
HOWTO : full disk encryption, fast way

Discussion in 'Howtos and FAQs (Moderated)' started by Zare, Nov 5, 2010.

  1. Zare

    Zare New Member

    ...using sysinstall, and no swap, but you can configure that later on your own. The target disk is ad0, and we'll use the complete drive for the FreeBSD install.

    Installation

    Boot the FreeBSD installer from your favourite medium. Allocate the whole disk for the FreeBSD slice. Inside that slice, allocate a 400MB UFS partition with the root mount point (/). Allocate the rest of the slice as the /mnt mount point. Proceed with the installation, install only the base system and kernel, and don't configure anything except the root password. Boot and log in as root to your new install.

    Preparation of GELI device

    Right now, the future-to-be root filesystem is an unencrypted, empty UFS filesystem. It wasn't necessary to create the filesystem itself, but it's the fastest way, so you don't need to label things manually outside the first installation step. Unmount it:

    Code:
    #umount /mnt
    
    For the sake of example, the small root filesystem is ad0s1a, and the empty future root is ad0s1d.
    Create the GELI keyfile:

    Code:
    #dd if=/dev/random of=/boot/key bs=64 count=1
    
    Now we initialize the GELI encrypted partition with that key, using the default encryption algorithm:

    Code:
    #geli init -b -s 4096 -K /boot/key /dev/ad0s1d
    
    Type your passphrase twice.
    Let's attach the partition to the system:

    Code:
    #geli attach -k /boot/key /dev/ad0s1d
    
    Type your passphrase. GELI will create the /dev/ad0s1d.eli block device, which you can access now.
    Let's create the filesystem:

    Code:
    #newfs /dev/ad0s1d.eli
    
    So now we have a UFS filesystem contained inside a GELI encrypted partition. This partition will be our encrypted root.

    Installation of root filesystem

    We'll just copy all relevant files from the small root to the new root partition. The small root will become the "boot" partition, containing only the kernel and the GELI keyfile for root mounting. Let's first mount the new root somewhere:

    Code:
    #mount /dev/ad0s1d.eli /mnt
    
    Now we copy the files:

    Code:
    #cp -p * /mnt
    #cp -Rvp .snap /mnt
    #cp -Rvp bin /mnt
    #cp -Rvp dev /mnt
    .
    .
    .
    
    Repeat the recursive directory copy for every subdirectory of root, except the boot directory and the mnt directory. Since we'll mount this directory as the root directory on next boot, we'll lose access to the original root filesystem, which contains the kernel. We'll do a trick around that:

    Code:
    #cd /mnt
    #mkdir mnt
    #mkdir mnt/boot
    #mount /dev/ad0s1a mnt/boot
    
    Edit /mnt/etc/fstab to reflect the new configuration:

    Code:
    # Device                Mountpoint      FStype  Options         Dump    Pass#
    /dev/ad0s1d.eli         /               ufs     rw              1       1
    /dev/ad0s1a             /mnt/boot       ufs     rw              2       2
    
    ...and symlink the mountpoint to /boot, so we have the original entry:

    Code:
    #ln -s /mnt/boot/boot /mnt/boot
    
    Enable GELI root mounting

    What's left is to tell the kernel that it needs to load GELI, tell GELI about the encrypted partition and keyfile so it can ask you for the passphrase and create the /dev access node, and again tell the kernel to mount root from that block device. So we edit /boot/loader.conf to contain this:

    Code:
    geom_eli_load="YES"
    geli_ad0s1d_keyfile0_load="YES"
    geli_ad0s1d_keyfile0_type="ad0s1d:geli_keyfile0"
    geli_ad0s1d_keyfile0_name="/boot/key"
    vfs.root.mountfrom="ufs:ad0s1d.eli"
    
    And it's done. Reboot, you'll be asked for a passphrase, and you'll land in the encrypted root filesystem.
    Afterwards, you can access the original small root partition at /mnt/boot and wipe everything except the boot (/mnt/boot/boot) subdirectory.
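    As an added example (my own script, not part of Zare's post), a pre-reboot sanity check that the loader.conf hints, the fstab and the keyfile from the steps above all agree on one provider, so a typo in a single hint is caught before the machine fails to boot. The sample files it writes are constructed from the tutorial's values, and the optional keyfile-path argument is an assumption for dry runs on another machine.

```sh
#!/bin/sh
# Added pre-reboot sanity check for the GELI root layout set up above.
# It verifies that loader.conf, fstab and the keyfile all name ONE provider,
# so a typo in a hint does not leave the machine unbootable. The third argument
# (keyfile path) is optional and overrides geli_*_keyfile0_name for dry runs.
fail() { echo "FAIL: $*" >&2; }

check_geli_root() {
    loader=$1; fstab=$2; key=$3
    grep -q '^geom_eli_load="YES"' "$loader" || { fail 'geom_eli_load="YES" missing'; return 1; }
    # Provider name behind vfs.root.mountfrom="ufs:<provider>.eli"
    prov=$(sed -n 's/^vfs\.root\.mountfrom="ufs:\(.*\)\.eli"$/\1/p' "$loader")
    [ -n "$prov" ] || { fail 'vfs.root.mountfrom does not name a .eli provider'; return 1; }
    # Every keyfile hint must be keyed by that same provider
    grep -q "^geli_${prov}_keyfile0_load=\"YES\"" "$loader" || { fail "geli_${prov}_keyfile0_load missing"; return 1; }
    ktype=$(sed -n "s/^geli_${prov}_keyfile0_type=\"\(.*\)\"$/\1/p" "$loader")
    [ "$ktype" = "${prov}:geli_keyfile0" ] || { fail "keyfile0_type is '$ktype', want '${prov}:geli_keyfile0'"; return 1; }
    name=$(sed -n "s/^geli_${prov}_keyfile0_name=\"\(.*\)\"$/\1/p" "$loader")
    [ -n "$name" ] || { fail "geli_${prov}_keyfile0_name missing"; return 1; }
    # fstab must mount / from the decrypted (.eli) device, not the raw partition
    awk -v dev="/dev/${prov}.eli" '$1 == dev && $2 == "/" { ok = 1 } END { exit !ok }' "$fstab" \
        || { fail "fstab has no / entry for /dev/${prov}.eli"; return 1; }
    # The key must exist and be the 64 bytes that dd wrote
    key=${key:-$name}
    [ -f "$key" ] || { fail "keyfile $key not found"; return 1; }
    [ "$(wc -c < "$key" | tr -d ' ')" -eq 64 ] || { fail "keyfile $key is not 64 bytes"; return 1; }
    echo "OK: / on /dev/${prov}.eli, keyfile $name"
}

# Constructed sample files mirroring the tutorial (not taken from a real host)
tmp=$(mktemp -d)
cat > "$tmp/loader.conf" <<'EOF'
geom_eli_load="YES"
geli_ad0s1d_keyfile0_load="YES"
geli_ad0s1d_keyfile0_type="ad0s1d:geli_keyfile0"
geli_ad0s1d_keyfile0_name="/boot/key"
vfs.root.mountfrom="ufs:ad0s1d.eli"
EOF
cat > "$tmp/fstab" <<'EOF'
/dev/ad0s1d.eli  /          ufs  rw  1  1
/dev/ad0s1a      /mnt/boot  ufs  rw  2  2
EOF
dd if=/dev/urandom of="$tmp/key" bs=64 count=1 2>/dev/null
check_geli_root "$tmp/loader.conf" "$tmp/fstab" "$tmp/key"
# A provider typo in one hint (ad0s1b instead of ad0s1d) is caught before reboot
sed 's/_type="ad0s1d:/_type="ad0s1b:/' "$tmp/loader.conf" > "$tmp/bad.conf"
check_geli_root "$tmp/bad.conf" "$tmp/fstab" "$tmp/key" || echo "(mismatch caught, as intended)"
```

    On the real machine, run it before rebooting as `check_geli_root /boot/loader.conf /mnt/etc/fstab` so the key is read from the /boot/key path the hint names.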
     
  2. gryzor

    gryzor New Member

    A couple of comments

    TY for this guide, works great overall.
    I have a few fixes to add though, with 8.1 (on an AMD64 system, if this matters).
    * an initial / of 400MB was not sufficient for me. 500M was fine (this is probably because amd64 binaries are bigger than 32-bit ones?)
    * warning to non-US keyboard users: DO NOT set a passphrase with accents or special characters that the US keyboard cannot address. The keymap is loaded AFTER you have to enter your passphrase at boot time.
    * The "/mnt/mnt/boot/boot" symlink seems to be wrong. "/mnt/boot/boot" was better for me.
     
  3. Zare

    Zare New Member

    Thx gryzor, fixed that symlink. Better late than never :)
    Btw, does your nickname have anything to do with the old game named Contra?
     
  4. Crivens

    Crivens Member

    You can compile a keymap into the kernel when you do not want the US map. Then it works great. But that adds another step to the process, which would be to build a kernel. One can do that on another machine and set up the disk with e.g. a USB adapter.
     
  5. grigorovl

    grigorovl New Member

    Great guide, I was able to get it working in 9.0-RC3 AMD64 with some tweaks. Here are some notes on things that didn't work for me / that I had to change:

    * I couldn't get a bootable partition unless I added the 64KB "freebsd-boot" type partition in the new 9.0 installer. So I ended up with a 64KB boot, a 1GB temporary small root and the rest for the geli root.
    * I had to use 1GB for the small root, or it ran out of space during install (only base and kernel).
    * This didn't work as the partition was in use, so I just skipped it. After reboot, /etc/fstab picked it up just fine.
    Code:
    #mount /dev/ad0s1a mnt/boot
    * After reboot, I was unable to remove some directories from the small root. They had files inside which couldn't be removed, even in single-user mode. The error is "Operation not permitted." I just left those folders and files be; after all, the small root is only used for boot.
     
  6. ryu

    ryu New Member

    I have the same problem.
    Code:
    #mount /dev/ad0s1a mnt/boot
    There is always this error:
    Code:
    Device is busy
    I guess this tutorial doesn't work for FreeBSD 9.0-RELEASE.
     
  7. bbzz

    bbzz New Member
