
Encryption support in installer?


fonz
November 21st, 2008, 13:26
Hi all,

Suppose you wish to have most (if not all) of your partitions encrypted, including the root partition. Can this be done during installation of FreeBSD or does it have to be set up afterward?

In the latter case, what would be the recommended procedure? According to the handbook, setting up disk encryption requires the creation of a new filesystem, thus destroying a partition's current contents, which I guess would lead to cumbersome backup-and-restore trickery.

Thanks in advance,

Fonz

oliverh
November 21st, 2008, 13:31
Have a look, http://forums.freebsd.org/showthread.php?t=184

fonz
November 21st, 2008, 14:14
Have a look, http://forums.freebsd.org/showthread.php?t=184

I think I'm getting some ideas now, thanks.

Fonz

graudeejs
November 21st, 2008, 16:13
it's not supported by sysinstall...
However you can install FreeBSD, compile a custom kernel and then using dump and restore make most of your drives/slices/partitions encrypted.

If you want to encrypt everything, you need to create bootable usb pen drive (very easy):
use sysinstall to create bootable partition (in sysinstall press w to write to disk), quit sysinstall.
then create image of usb pen using dd.
mounting using dd

then read this
http://daemonforums.org/showthread.php?t=1538
follow instructions to install system to pen image....
(you only need to install base and kernel)

rewrite kernel with your custom kernel (generic ain't got geli)


umount pen image and dd it to usb pen drive
reboot (make sure your PC supports boot from usb pen drive)

do your thing....
I think I will write guide for this.
it's pretty simple

fonz
November 21st, 2008, 17:34
it's not supported by sysinstall...

Then again, a link in another thread about this subject pointed to a paper by Marc Schiesser. Apparently, sysinstall can be circumvented altogether:

boot the live FS
load the GELI/GBDE kernel module
partition and format the disks
extract the dist sets you need (manually, that is)
perform additional configging
done


I think I'm going to try both approaches on a test box to see which one I like better.

In fact, if I have enough spare time on my hands I might even have a go at writing a new installer that's capable of handling encryption. Sounds like a blast ;)

Anyway, thanks for your input. I'll try it out for sure.

Fonz

graudeejs
November 21st, 2008, 18:43
Then again, a link in another thread about this subject pointed to a paper by Marc Schiesser. Apparently, sysinstall can be circumvented altogether:

boot the live FS
load the GELI/GBDE kernel module
partition and format the disks
extract the dist sets you need (manually, that is)
perform additional configging
done


I think I'm going to try both approaches on a test box to see which one I like better.

In fact, if I have enough spare time on my hands I might even have a go at writing a new installer that's capable of handling encryption. Sounds like a blast ;)

Anyway, thanks for your input. I'll try it out for sure.

Fonz

LiveFS CD uses the generic kernel. The generic kernel (at least on CD) doesn't support geli.
I just tried it, to make sure, using qemu.

fonz
November 21st, 2008, 19:37
LiveFS CD uses the generic kernel. The generic kernel (at least on CD) doesn't support geli.
I just tried it, to make sure, using qemu.

Ah, that's something to look into. Perhaps things were different when that particular paper was being written.

Fonz

graudeejs
November 21st, 2008, 19:57
Ah, that's something to look into. Perhaps things were different when that particular paper was being written.

Fonz

You need to either build a custom CD or USB pen drive, or use another HDD.

michal
January 11th, 2009, 20:24
All you need to install FreeBSD on a completely encrypted drive is the installation media; you just have to do it manually because sysinstall doesn't support GELI yet.

The GENERIC kernel is not compiled with geom_eli, but you can always load it as a kernel module. Go to fixit mode and:

ln -s /dist/boot/kernel /boot/kernel
ln -s /dist/lib /lib
kldload geom_eli

Now you have GELI support and you don't need to muck about with extra drives or custom CDs as long as you boot with the DVD media of 7.1-RELEASE.
It is a bit more complicated with 7.0-RELEASE because the fixit environment is not on the installation CD (or the installation files are not on the livefs CD); in this case you need to boot your system with livefs and then mount disc1.iso from an external drive, or use a second CD-ROM drive with disc1.

You can take a wee look at:
http://infosec.pl/mb/garage/freebsd_disk_encryption.html
Unfortunately it's not in English, but you should get the idea by looking at command lines.
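As an added example (not part of the thread and not michal's own script), the fixit-mode steps from the post above, plus the usual follow-on of initialising one partition with geli, are wrapped in a re-runnable sh script. The provider name, mount point, key file location and backup directory are assumptions for illustration. The script does two things a practitioner wants before writing GELI metadata: it checks that the target provider is not mounted (geli init overwrites the provider's last sector and newfs destroys the rest), and it supports DRY_RUN=1 so the exact command sequence can be reviewed before anything touches the disk.

```shell
#!/bin/sh
# Added example, not from the thread: wrap michal's fixit-mode GELI steps.
# Provider names, KEYFILE, BACKUPDIR and the mount point are assumptions.
# DRY_RUN=1 prints each privileged command instead of executing it.

DRY_RUN="${DRY_RUN:-0}"
KEYFILE="${KEYFILE:-/tmp/geli.key}"          # assumed: fixit has a writable /tmp
BACKUPDIR="${BACKUPDIR:-/tmp/geli-backup}"   # assumed: where metadata backups go

# run CMD...: execute, or echo with a "+ " prefix when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# The three commands from the post: point the fixit environment at the
# kernel modules and libraries on the DVD, then load the GELI class.
# Each step is skipped if it has already been done, so re-running is safe.
load_geli() {
    [ -e /boot/kernel ] || run ln -s /dist/boot/kernel /boot/kernel
    [ -e /lib ]         || run ln -s /dist/lib /lib
    if kldstat -q -m g_eli 2>/dev/null; then
        echo "geom_eli already loaded"
    else
        run kldload geom_eli
    fi
}

# is_mounted PROVIDER: true if /dev/PROVIDER appears in mount(8) output
is_mounted() {
    mount 2>/dev/null | grep -q "^/dev/$1 on "
}

# encrypt_partition PROVIDER MOUNTPOINT, e.g. encrypt_partition ad0s1d /mnt/home
# AES with a 256-bit key, 4 KiB sectors (less per-sector overhead than 512),
# passphrase plus a random key file, and a metadata backup kept in BACKUPDIR.
encrypt_partition() {
    dev="$1"; mnt="$2"
    case "$dev" in
        /dev/*)  echo "give the provider name without /dev/ (e.g. ad0s1d)" >&2; return 1 ;;
        ""|*' '*) echo "bad provider name" >&2; return 1 ;;
    esac
    if is_mounted "$dev"; then
        echo "/dev/$dev is mounted; unmount it first" >&2
        return 1
    fi
    run mkdir -p "$BACKUPDIR"
    # 64 random bytes as the key file; geli combines it with the passphrase
    [ -f "$KEYFILE" ] || run dd if=/dev/random of="$KEYFILE" bs=64 count=1
    run geli init -s 4096 -e aes -l 256 -B "$BACKUPDIR/$dev.eli" -K "$KEYFILE" "/dev/$dev"
    run geli attach -k "$KEYFILE" "/dev/$dev"
    run newfs -U "/dev/$dev.eli"
    run mkdir -p "$mnt"
    run mount "/dev/$dev.eli" "$mnt"
}

# Only acts when invoked as:  sh thisscript run ad0s1d /mnt/home
case "${1:-}" in
    run) load_geli && encrypt_partition "$2" "$3" ;;
esac
```

Run it once with DRY_RUN=1 to read the command list, then without. Keep the key file and the metadata backup somewhere other than the encrypted partition itself, since both are needed to attach the provider again after a reboot (the backup is what geli restore uses if the metadata sector is ever damaged).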

michal
January 10th, 2011, 16:10
Just an update regarding the link in my previous post, just in case somebody still needs it. The site is now available at:
http://www.nonspace.net/bsd/freebsd_disk_encryption.html