There are many ways to do this, as presented on the forum, but this is the simplest method I've used.
This assumes you are using UFS for your disks. I will encrypt my AsusEEE which I carry with me everywhere and holds sensitive data.
This guide will encrypt the whole disk, while using another small partition as /boot to boot the system.
1. Boot installation CD/USB, go to "Live CD".
2. Destroy previous partitioning
Code:
dd if=/dev/zero of=/dev/ada0 bs=512 count=1
Note: If you previously used the GPT scheme on this disk, destroy it with
Code:
gpart destroy -F ada0
3. Use gpart to create partitions/bsdlabels
Code:
gpart create -s mbr ada0
gpart add -t freebsd -a 4k -s 768m ada0 # This is /boot, enough to hold two full kernels
gpart add -t freebsd -a 4k ada0 # This will be encrypted
gpart create -s bsd ada0s1
gpart add -t freebsd-ufs -a 4k ada0s1
gpart bootcode -b /boot/mbr ada0
gpart bootcode -b /boot/boot ada0s1
gpart set -a active -i 1 ada0
4. Label second partition
Code:
glabel label -v eee /dev/ada0s2
5. Init/attach geli
Code:
geli init -b -s4096 -l256 /dev/label/eee
geli attach /dev/label/eee
Note: the speed difference between AES128 and AES256 is minimal at best; use AES256.
6. Now create bsdlabels for that second partition:
Code:
gpart create -s bsd /dev/label/eee.eli
gpart add -t freebsd-ufs -s 768m /dev/label/eee.eli # /
gpart add -t freebsd-swap -s 512m /dev/label/eee.eli # swap
gpart add -t freebsd-ufs -s 512m /dev/label/eee.eli # /var
gpart add -t freebsd-ufs -s 512m /dev/label/eee.eli # /tmp
gpart add -t freebsd-ufs -s 10g /dev/label/eee.eli # /usr
gpart add -t freebsd-ufs /dev/label/eee.eli # /home
Note: YMMV.
7. newfs everything you created so far:
Code:
newfs /dev/ada0s1a
newfs -j /dev/label/eee.elia
newfs -j /dev/label/eee.elid
newfs -j /dev/label/eee.elie
newfs -j /dev/label/eee.elif
newfs -j /dev/label/eee.elig
8. Mount your base system:
Code:
mount /dev/label/eee.elia /mnt
mkdir /mnt/var
mkdir /mnt/usr
mkdir /mnt/home
mount /dev/label/eee.elid /mnt/var
mount /dev/label/eee.elif /mnt/usr
9. Install:
Code:
sh
cd /usr/freebsd-dist
export DESTDIR=/mnt
for file in base.txz kernel.txz doc.txz src.txz
do
cat $file | tar --unlink -xpJf - -C ${DESTDIR:-/}
done
10. Add stuff to loader.conf:
Code:
echo 'geom_eli_load="YES"' > /mnt/boot/loader.conf
echo 'vfs.root.mountfrom="ufs:/dev/label/eee.elia"' >> /mnt/boot/loader.conf
11. And to fstab:
Code:
cat > /mnt/etc/fstab << __EOF__
/dev/label/eee.elia / ufs rw 1 1
/dev/label/eee.elib none swap sw 0 0
/dev/label/eee.elid /var ufs rw 2 2
/dev/label/eee.elie /tmp ufs rw,noatime,async 2 2
/dev/label/eee.elif /usr ufs rw 2 2
/dev/label/eee.elig /home ufs rw 2 2
proc /proc procfs rw 0 0
__EOF__
Note: YMMV.
12. Finally, copy boot contents to first partition you'll be booting from:
Code:
mount /dev/ada0s1a /tmp
cp -Rvp /mnt/boot /tmp/
13. reboot
Additional notes:
- Remember that the /boot that gets read at boot time is sitting on a separate unencrypted partition, which was the whole point of creating it. This means that every change you make on the encrypted partition which holds /boot should be copied to the encrypted partition (such as building a new kernel, or adding a new nvidia.ko file, etc.).
You could have your separate /boot partition mounted the whole time, but I prefer not to.
You could also have /boot on a small USB stick that you plug in at boot time and unplug after booting is done.
Pointed out by @fonz, thank you.
- If you have a separate /tmp partition, don't forget to change its permissions like so:
Code:
chmod 1777 /mnt/tmp
(or wherever your /tmp is). I figured this is a given 'housekeeping' item, so I didn't mention it originally. Thanks for the reminder.
- If you get to the part where geli can't mount correctly (mountfrom... error), change (in loader.conf):
Code:
vfs.root.mountfrom=ufs:/dev/label/eee.elia
to
Code:
vfs.root.mountfrom=ufs:/dev/ada0s2.elia
(or wherever your encrypted root partition is).
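As an added example (not code from the original post), here is the same layout from steps 2 through 11 expressed as shell functions, with a dry-run mode so the destructive gpart/geli/newfs sequence can be reviewed before it touches a disk, plus a pre-reboot check for the mountfrom mismatch described in the notes. The disk name ada0, the glabel name eee and the partition sizes are taken from the guide; the DRY_RUN variable and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. Reproduces the guide's MBR + geli + UFS
# layout as functions. Assumed defaults: disk ada0, glabel "eee", DRY_RUN=1 (print only).

DISK=${DISK:-ada0}
LABEL=${LABEL:-eee}
ELI="/dev/label/${LABEL}.eli"
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 2-7: MBR with two slices, bsdlabel on the boot slice, geli on the second
# slice, bsdlabel inside the encrypted provider, then newfs. BSD label letters run
# a, b, d, e, f, g because 'c' is reserved for the whole slice, so /var is on 'd'.
build_layout() {
    run dd if=/dev/zero of="/dev/${DISK}" bs=512 count=1
    run gpart create -s mbr "$DISK"
    run gpart add -t freebsd -a 4k -s 768m "$DISK"      # s1: unencrypted /boot
    run gpart add -t freebsd -a 4k "$DISK"              # s2: everything else, encrypted
    run gpart create -s bsd "${DISK}s1"
    run gpart add -t freebsd-ufs -a 4k "${DISK}s1"
    run gpart bootcode -b /boot/mbr "$DISK"
    run gpart bootcode -b /boot/boot "${DISK}s1"
    run gpart set -a active -i 1 "$DISK"
    run glabel label -v "$LABEL" "/dev/${DISK}s2"
    run geli init -b -s4096 -l256 "/dev/label/${LABEL}"  # -b: ask for the passphrase at boot
    run geli attach "/dev/label/${LABEL}"
    run gpart create -s bsd "$ELI"
    run gpart add -t freebsd-ufs  -s 768m "$ELI"   # a: /
    run gpart add -t freebsd-swap -s 512m "$ELI"   # b: swap
    run gpart add -t freebsd-ufs  -s 512m "$ELI"   # d: /var
    run gpart add -t freebsd-ufs  -s 512m "$ELI"   # e: /tmp
    run gpart add -t freebsd-ufs  -s 10g  "$ELI"   # f: /usr
    run gpart add -t freebsd-ufs          "$ELI"   # g: /home
    run newfs "/dev/${DISK}s1a"
    for p in a d e f g; do
        run newfs -j "${ELI}${p}"
    done
}

# Step 11: fstab generated from the same ELI variable the layout used,
# so the device names cannot drift apart between the two.
gen_fstab() {
    cat <<EOF
${ELI}a / ufs rw 1 1
${ELI}b none swap sw 0 0
${ELI}d /var ufs rw 2 2
${ELI}e /tmp ufs rw,noatime,async 2 2
${ELI}f /usr ufs rw 2 2
${ELI}g /home ufs rw 2 2
proc /proc procfs rw 0 0
EOF
}

# Step 10: loader.conf; geom_eli must be loaded before the kernel can find /.
gen_loader_conf() {
    printf 'geom_eli_load="YES"\n'
    printf 'vfs.root.mountfrom="ufs:%sa"\n' "$ELI"
}

# Pre-reboot check: geom_eli_load must be set and the device in vfs.root.mountfrom
# must be the one fstab mounts on /, otherwise boot stops at the mountfrom prompt.
# Usage: check_boot_config <loader.conf> <fstab>; returns 0 when consistent.
check_boot_config() {
    loader=$1
    fstab=$2
    grep -q '^geom_eli_load="YES"' "$loader" || { echo "geom_eli_load is not set"; return 1; }
    mf=$(sed -n 's/^vfs\.root\.mountfrom="ufs:\(.*\)"$/\1/p' "$loader")
    root=$(awk '$2 == "/" { print $1 }' "$fstab")
    if [ -z "$mf" ] || [ "$mf" != "$root" ]; then
        echo "mountfrom '$mf' does not match fstab root '$root'"
        return 1
    fi
    echo "boot config consistent: root on $root"
}
```

Source the file in the live CD shell, read the output of `build_layout` with the default DRY_RUN=1, and only then run it with DRY_RUN=0; after installing, write `gen_loader_conf` and `gen_fstab` to /mnt/boot/loader.conf and /mnt/etc/fstab and run `check_boot_config` on those two files before copying /boot to the first slice and rebooting.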