Setting Up FreeBSD with Encrypted Root - in 45.5 easy steps

1) Install FreeBSD from the CD
   Initially, set up the partitions like this (for example):
   ad4s1a / 256M
   ad4s1b swap 4G
   ad4s1d /new-root 2G
   ad4s1e /new-tmp 2G
   ad4s1f /new-var 2G
   ad4s1g /new-usr *

   Do a minimal install. Only the / partition will get data at this point.

2) Boot into your new install.
3) Edit boot/loader.conf so that it includes geom_eli_load="YES"
4) umount /new-root
5) geli init -b -l 256 /dev/ad4s1d
6) geli attach /dev/ad4s1d
7) newfs -L root /dev/ad4s1d.eli
8) Change /etc/fstab entry /dev/ad4s1d to /dev/ad4s1d.eli
9) mount /new-root
10) dd if=/dev/random of=/new-root/ad4s1e.key bs=512 count=1
11) dd if=/dev/random of=/new-root/ad4s1f.key bs=512 count=1
12) dd if=/dev/random of=/new-root/ad4s1g.key bs=512 count=1
13) swapoff -a
14) geli onetime -l 256 -s 4096 /dev/ad4s1b
15) Change /etc/fstab entry /dev/ad4s1b to /dev/ad4s1b.eli
15.5) swapon -a
16) umount /new-tmp
17) umount /new-var
18) umount /new-usr
19) geli init -K /new-root/ad4s1e.key -l 256 -P /dev/ad4s1e
20) geli init -K /new-root/ad4s1f.key -l 256 -P /dev/ad4s1f
21) geli init -K /new-root/ad4s1g.key -l 256 -P /dev/ad4s1g
22) geli attach -k /new-root/ad4s1e.key -p /dev/ad4s1e
23) geli attach -k /new-root/ad4s1f.key -p /dev/ad4s1f
24) geli attach -k /new-root/ad4s1g.key -p /dev/ad4s1g
25) newfs -L tmp /dev/ad4s1e.eli
26) newfs -L var /dev/ad4s1f.eli
27) newfs -L usr /dev/ad4s1g.eli
28) cd /new-root
29) mkdir tmp
30) mkdir var
31) mkdir usr
32) mount /dev/ad4s1e.eli tmp/
33) mount /dev/ad4s1f.eli var/
34) mount /dev/ad4s1g.eli usr/
35) mount /cdrom
36) cd /cdrom/6.2-RELEASE/base
37) cat base.?? | tar --unlink -xpzf - -C /new-root/
38) mkdir /new-root/mnt/boot
39) cp /etc/fstab /new-root/etc/fstab
40) vi /new-root/etc/fstab
    /dev/ad4s1a     /mnt/boot ufs rw 2 2
    /dev/ad4s1d.eli /         ufs rw 1 1
    /dev/ad4s1e.eli /tmp      ufs rw 2 2
    /dev/ad4s1g.eli /usr      ufs rw 2 2
    /dev/ad4s1f.eli /var      ufs rw 2 2
41) vi /new-root/etc/rc.conf
    geli_devices="ad4s1e ad4s1f ad4s1g"
    geli_ad4s1e_flags="-p -k /ad4s1e.key"
    geli_ad4s1f_flags="-p -k /ad4s1f.key"
    geli_ad4s1g_flags="-p -k /ad4s1g.key"
42) vi /etc/fstab
    The only entry should be root on ad4s1d.eli:
    /dev/ad4s1d.eli / ufs rw 1 1
43) reboot (you may need to eject the CD)
44) Clean up /mnt/boot (you only really need /mnt/boot/boot/* and /mnt/boot/etc/fstab now)
45) Use sysinstall to install whatever other distribution sets you like.
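A consistency check for the finished layout, added here as an example and not part of the original page: it reads an fstab and an rc.conf like those written in steps 40 and 41 and flags any mount outside the boot slice that is not on a .eli provider, and any device in geli_devices whose flags or key file are missing. The function names, the demo files and the dummy keys are constructed for this example.

```shell
#!/bin/sh
# Consistency check for the geli layout built above (added helper, not part of
# the page): flags mounts not on .eli providers and geli devices without a key.

# check_fstab FILE BOOTMNT: every mount except BOOTMNT must be a *.eli provider.
check_fstab() {
    file=$1; bootmnt=$2; rc=0
    while read -r dev mnt rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$mnt" = "$bootmnt" ] && continue          # the boot slice stays plain
        case "$dev" in *.eli) ;; *) echo "UNENCRYPTED: $dev on $mnt"; rc=1 ;; esac
    done < "$file"
    return $rc
}

# check_rc RCFILE KEYDIR: each device in geli_devices needs geli_<dev>_flags with
# "-k PATH", and PATH must exist under KEYDIR (the future root filesystem).
check_rc() {
    rcfile=$1; keydir=$2; rc=0
    devs=$(sed -n 's/^geli_devices="\(.*\)"/\1/p' "$rcfile")
    for d in $devs; do
        flags=$(sed -n "s/^geli_${d}_flags=\"\(.*\)\"/\1/p" "$rcfile")
        if [ -z "$flags" ]; then echo "NOFLAGS: $d"; rc=1; continue; fi
        key=$(printf '%s\n' "$flags" | sed -n 's/.*-k \([^ ]*\).*/\1/p')
        if [ -z "$key" ] || [ ! -f "$keydir$key" ]; then echo "NOKEY: $d"; rc=1; fi
    done
    return $rc
}

# demo: write constructed copies of the step 40/41 files plus dummy key files
# into a temp dir and run both checks; returns 0 only if the layout is consistent.
demo() {
    t=$(mktemp -d) || return 2
    cat > "$t/fstab" <<'EOF'
/dev/ad4s1a     /mnt/boot ufs rw 2 2
/dev/ad4s1d.eli /         ufs rw 1 1
/dev/ad4s1e.eli /tmp      ufs rw 2 2
/dev/ad4s1f.eli /var      ufs rw 2 2
/dev/ad4s1g.eli /usr      ufs rw 2 2
EOF
    cat > "$t/rc.conf" <<'EOF'
geli_devices="ad4s1e ad4s1f ad4s1g"
geli_ad4s1e_flags="-p -k /ad4s1e.key"
geli_ad4s1f_flags="-p -k /ad4s1f.key"
geli_ad4s1g_flags="-p -k /ad4s1g.key"
EOF
    for d in ad4s1e ad4s1f ad4s1g; do printf 'constructed' > "$t/$d.key"; done
    check_fstab "$t/fstab" /mnt/boot && check_rc "$t/rc.conf" "$t"
}
```

Run `demo` for the built-in sample, or `check_fstab /new-root/etc/fstab /mnt/boot && check_rc /new-root/etc/rc.conf /new-root` against the real files before rebooting in step 43.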

FreeBsdGeliRoot (last edited 2007-05-02 05:29:39 by LukeMacpherson)