Hello, I have some trouble getting an encrypted root UFS to work properly.
I install the (EFI) boot partition on a USB stick (/dev/da5), with both a keyfile and a passphrase. The (root) partition is /dev/ad0p1, the swap /dev/ad0p2.
After that, because I use the vSphere hypervisor with FreeBSD 11.0/x64 as a guest, I have to convert the USB stick into a bootable ISO file; vSphere does not allow me to boot from USB.
I got a lot of information from someone who posted a howto on a site which I will not mention because of the FreeBSD Forum rules.
During installation I enter my passphrase; when I enter exactly the same passphrase while booting from the ISO file, FreeBSD tells me it's not correct.
During installation, I start a shell at partitioning time, and enter the following commands:
Code:
gpart destroy -F da5
gpart destroy -F da0
gpart create -s gpt da5
gpart add -t freebsd-boot -s 512k -a 4k da5
gpart add -t freebsd-ufs -l boot -s 900M -a 1M da5
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da5
gpart create -s gpt da0
gpart add -t freebsd-ufs -l root -b 1M -s 23G da0
gpart show da0
gpart add -t freebsd-swap -l swap -s 8GB da0
dd if=/dev/random of=/tmp/da0.key bs=64 count=1
geli init -b -e AES-XTS -l 256 -K /tmp/da0.key -i 1 -s 4096 da0p1
Here I enter the passphrase twice.
Code:
geli attach -k /tmp/da0.key da0p1
Here I enter the passphrase once, and it's accepted.
Code:
newfs -U /dev/da5p2
newfs -U /dev/da0p1.eli
mount /dev/da0p1.eli /mnt
mkdir /mnt/unenc
mount /dev/da5p2 /mnt/unenc
mkdir /mnt/unenc/metadata_restore_files
cp /var/backups/da0p1.eli /mnt/unenc/metadata_restore_files/
cp /tmp/da0.key /mnt/unenc/
mkdir /mnt/unenc/boot
ln -s unenc/boot /mnt/boot
Edit the file: /tmp/bsdinstall_etc/fstab
Code:
/dev/da0p1.eli / ufs rw 1 1
/dev/da0p2.eli none swap sw 0 0
Edit the file: /tmp/bsdinstall_boot/loader.conf
Code:
geom_eli_load="YES"
vfs.root.mountfrom="ufs:da0p1.eli"
Code:
exit
From here I complete the installation, pull out the USB stick, connect it to another FreeBSD box, and make a bootable EFI ISO this way:
Code:
cd ~
mkdir usbtoiso
Mount the USB stick at /mnt.
Code:
cp -aR /mnt/* usbtoiso
dd if=/dev/zero of=efiboot.img bs=4k count=150
mdconfig -a -t vnode -f efiboot.img
newfs_msdos -F 12 -m 0xf8 /dev/md0
mount -t msdosfs /dev/md0 /mnt
mkdir -p /mnt/efi/boot
cp ~/usbtoiso/boot/loader.efi /mnt/efi/boot/bootx64.efi
umount /mnt
mdconfig -d -u 0
makefs -t cd9660 -o bootimage='i386;efiboot.img' -o no-emul-boot -o rockridge -o label="Cryptoboot" -o publisher="Crypt" crypt-o-boot.iso usbtoiso
After booting from this ISO, at some point it asks me for my passphrase. I enter exactly the same passphrase, but it simply does not work.
I hope someone sees the problem, and I don't cause people a headache!
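The procedure above stages an ISO tree (~/usbtoiso) and relies on loader.conf to give the kernel what it needs to attach the root .eli provider. As an added example, not part of the original post, here is a small pre-flight check to run over such a staging tree before makefs. It verifies that boot/loader.efi is present, that geom_eli_load is set, that vfs.root.mountfrom names a ufs:<provider>.eli root and, where loader.conf configures a GELI key file with the geli_<provider>_keyfile0_load / _type / _name knobs documented in geli(8), that the referenced key file actually exists inside the tree. Everything else is constructed: the sample trees are built under mktemp, loader.efi is an empty placeholder and the key is random bytes standing in for the dd'd key.

```shell
#!/bin/sh
# Pre-flight check of a GELI boot ISO staging tree (the post's ~/usbtoiso) before
# running makefs. Added example, not the original poster's code. The only real
# interface it relies on is the loader.conf keyfile knobs from geli(8):
#   geli_<prov>_keyfile0_load / geli_<prov>_keyfile0_type / geli_<prov>_keyfile0_name
# The sample trees built below are constructed stand-ins (empty loader.efi, random key).

# conf_get FILE VAR -> print the double-quoted value of VAR from a loader.conf
conf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# check_tree DIR -> 0 if the tree has what the kernel needs to attach the root .eli
check_tree() {
    tree=$1 rc=0
    conf="$tree/boot/loader.conf"

    [ -f "$tree/boot/loader.efi" ] || { echo "FAIL: $tree: boot/loader.efi missing"; rc=1; }
    if [ ! -f "$conf" ]; then
        echo "FAIL: $tree: boot/loader.conf missing"; return 1
    fi
    [ "$(conf_get "$conf" geom_eli_load)" = YES ] \
        || { echo "FAIL: geom_eli_load is not YES, kernel cannot attach a .eli root"; rc=1; }

    # vfs.root.mountfrom="ufs:da0p1.eli" -> provider da0p1
    root=$(conf_get "$conf" vfs.root.mountfrom)
    case $root in
        ufs:*.eli) prov=${root#ufs:}; prov=${prov%.eli} ;;
        *) echo "FAIL: vfs.root.mountfrom='$root' is not a ufs:<provider>.eli root"; return 1 ;;
    esac

    # A key file given to 'geli init -K' is part of the user key, so the loader
    # must pass it to the kernel; the passphrase alone cannot reproduce it.
    if [ "$(conf_get "$conf" "geli_${prov}_keyfile0_load")" = YES ]; then
        ktype=$(conf_get "$conf" "geli_${prov}_keyfile0_type")
        kname=$(conf_get "$conf" "geli_${prov}_keyfile0_name")
        [ "$ktype" = "${prov}:geli_keyfile0" ] \
            || { echo "FAIL: keyfile0_type is '$ktype', expected '${prov}:geli_keyfile0'"; rc=1; }
        if [ -z "$kname" ] || [ ! -s "$tree$kname" ]; then
            echo "FAIL: keyfile0_name '$kname' is not inside the tree (looked at $tree$kname)"; rc=1
        fi
    else
        echo "WARN: no geli_${prov}_keyfile0_load entry; only a passphrase is available at boot"
    fi
    return $rc
}

# make_sample_tree DIR good|bad -> constructed staging tree for the check above.
# "good": the post's loader.conf plus keyfile knobs, key present under /boot.
# "bad":  keyfile knobs point at a key that was never copied into the tree, no loader.efi.
make_sample_tree() {
    dir=$1 kind=$2
    mkdir -p "$dir/boot"
    cat > "$dir/boot/loader.conf" <<'EOF'
geom_eli_load="YES"
vfs.root.mountfrom="ufs:da0p1.eli"
geli_da0p1_keyfile0_load="YES"
geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"
geli_da0p1_keyfile0_name="/boot/da0.key"
EOF
    if [ "$kind" = good ]; then
        : > "$dir/boot/loader.efi"   # placeholder, not a real loader
        # stand-in key, same shape as the post's dd of 64 random bytes
        dd if=/dev/urandom of="$dir/boot/da0.key" bs=64 count=1 2>/dev/null
    fi
}

work=$(mktemp -d)
make_sample_tree "$work/good" good
make_sample_tree "$work/bad" bad
check_tree "$work/good" && echo "$work/good: OK"
check_tree "$work/bad" || echo "$work/bad: rejected"
rm -rf "$work"
```

Run it as `check_tree ~/usbtoiso` after the `cp -aR` step and before makefs. The WARN branch is the one to read carefully: when a provider was initialised with `geli init -K keyfile` and a passphrase, the user key is derived from both, so a boot configuration that never loads the key file leaves the kernel with only the passphrase, and the attach fails even though the passphrase typed is correct. The key file path in geli_<provider>_keyfile0_name is resolved by the loader inside the boot file system, which is why the check looks for it relative to the staging tree rather than on the build host.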