Warning: the following howto will wipe your disk and delete all data on it! Be safe. Make backups first. Or use VirtualBox to test it first!
I've found a nice howto on how to install FreeBSD with full disk encryption on ZFS. This could be a good choice for laptops where security is important. ZFS on top of ELI makes the filesystem resilient against crashes (power cut or whatever), and it gives you a range of nice options to use! No more fsck after an ungraceful shutdown. Snapshots. To name a few.
The basic steps are:
** From sysinstall, follow your basic FreeBSD installation scenario, making these slices:
Code:
ad0s1a / (2GB)
ad0s1b swap (2GB)
ad0s1d /space (the rest)
** Install a minimal FreeBSD, enough to get you going (it will have to fit on your 2GB /). After installation completes, eject CDROM/DVD, and reboot from hard disk.
** Once booted, free up your ad0s1b, and copy the current root partition (ad0s1a) onto it:
Code:
# swapoff -a
# newfs /dev/ad0s1b
# mount /dev/ad0s1b /mnt
# cd /
# tar cf - --one-file-system * | tar xpf - -C /mnt
** Now edit your /mnt/etc/fstab, and set your ad0s1b entry so that it is your root:
Before:
Code:
/dev/ad0s1b none swap sw 0 0
After:
Code:
/dev/ad0s1b / ufs rw 1 1
** Comment out all other entries.
** Now reboot again. At the bootloader, press space, and boot from the b-slice by entering:
Code:
0:ad(0,b)/boot/loader
Your system should boot normally. When you log in, type 'mount' to verify that you are now booted and running from ad0s1b instead of ad0s1a.
Now we can start the ELI/ZFS configuration on the largest part of the disk (ad0s1d).
Code:
# geli init -b -v -s 4096 /dev/ad0s1d
The -b flag causes geli to ask for the passphrase at boot, when the kernel module is loaded via /boot/loader.conf.
Code:
# geli attach ad0s1d
We should now have an encrypted ad0s1d.eli available (try 'geli list'). On this device we create a ZFS pool:
Code:
# zpool create tank ad0s1d.eli
** Now we create /boot on the ZFS pool, which will actually live on ad0s1a:
Code:
# newfs /dev/ad0s1a
# mkdir /tank/bootdir
# mount /dev/ad0s1a /tank/bootdir
# cp -Rp /boot /tank/bootdir/
# ln -sf /tank/bootdir/boot /tank/boot
The last line is only needed to make 'installkernel' behave normally, but it might be broken. See "fixing /boot" later on to fix this.
** Edit /tank/boot/loader.conf to contain the following:
Code:
zfs_load="YES"
geom_eli_load="YES"
hint.kbdmux.0.disabled=1
(note that this file is actually on ad0s1a!)
** Create /tank/bootdir/etc/fstab so the kernel knows what fs to mount the root from:
Code:
# mkdir /tank/bootdir/etc
# vi /tank/bootdir/etc/fstab
It should contain:
Code:
tank / zfs rw 0 0
** Now create your actual fstab (/tank/etc/fstab):
Code:
tank / zfs rw 0 0
/dev/ad0s1a /bootdir ufs rw 1 1
You can use the ad0s1b later on to create swap again, or even encrypted swap (better of course).
** Now tell ZFS not to mount tank automatically, as it will be used for the root filesystem:
Code:
# zfs set mountpoint=legacy tank
You can ignore the busy error message.
That's it. Reboot, and you're done.
Fixing /boot:
I haven't figured this out yet, but as said your kernel (/boot) comes from ufs:ad0s1a. This means that once you're booted, /boot should actually point to ad0s1a somehow, or kernel updates will never work.
To do this, once booted and assuming ad0s1a is mounted on /bootdir, I did:
Code:
# cd /
# rm -rf boot    # removes the copy of /boot on the ZFS pool, which is never used anyway
# ln -s bootdir/boot .
Now you should be able to run freebsd-update and such, or even make world/kernel.
Just always check that /boot/loader.conf (so actually ufs:ad0s1a/boot/loader.conf) is there and that eli and zfs are loaded from it, otherwise you will not be able to boot.
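Since a missing geom_eli_load/zfs_load line or a wrong root entry in either fstab leaves the box unbootable, here is a small pre-reboot sanity check for the loader.conf and fstab files written above. This is an added example, not part of the original howto: the two functions, the file paths they take, and the sample file contents in the demo are all constructed for illustration, and it is plain POSIX sh so it can be tried on any system before pointing it at /tank/boot/loader.conf, /tank/bootdir/etc/fstab and /tank/etc/fstab.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the loader.conf and
# fstab files from the howto before rebooting into the ELI/ZFS root.

# check_loader_conf FILE
# Returns 0 only if FILE enables both zfs_load and geom_eli_load with an
# uncommented line; returns 1 and reports each missing setting otherwise.
check_loader_conf() {
    f=$1
    rc=0
    for var in zfs_load geom_eli_load; do
        # Accept  var="YES"  or  var=YES  at the start of a line (leading
        # whitespace allowed). Lines starting with '#' are comments and do not match.
        if ! grep -Eq "^[[:space:]]*${var}=\"?YES\"?[[:space:]]*$" "$f"; then
            echo "missing or commented out: ${var}=\"YES\" in $f" >&2
            rc=1
        fi
    done
    return $rc
}

# check_root_fstab FILE POOL
# Returns 0 only if FILE has exactly one entry for mountpoint / and that entry
# is "<POOL> / zfs ..." (the legacy ZFS root the howto sets up).
check_root_fstab() {
    f=$1
    pool=$2
    # Skip comment lines, keep "<device> <fstype>" of entries whose mountpoint is /
    roots=$(awk '$1 !~ /^#/ && $2 == "/" { print $1, $3 }' "$f")
    n=$(printf '%s\n' "$roots" | grep -c . || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one / entry in $f, found $n" >&2
        return 1
    fi
    if [ "$roots" != "$pool zfs" ]; then
        echo "root entry in $f is '$roots', expected '$pool zfs'" >&2
        return 1
    fi
    return 0
}

# demo: constructed sample files, one good and one bad of each kind
demo() {
    d=$(mktemp -d)
    printf 'zfs_load="YES"\ngeom_eli_load="YES"\nhint.kbdmux.0.disabled=1\n' > "$d/good.conf"
    printf '#zfs_load="YES"\ngeom_eli_load="YES"\n' > "$d/bad.conf"
    printf 'tank / zfs rw 0 0\n/dev/ad0s1a /bootdir ufs rw 1 1\n' > "$d/good.fstab"
    printf '/dev/ad0s1b / ufs rw 1 1\n' > "$d/old.fstab"   # the temporary ad0s1b root
    for c in good bad; do
        if check_loader_conf "$d/$c.conf" 2>/dev/null; then echo "$c.conf: OK"; else echo "$c.conf: FAIL"; fi
    done
    for c in good old; do
        if check_root_fstab "$d/$c.fstab" tank 2>/dev/null; then echo "$c.fstab: OK"; else echo "$c.fstab: FAIL"; fi
    done
    rm -rf "$d"
}

demo
```

Run it once as-is to see the demo, then call check_loader_conf /tank/boot/loader.conf and check_root_fstab /tank/etc/fstab tank (and the same on /tank/bootdir/etc/fstab) before the final reboot; a non-zero exit means the file is not in the state the howto requires.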