HOWTO: Quick GELI encryption guide

ryu said:
I found an installer script for FreeBSD 9.0 and was wondering if it would be possible to implement the encryption part in this script?

I'm not asking for someone doing it, just wondering if it would be possible at all, for example with a preconfigured passphrase in the script.
Such a script won't be very flexible (e.g. in terms of partitioning layout), but at first glance I'm inclined to say that it should be possible. Also note that geli(8) can accept passwords stored in files (not to be confused with keyfiles), so the password entering should not be a problem in this case.

Fonz
 
I'm having trouble trying to follow this recipe to create an encrypted root. I'm using VirtualBox on Win 7, and booting the 9.0 Release DVD.

During step 3, after I add ada0s1 and ada0s2, when I attempt
# gpart create -s bsd ada0s1
I get
Code:
gpart: geom 'ada0s1': File exists.

If I continue with the gpart add ... after this failure, I get
Code:
gpart:size '0': Invalid argument

As far as I can tell I've typed exactly what is shown. Can someone please point me in the right direction? Thanks!
 
You had ada0s1 from previous configuration. Try destroying both FreeBSD and MBR scheme with
# gpart destroy -F ada0s1
# gpart destroy -F ada0s2
# gpart destroy -F ada0
 
This guide works properly already. None of those issues you mentioned have anything to do with this guide.
 
Don't get me wrong, I like your guide, I just have problems when I go this way. No problems when using bsdinstall though.

DutchDaemon said:
You should figure out what changed the permissions on /tmp, because the settings you had were really likely to break all kinds of stuff.

kpa said:
It looks like the tutorial fails to mention that /tmp needs special permissions that have to be applied after the partition for /tmp is mounted. It's easy to forget that when you have a separate partition for /tmp; I've made that mistake myself a couple of times.

http://forums.freebsd.org/showthread.php?t=32738

So what exactly do I need to change to avoid this problem? Or was it not caused by this guide?
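Not part of the thread: an added POSIX sh example of the check kpa describes, verifying that a separately mounted /tmp carries mode 1777 (world-writable with the sticky bit) and repairing it when it does not. The function names and the directory argument are assumptions; the demonstration runs on a scratch directory rather than the live /tmp.

```shell
#!/bin/sh
# Added example: check and repair the mode of a separately mounted /tmp.
# A freshly newfs'd partition mounted on /tmp comes up as 0755, not the
# 1777 (drwxrwxrwt) the base system expects, which breaks anything that
# needs to create files there as an unprivileged user.

# tmp_mode_ok DIR -> 0 when DIR is drwxrwxrwt (mode 1777), 1 otherwise.
# ls -ld is used instead of stat(1) because stat's flags differ between
# FreeBSD and other systems, while the permission string is portable.
tmp_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        drwxrwxrwt) return 0 ;;
        *)          return 1 ;;
    esac
}

# fix_tmp_mode DIR -> reports the state found and enforces 1777 if needed.
# Returns 0 if the mode was already correct, 2 if it had to be corrected.
fix_tmp_mode() {
    dir=$1
    if tmp_mode_ok "$dir"; then
        echo "$dir: mode already 1777, nothing to do"
        return 0
    fi
    echo "$dir: mode is $(ls -ld "$dir" | cut -c1-10), setting 1777"
    chmod 1777 "$dir"
    return 2
}

# Constructed demonstration on a scratch directory (the real /tmp is untouched).
demo_dir=$(mktemp -d)
chmod 0755 "$demo_dir"   # simulate a newly mounted, never-fixed /tmp partition
fix_tmp_mode "$demo_dir" || true   # first pass repairs (returns 2)
fix_tmp_mode "$demo_dir"           # second pass finds nothing to do
rmdir "$demo_dir"
```

On a real system the call would be fix_tmp_mode /tmp, run once after the partition is mounted (for example from rc.local).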
 
error 19

I am getting an error (after reboot) with this guide using FreeBSD 9 as guest OS with KVM ->
"mounting from ufs:/dev/label/eee.elia failed with error 19"

I followed the instructions and double-checked for mistakes. Any ideas?
 
While examining the procedure to perform an installation with full hard disk encryption, I stumbled upon the interesting feature of geli to suspend and resume encrypted devices, which makes it ideal on a laptop/netbook when using suspend-to-RAM.

Unfortunately there seems to be a catch with resume when using full hard disk encryption:
geli manpage said:
The caller must ensure that executing this subcommand won't try to access the suspended device, which will lead to a deadlock. For example, suspending a device which contains the file system where the geli utility is stored is a bad idea.
Any idea if there is any way to overcome that issue?

Maybe full hard disk encryption is not the way to go after all? But what's the safest way to protect all your data AND use geli suspend/resume on a laptop/netbook then? I mean, which filesystems should be put in separate partitions for encryption to have it all covered?

Another related issue:
geli manpage said:
The suspend subcommand does not work with devices created with the onetime subcommand.
So would it be a bad idea to use onetime encryption for the swap partition in matters of using suspend-to-RAM? Which approach for encrypting swap would be the most appropriate to use then?
 
MasterOne said:
But what's the safest way to protect all your data AND use geli suspend/resume on a laptop/netbook then?
There isn't one. You either encrypt the whole disk, or you encrypt something like the /home partition. Decide what's more important to you, full disk encryption or suspend/resume. Suspend/resume doesn't even work in my case.

Which approach for encrypting swap would be the most appropriate to use then?

The one in this guide. There is no onetime geli encryption for swap.
 