From: User Wojtek
To: freebsd-questions@freebsd.org
Date: Tue, 18 Jan 2011 22:55:02 +0100 (CET)
Subject: Re: harddrive encryption

No, not at installation if you use the standard installer. As I don't use the standard installer at all, I don't have such a problem. I use any bootable FreeBSD media (actually my own home-made pendrive), and then make labels, do newfs, mount, unpack files etc.
If you can't do that then you may follow my advice: install as usual, but make partitions like

  a: root - 10-20GB
  b: swap - as you need
  d: rest - don't assign any directory to it

Install on a and b. Then, after booting your system, and building and installing your kernel with GEOM_ELI inside:

  geli init -s 2048 /dev/ad0d    (or 4096, whatever fragment size you plan; ad0d, ada0d or however your disk is named)
  geli attach /dev/ad0d
  newfs /dev/ad0d.eli
  mount /dev/ad0d.eli /mnt
  cd /mnt
  tar --exclude /usr -cf - / | tar xpf -

So you have copied all data except /usr to /mnt. Then edit /mnt/etc/fstab: make ad0d.eli the root and ad0a /usr. Then edit /mnt/boot/loader.conf and add

  vfs.root.mountfrom="ad0d.eli"

Then reboot to single user mode. After booting:

  /sbin/mount /usr    - should mount fine
  cd /usr
  ls

and delete with rm -rf everything except the usr subdirectory, then

  mv usr/* .
  rm -rf usr
  cd /
  rm -rf boot
  ln -s /usr/boot .

Then press CTRL-D and you have your encrypted system up.

You don't have /usr encrypted, as your software packages are not secret data. /usr is the a: partition, so the bootloader boots from there. /usr/boot is linked to /boot to make it accessible for system programs as usual. But your /usr/local/etc may be secret, so

  cd /usr/local
  mv etc /etc/local
  ln -s /etc/local etc

This is how I configure my system everywhere I use geli.
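The fstab and loader.conf edits in the message above are only described in words. The following is an added example, not code from the post or from FreeBSD, that performs that rewrite on a copy of fstab for the layout described (old root on ${disk}a becoming /usr, the geli-backed ${disk}d.eli becoming root). It assumes fstab uses classic /dev/<disk><letter> device names rather than labels, and it writes the loader line in the fully qualified ufs:/dev/... form that loader.conf(5) accepts.

```shell
#!/bin/sh
# Added example (not from the original post). Rewrites an fstab so that the
# slice that was root (/dev/<disk>a) becomes /usr and the geli provider
# (/dev/<disk>d.eli) becomes the new root, as in the procedure above.
# Assumption: device names are /dev/<disk><letter>, e.g. /dev/ad0a.

# Usage: rewrite_fstab <disk> < /mnt/etc/fstab > /mnt/etc/fstab.new
rewrite_fstab() {
    disk="$1"
    awk -v d="$disk" '
        # Comments and blank lines pass through unchanged.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        # The old root line: emit the encrypted root first, then the old
        # slice re-mounted on /usr with the usual dump/pass values of 2 2.
        $1 == ("/dev/" d "a") && $2 == "/" {
            found = 1
            printf "/dev/%sd.eli\t/\t%s\t%s\t%s\t%s\n", d, $3, $4, $5, $6
            printf "/dev/%sa\t/usr\t%s\t%s\t2\t2\n", d, $3, $4
            next
        }
        # Swap, procfs and anything else stay as they were.
        { print }
        # Refuse silently rewriting a fstab that has no matching root line.
        END { if (!found) exit 1 }
    ' || { echo "rewrite_fstab: no /dev/${disk}a mounted on / found" >&2; return 1; }
}

# The loader.conf line for the new root, in the form loader.conf(5) accepts.
loader_conf_line() {
    printf 'vfs.root.mountfrom="ufs:/dev/%sd.eli"\n' "$1"
}
```

Check the generated fstab by hand before replacing /mnt/etc/fstab; a wrong root entry leaves the system unbootable without the install media.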