Installation of FreeBSD 8.0 on an encrypted root filesystem.

This is an alternative guide suitable for FreeBSD 8.0, submitted by Lighthash (lighthash at hotmail.com).

Create the ad0s1a (ad0 is my hard disk) partition using sysinstall.

  • Go to custom setup

  • Use fdisk to create 2 partitions, ad0s1, ad0s2. ad0s1 will be the unencrypted boot partition and ad0s2 will be encrypted. ad0s1 should be 300-400 MB if you compile a custom kernel. ad0s2 will be placed in the remaining free space of the disk.

  • Set the bootable flag for ad0s1

  • Go to label and create ad0s1a, leaving no unused space

  • Install only the kernel from sysinstall using cdrom

  • Reboot with your cdrom and go to fixit, then execute the following commands:

# dd if=/dev/random of=/dev/ad0s2 bs=1m

# ln -s /dist/lib /lib

# ln -s /dist/boot/kernel /boot/modules

# kldload geom_eli

# geli init -b -v -e aes -l 256 /dev/ad0s2

# geli attach /dev/ad0s2

# export EDITOR=/mnt2/usr/bin/vi

# bsdlabel -w /dev/ad0s2.eli

# bsdlabel -e /dev/ad0s2.eli

You will end up in the editor. This is what I did:

a: 1g      16    4.2BSD * * *  #this is the /
b: 2g      *     swap          #this is the swap
c: 1002019330 (I don't remember what was written here; don't touch this)
d: 4g      *     4.2BSD * * *  #this is the /var
e: 2g      *     4.2BSD * * *  #this is the /tmp
f: *       *     4.2BSD * * *  #this is the /usr. I used * for size so it will be allocated automatically

  • Press esc and write :wq!

  • Create the filesystems:

# newfs /dev/ad0s2.elia

# newfs /dev/ad0s2.elib

# newfs /dev/ad0s2.elid

# newfs /dev/ad0s2.elie

# newfs /dev/ad0s2.elif

  • Now mount everything:

# mkdir /mnt/crypt

# mkdir /mnt/boot

# mount /dev/ad0s1 /mnt/boot

# mount /dev/ad0s2.elia /mnt/crypt

# mkdir /mnt/crypt/var

# mkdir /mnt/crypt/tmp

# mkdir /mnt/crypt/usr

# mount /dev/ad0s2.elid /mnt/crypt/var

# mount /dev/ad0s2.elie /mnt/crypt/tmp

# mount /dev/ad0s2.elif /mnt/crypt/usr

  • Start the installation:

# export DESTDIR=/mnt/crypt

# cd /dist/8.0-RELEASE/base ; ./install.sh

# cd /dist/8.0-RELEASE/kernels ; ./install.sh GENERIC

Your system is now installed, but it needs the finishing touch:

# rmdir /mnt/crypt/boot/kernel

# mv /mnt/crypt/boot/GENERIC /mnt/crypt/boot/kernel

# cp -Rpv /mnt/crypt/boot /mnt/boot/

# echo geom_eli_load=\"YES\" >> /mnt/boot/boot/loader.conf

  • Edit /mnt/crypt/etc/fstab:

/dev/ad0s2.elia   /            ufs      rw         1    1
/dev/ad0s2.elib   none         swap     sw         0    0
/dev/ad0s2.elid   /var         ufs      rw         2    2
/dev/ad0s2.elie   /tmp         ufs      rw         2    2
/dev/ad0s2.elif   /usr         ufs      rw         2    2
/dev/acd0         /mnt/cdrom   cd9660   ro,noauto  0    0
proc              /proc        procfs   rw         0    0

# cp /mnt/crypt/etc/fstab /mnt/boot/etc/fstab

  • Reboot, remove the cdrom, wait for the bootloader in your MBR to start, and select F1: FreeBSD (which is actually the unencrypted partition)

  • Enter the password for your encrypted fs and then log in as root (it will not ask for a password, so you need to set one)

# passwd

Now you have a fully encrypted FreeBSD 8.0 system installed. =) Have fun.
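
A sanity check for the fstab and loader.conf written in the steps above, as an added example that is not part of the original guide: it lists any ufs or swap entry that does not sit on a geli (.eli) provider and confirms that geom_eli is loaded at boot. The function names, the temporary sample files and the /dev/ad0s1b device in the bad sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide); sample data below is constructed.

# Print every ufs/swap device in an fstab that is not a geli (.eli) provider.
# Returns 0 when all of them are encrypted, 1 otherwise.
check_fstab() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }          # skip comments and blank lines
        ($3 == "ufs" || $3 == "swap") && $1 !~ /\.eli[a-h]?$/ { print $1; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Return 0 when loader.conf loads geom_eli, which the loader needs in order
# to ask for the passphrase before the root filesystem is mounted.
check_loader_conf() {
    grep -Eq '^[[:space:]]*geom_eli_load="?YES"?[[:space:]]*$' "$1"
}

# Constructed sample input: entries taken from the guide's fstab, plus a
# variant whose swap line names a plain device (hypothetical /dev/ad0s1b).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/fstab.good" <<'EOF'
/dev/ad0s2.elia   /            ufs      rw         1    1
/dev/ad0s2.elib   none         swap     sw         0    0
/dev/ad0s2.elid   /var         ufs      rw         2    2
/dev/acd0         /mnt/cdrom   cd9660   ro,noauto  0    0
proc              /proc        procfs   rw         0    0
EOF
sed 's|ad0s2\.elib|ad0s1b|' "$SAMPLES/fstab.good" > "$SAMPLES/fstab.bad"
echo 'geom_eli_load="YES"' > "$SAMPLES/loader.conf"

for f in "$SAMPLES/fstab.good" "$SAMPLES/fstab.bad"; do
    if leaks=$(check_fstab "$f"); then
        echo "$f: all ufs/swap entries are on .eli providers"
    else
        echo "$f: UNENCRYPTED: $leaks"
    fi
done
check_loader_conf "$SAMPLES/loader.conf" && echo "loader.conf: geom_eli is loaded at boot"
```

From the fixit shell, the same functions can be pointed at /mnt/crypt/etc/fstab and /mnt/boot/boot/loader.conf before the reboot step.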