall_etc/fstab

/dev/ada0p2     /boot   ufs     rw,noatime   1   1
/dev/ada0p3.eli /       ufs     rw,noatime   2   2

# vi /tmp/bsdinstall_boot/loader.conf

geom_eli_load="YES"
vfs.root.mountfrom="ufs:ada0p3.eli"

# exit
====================

This results in the following error when booting the system:

config: not a directory.
loader: not a directory.
gptboot: No /boot/loader on 0:ad(0p2)
kernel: not a directory.
gptboot: No /boot/kernel/kernel on 0:ad(0p2)

FreeBSD/x86 boot
Default: 0:ad(0p2)/boot/kernel/kernel
boot:

Does anyone have a suggestion on why the second method won't work?
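An added pre-flight check for the two layouts above, not part of the original message. It is a POSIX sh script meant to be run from the installer shell before "exit", and it rebuilds both fstab/loader.conf variants from the post in a temporary directory so it can be tried offline. It assumes what the boot error itself shows ("No /boot/loader on 0:ad(0p2)"): gptboot opens /boot/loader on the plain UFS partition, with the path taken relative to that partition's own filesystem root rather than the installed system's /. The function works out which on-disk path the installed /boot has on that partition and reports whether it is the /boot that gptboot expects; it also cross-checks that the fstab root, vfs.root.mountfrom and geom_eli_load agree. The function and argument names are my own choices.

```sh
#!/bin/sh
# Added example: pre-flight check for a geli-encrypted root with a plain
# /boot partition. Not part of the original post.
#
# Assumption (matches the boot error in the post): gptboot opens /boot/loader
# on the plain UFS partition, relative to that filesystem's root.

# check_geli_layout ROOT FSTAB LOADERCONF BOOTDEV
#   ROOT       installed tree (/mnt inside the installer)
#   FSTAB      fstab to inspect (/tmp/bsdinstall_etc/fstab in the installer)
#   LOADERCONF loader.conf to inspect (/tmp/bsdinstall_boot/loader.conf)
#   BOOTDEV    plain UFS partition gptboot reads, e.g. /dev/ada0p2
# Prints one line per finding; returns 0 when all checks pass, 1 otherwise.
check_geli_layout() {
    root=$1 fstab=$2 loaderconf=$3 bootdev=$4
    rc=0

    # 1. the root filesystem in fstab must be an attached geli provider (*.eli)
    rootdev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$fstab")
    case $rootdev in
        *.eli) echo "ok: root filesystem $rootdev is a geli provider" ;;
        *)     echo "FAIL: fstab root device '$rootdev' is not a .eli provider"; rc=1 ;;
    esac

    # 2. loader.conf must load geom_eli and mount root from that same provider
    if grep -q '^geom_eli_load="YES"' "$loaderconf"; then
        echo 'ok: geom_eli_load="YES" present'
    else
        echo 'FAIL: geom_eli_load="YES" missing from loader.conf'; rc=1
    fi
    mountfrom=$(sed -n 's/^vfs\.root\.mountfrom="ufs:\(.*\)"$/\1/p' "$loaderconf")
    if [ "/dev/$mountfrom" = "$rootdev" ]; then
        echo "ok: vfs.root.mountfrom matches the fstab root"
    else
        echo "FAIL: vfs.root.mountfrom 'ufs:$mountfrom' does not match fstab root '$rootdev'"; rc=1
    fi

    # 3. the plain boot partition must be in fstab; remember its mount point
    bootmp=$(awk -v d="$bootdev" '$1 == d { print $2 }' "$fstab")
    if [ -z "$bootmp" ]; then
        echo "FAIL: $bootdev has no fstab entry"; return 1
    fi

    # 4. resolve what the installed /boot is: a real directory or a symlink
    if [ -L "$root/boot" ]; then
        target=$(readlink "$root/boot")
        case $target in
            /*) abs=$target ;;   # absolute link target
            *)  abs=/$target ;;  # relative target, resolved against /
        esac
    else
        abs=/boot
    fi

    # 5. strip the mount point to get the path of /boot inside BOOTDEV's fs
    if [ "$bootmp" = / ]; then
        infs=$abs
    else
        case $abs in
            "$bootmp"|"$bootmp"/*) infs=${abs#"$bootmp"}; [ -n "$infs" ] || infs=/ ;;
            *) echo "FAIL: /boot -> $abs does not live on $bootdev ($bootmp)"; return 1 ;;
        esac
    fi

    if [ "$infs" = /boot ]; then
        echo "ok: /boot is /boot on $bootdev, where gptboot looks for /boot/loader"
    else
        echo "FAIL: /boot is '$infs' on $bootdev, but gptboot opens /boot/loader there"; rc=1
    fi
    return $rc
}

# Constructed demonstration: rebuild either layout from the post in a temp dir.
# $1 = "symlink" (first method) or "mountpoint" (second method).
demo_layout() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root"
    printf '%s\n' 'geom_eli_load="YES"' 'vfs.root.mountfrom="ufs:ada0p3.eli"' > "$d/loader.conf"
    if [ "$1" = symlink ]; then
        mkdir -p "$d/root/unencrypted/boot"
        ln -s unencrypted/boot "$d/root/boot"
        printf '%s\n' '/dev/ada0p2     /unencrypted   ufs     rw,noatime   1   1' \
                      '/dev/ada0p3.eli /              ufs     rw,noatime   2   2' > "$d/fstab"
    else
        mkdir -p "$d/root/boot/boot"
        printf '%s\n' '/dev/ada0p2     /boot   ufs     rw,noatime   1   1' \
                      '/dev/ada0p3.eli /       ufs     rw,noatime   2   2' > "$d/fstab"
    fi
    check_geli_layout "$d/root" "$d/fstab" "$d/loader.conf" /dev/ada0p2
    rc=$?
    rm -rf "$d"
    return $rc
}
```

On a real install the call would be `check_geli_layout /mnt /tmp/bsdinstall_etc/fstab /tmp/bsdinstall_boot/loader.conf /dev/ada0p2`; `demo_layout symlink` passes and `demo_layout mountpoint` fails on the last check, because with ada0p2 mounted on /boot the loader is written to the root of that filesystem, not under a /boot directory on it.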