Installation of FreeBSD on an encrypted root filesystem.

This is a quick description of a FreeBSD installation on an AES-256 encrypted root filesystem using GELI. In this example 6.2 was used. To have a complete bootable system on one hard disk, two partitions will be used: a small unencrypted boot partition with the kernel, and a second partition which holds the encrypted root filesystem.

Update: This guide is rather old now; you might also want to have a look at this alternative approach for FreeBSD 8.0.

Booting from CD and preparing the partitions/slices

As sysinstall does not support encrypted volumes, you will have to do everything manually from the command line. Boot the 6.2 installation CD and select "fixit→CDROM/DVD" from the menu, and you will end up in a shell. First you should make sure that all data is completely erased from the target hard drive. The following command will do this quite well; if you’re paranoid enough you might want to repeat the step a few times and also use /dev/zero once in a while (reading from /dev/null returns end-of-file immediately, so dd would write nothing):

# dd if=/dev/random of=/dev/ad0 bs=1m

After that, you can create the two partitions with fdisk (see the man page for how to use it). One small boot partition (~100MB) should be sufficient; the rest can be used for the second partition with the root filesystem. The man page will possibly tell you something different, but fdisk can be used interactively with the command:

# fdisk -i

Now you will have 2 partitions, ad0s1 and ad0s2. Make sure you set the first one bootable in fdisk.

Some preparations to be able to load the geom_eli kernel module:

# ln -s /dist/lib /lib

# ln -s /dist/boot/kernel /boot/modules

Load the geom_eli module:

# kldload geom_eli

ad0s2 will be the encrypted partition. Initialize it with the following command:

# geli init -b -v -a aes -l 256 /dev/ad0s2

You will be asked for a passphrase twice. Write it down on a yellow post-it and put it under your keyboard or your monitor so you won’t forget it. The encrypted partition can be made accessible with the command:

# geli attach /dev/ad0s2

After you have typed in your passphrase, the content of the partition will be available in decrypted form via a new device: /dev/ad0s2.eli. Now you can create slices. The editor variable is set incorrectly on the installation CD, so you have to correct it first in order to use bsdlabel:

# export EDITOR=/mnt2/usr/bin/vi

Now, you should create the slices on the partitions with bsdlabel. First, the unencrypted one:

# bsdlabel -w /dev/ad0s1

# bsdlabel -e /dev/ad0s1

You will end up in the vi editor, where you fill the partition with one single slice, ad0s1a. See the documentation / man page of bsdlabel for further information. After that, create 2 slices (one for swap, one for the root fs) on the encrypted partition:

# bsdlabel -w /dev/ad0s2.eli

# bsdlabel -e /dev/ad0s2.eli

In this example, swap resides in /dev/ad0s2.elia, the root fs is /dev/ad0s2.elib. Format the small boot fs and the root fs:

# newfs /dev/ad0s2.elib

# newfs /dev/ad0s1a


After all the filesystems are prepared, you can finally move on to the actual installation process. First, create two mountpoints for the filesystems:

# mkdir /mnt/crypt

# mkdir /mnt/boot

Mount the filesystems:

# mount /dev/ad0s2.elib /mnt/crypt

# mount /dev/ad0s1a /mnt/boot

Set the target directory for the installation:

# export DESTDIR=/mnt/crypt

Install the base system:

# cd /dist/6.2-RELEASE/base

# ./install.sh

Install the generic kernel:

# cd /dist/6.2-RELEASE/kernels

# ./install.sh GENERIC

Rename the kernel directory tree and copy it over to the unencrypted partition:

# rmdir /mnt/crypt/boot/kernel

# mv /mnt/crypt/boot/GENERIC /mnt/crypt/boot/kernel

# cp -Rpv /mnt/crypt/boot /mnt/boot/

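Make sure geom_eli is loaded at boot time. The copy above placed the loader files in /mnt/boot/boot, which the loader sees as /boot on the boot partition:

# echo geom_eli_load=\"YES\" >> /mnt/boot/boot/loader.conf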

Prepare the fstab:

# mkdir /mnt/boot/etc

# echo "/dev/ad0s2.elib / ufs rw 1 1" >> /mnt/boot/etc/fstab

# echo "/dev/ad0s2.elia none swap sw 0 0" >> /mnt/boot/etc/fstab

# cp /mnt/boot/etc/fstab /mnt/crypt/etc/fstab

Ready! You should now be able to reboot your system from hard disk.


There seems to be a problem with kbdmux in conjunction with the GELI password prompt at boot time. You can turn kbdmux off by putting the following line in /boot/device.hints:


If you still have problems entering the passphrase, you can make it visible to see what’s actually happening. Just put the following line into /boot/loader.conf:


Some remarks on security

1.) While you may feel more secure now that your data is encrypted, some aspects should not be forgotten: the encryption is only effective while the system is not booted up (e.g. the root fs is not yet mounted). Once it is up and running, all the data is accessible locally and remotely (depending on the network services running) in the usual way.

2.) Remember that the boot partition is still unencrypted. Somebody may tinker with it while you are away, trojan your kernel, install a keylogger on it or whatever. To prevent that, I suggest installing tripwire or a similar solution and monitoring all the files on the boot partition. Of course the tripwire database and configuration should be stored on the encrypted volume.

3.) Forget about that yellow post-it. That was a joke.
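
The boot-partition monitoring from remark 2 can be sketched as a hash manifest. This is an added example, not part of the original guide and not tripwire itself; the function names, the /bootfs mount point and the /var/db/boot.manifest location are assumptions.

```sh
#!/bin/sh
# Added example: SHA-256 manifest check for the unencrypted boot partition.
# Function names and all paths below are assumptions, not from the guide.

# Print the SHA-256 of one file: sha256sum(1) if present, else FreeBSD sha256(1).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Emit "<hash>  <relative path>" for every regular file under directory $1.
boot_manifest() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s  %s\n' "$(hash_of "$f")" "$f"
      done )
}

# Compare the live tree $1 with baseline manifest $2 (kept on the encrypted
# volume). Returns 0 if identical, 1 on any difference, 2 if the baseline is
# missing or empty (an empty baseline must never read as "all clean").
boot_verify() {
    [ -s "$2" ] || { echo "baseline missing or empty: $2" >&2; return 2; }
    cur=$(mktemp) || return 2
    boot_manifest "$1" > "$cur"
    diffs=$(awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        FNR == NR { base[p] = h; next }
        { seen[p] = 1
          if (!(p in base)) print "ADDED " p
          else if (base[p] != h) print "MODIFIED " p }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Usage on the installed system (mount point and manifest path are assumed):
#   boot_manifest /bootfs > /var/db/boot.manifest   # right after a trusted install
#   boot_verify   /bootfs /var/db/boot.manifest     # after every boot
```

A check run under the installed kernel can be deceived by a kernel that has already been tampered with, so comparing against the manifest from trusted boot media gives a stronger result.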