Here is a guide I made for myself to install a FreeBSD GELI completely encrypted system. Tried with FreeBSD 7.0, 7.2 and 8.0-RC1.
The USB pendrive used here only contains the keys; /boot stays on the hard drive.
This howto requires a computer (obviously), a USB pendrive (to store the keys) and a FreeSBIE live CD (needed for the install).
At the end of this guide you will have a fully encrypted system: AES at 256 bit for the filesystems, Blowfish for swap, a passphrase as the key for root, and the keys for the other slices (/usr, /var, ...) split into one half kept in the root filesystem and one half kept on the pendrive. So you cannot boot without the pendrive, nor without the passphrase; obviously you may adapt this configuration to your needs.
Start the computer from the CD-ROM; when you reach the console, become root:
# su -
and start sysinstall:
# sysinstall
In sysinstall choose "custom install".
Options -> change "Media Type" to point to your nearest FTP server (if you are using DHCP the network is already set up; if not, configure it with ifconfig from a second console).
Also change "Install Root" to "/mnt".
Partition -> allocate space for one BSD partition (note the disk name, e.g. 'ad10'), quit and install the boot manager.
(Note: my SATA drive is called ad10 by the kernel (you will see it during partitioning) but the boot loader sees it as disk1 (you can read this during the boot process).)
Label -> create following slice scheme:
Code:
100MB / ad10s1a (ignore warning)
400MB /boot ad10s1d
1024MB swap ad10s1b
5120MB /tmp ad10s1e
5120MB /var ad10s1f
remaining /usr ad10s1g
(The following step is necessary to fool sysinstall, as it does not allow anything other than / to be put in slice 'a'.)
Before continuing you have to swap the mount point names:
/ becomes /boot, and /boot becomes /
The final scheme has to look like this:
Code:
100MB /boot ad10s1a
400MB / ad10s1d
1024MB swap ad10s1b
5120MB /tmp ad10s1e
5120MB /var ad10s1f
remaining /usr ad10s1g
(Note: set the sizes of swap, /tmp, /var and /usr to your needs. You may want a separate /home. If you want one big /, make ad10s1d span the entire disk minus the swap space.)
Finish editing the slices once you are sure that /boot is on slice 'a'.
Distribution -> select the smallest system possible:
- select Custom
- select base, kernels, man
And finally commit.
Once it has finished, exit sysinstall and return to the console.
Mount the newly created system in the live system:
# mount /dev/ad10s1d /mnt
Place the boot files in /mnt/mntboot/boot/ and create a link to them:
Code:
# cd /mnt/
# rmdir boot
# mkdir mntboot
# mount /dev/ad10s1a /mnt/mntboot
# cd mntboot
# mkdir tmp
# mv * tmp
# mv tmp boot
# cd /mnt/
# ln -s mntboot/boot boot
Make a backup of our minimal /tmp, /var and /usr:
Code:
# cd /mnt
# mount /dev/ad10s1e tmp
# mount /dev/ad10s1f var
# mount /dev/ad10s1g usr
# tar cf back.tar tmp var usr
# umount /mnt/tmp /mnt/var /mnt/usr
Plug in the USB pendrive that will store the keys; it should appear as /dev/da0:
Code:
# mkdir /mnt/etc/geli
# newfs_msdos -F32 /dev/da0
# mount_msdosfs /dev/da0 /mnt/mnt
Create the key files and initialise the encrypted slices for /tmp, /var and /usr:
Code:
# dd if=/dev/random of=/mnt/etc/geli/TAYGETA_tmp.key1 bs=64 count=1
# dd if=/dev/random of=/mnt/mnt/TAYGETA_tmp.key2 bs=64 count=1
# dd if=/dev/random of=/dev/ad10s1e bs=1m
# cat /mnt/etc/geli/TAYGETA_tmp.key1 /mnt/mnt/TAYGETA_tmp.key2 | \
geli init -e AES -l 128 -s 4096 -P -K - /dev/ad10s1e
# cat /mnt/etc/geli/TAYGETA_tmp.key1 /mnt/mnt/TAYGETA_tmp.key2 | \
geli attach -p -k - /dev/ad10s1e
# newfs -O2 -U /dev/ad10s1e.eli
# mount /dev/ad10s1e.eli /mnt/tmp
# dd if=/dev/random of=/mnt/etc/geli/TAYGETA_var.key1 bs=64 count=1
# dd if=/dev/random of=/mnt/mnt/TAYGETA_var.key2 bs=64 count=1
# dd if=/dev/random of=/dev/ad10s1f bs=1m
# cat /mnt/etc/geli/TAYGETA_var.key1 /mnt/mnt/TAYGETA_var.key2 | \
geli init -e AES -l 128 -s 4096 -P -K - /dev/ad10s1f
# cat /mnt/etc/geli/TAYGETA_var.key1 /mnt/mnt/TAYGETA_var.key2 | \
geli attach -p -k - /dev/ad10s1f
# newfs -O2 -U /dev/ad10s1f.eli
# mount /dev/ad10s1f.eli /mnt/var
# dd if=/dev/random of=/mnt/etc/geli/TAYGETA_usr.key1 bs=64 count=1
# dd if=/dev/random of=/mnt/mnt/TAYGETA_usr.key2 bs=64 count=1
# dd if=/dev/random of=/dev/ad10s1g bs=1m
# cat /mnt/etc/geli/TAYGETA_usr.key1 /mnt/mnt/TAYGETA_usr.key2 | \
geli init -e AES -l 128 -s 4096 -P -K - /dev/ad10s1g
# cat /mnt/etc/geli/TAYGETA_usr.key1 /mnt/mnt/TAYGETA_usr.key2 | \
geli attach -p -k - /dev/ad10s1g
# newfs -O2 -U /dev/ad10s1g.eli
# mount /dev/ad10s1g.eli /mnt/usr
Randomize swap slice:
# dd if=/dev/random of=/dev/ad10s1b bs=1m
Edit the loader configuration so the system boots correctly (each setting with its comment must stay on one line):
Code:
# ee /mnt/boot/loader.conf
currdev="disk1s1a"                     # slice containing /boot
rootdev="disk1s1d"                     # slice containing /, as the loader understands it
vfs.root.mountfrom="ufs:ad10s1d.eli"   # slice containing /, as the kernel understands it
geom_eli_load="YES"
Populate directories:
Code:
# cd /mnt
# tar xf back.tar
# rm back.tar
# umount /mnt/tmp /mnt/var /mnt/usr /mnt/mnt /mnt/mntboot
Make a backup of the root
Code:
# cd /mnt
# mount /dev/ad10s1e.eli /mnt2
# tar cf /mnt2/back.tar *
And encrypt it. Don't forget the passphrase you will be asked for!
Code:
# cd /
# umount /mnt
# geli init -e AES -l 128 -s 4096 -b /dev/ad10s1d
# geli attach /dev/ad10s1d
# newfs -O2 -U /dev/ad10s1d.eli
# mount /dev/ad10s1d.eli /mnt
# cd /mnt
# tar xf /mnt2/back.tar
# rm /mnt2/back.tar
# umount /mnt2
Finally, edit the important files so the system loads correctly:
Code:
# ee /mnt/etc/fstab
/dev/ad10s1a /mntboot ufs ro 1 1
/dev/ad10s1b.eli none swap sw 0 0
/dev/ad10s1d.eli / ufs rw 1 1
/dev/acd0 /cdrom cd9660 ro,noauto 0 0
/dev/ad10s1e.eli /tmp ufs rw 1 1
/dev/ad10s1f.eli /var ufs rw 1 1
/dev/ad10s1g.eli /usr ufs rw 1 1
Edit /mnt/etc/rc.conf:
Code:
# ee /mnt/etc/rc.conf
[add the following line]
geli_swap_flags="-e Blowfish -l 256 -d"
Manually change /etc/rc.d/geli (replace "da0" with your pendrive's device node):
Code:
# ee /mnt/etc/rc.d/geli
[in "geli_start()" add the following before "for provider in ${devices}"]
# wait until the key pendrive is present and mounted on /mnt
while true; do
        /sbin/mount_msdosfs /dev/da0 /mnt > /dev/null
        if [ $? -eq 0 ]; then
                break
        fi
        echo "Pendrive missing!"
        sleep 3
done
echo "Pendrive found, initializing slices."
# each slice is unlocked with the root-filesystem half plus the pendrive half of its key
/bin/cat /etc/geli/TAYGETA_tmp.key1 /mnt/TAYGETA_tmp.key2 | \
        /sbin/geli attach -p -k - /dev/ad10s1e
/bin/cat /etc/geli/TAYGETA_var.key1 /mnt/TAYGETA_var.key2 | \
        /sbin/geli attach -p -k - /dev/ad10s1f
/bin/cat /etc/geli/TAYGETA_usr.key1 /mnt/TAYGETA_usr.key2 | \
        /sbin/geli attach -p -k - /dev/ad10s1g
/sbin/umount /mnt
[and comment out the rest of the geli_start() function]
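The boot-time fragment above waits for the pendrive in an endless loop and pipes the two key halves straight into geli attach. As an added example (my code, not the post's rc.d/geli edit), here is the same logic as POSIX sh functions that refuse to attach when a key half is missing or is not the 64 bytes the dd commands produce, and that give up after a bounded number of mount attempts. The MOUNT, GELI and SLEEP variables, the retry bound and the check_key_half / wait_for_pendrive / attach_split names are my assumptions so the logic can be exercised with stubs on a machine without GELI providers.

```sh
#!/bin/sh
# Added example, not the post's own rc.d/geli code: the pendrive wait and
# split-key attach from the post, with the checks a boot script should make.
# MOUNT, GELI and SLEEP default to the real commands; they exist so the
# logic can be exercised with stubs on a machine without GELI providers.
KEY_HALF_BYTES=64   # what `dd if=/dev/random bs=64 count=1` writes

# Succeed only if $1 is a regular file of exactly KEY_HALF_BYTES bytes.
check_key_half() {
    [ -f "$1" ] || { echo "missing key half: $1" >&2; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq "$KEY_HALF_BYTES" ] || {
        echo "key half $1 is $size bytes, expected $KEY_HALF_BYTES" >&2
        return 1
    }
}

# Mount the pendrive $1 on $2, retrying up to $3 times with a 3 s pause
# (the post's loop retries forever; a bound lets the boot fail visibly).
wait_for_pendrive() {
    tries=0
    until ${MOUNT:-/sbin/mount_msdosfs} "$1" "$2" >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt "$3" ] || { echo "giving up on $1" >&2; return 1; }
        echo "Pendrive missing! (attempt $tries of $3)" >&2
        ${SLEEP:-sleep} 3
    done
}

# Attach provider $3 from the key half in the root fs ($1) and the half on
# the pendrive ($2); the halves are concatenated and passed on stdin, as in
# the post's `geli init -P -K -`, so neither half alone unlocks the slice.
attach_split() {
    check_key_half "$1" && check_key_half "$2" || return 1
    cat "$1" "$2" | ${GELI:-/sbin/geli} attach -p -k - "$3"
}

# What the post's geli_start() addition does, for the three slices it sets up.
attach_all() {
    wait_for_pendrive /dev/da0 /mnt 20 || return 1
    for slice in tmp:ad10s1e var:ad10s1f usr:ad10s1g; do
        name=${slice%%:*}; dev=${slice#*:}
        attach_split /etc/geli/TAYGETA_${name}.key1 \
                     /mnt/TAYGETA_${name}.key2 /dev/${dev} || return 1
    done
    umount /mnt
}
```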
Code:
# umount /mnt
# exit
Reboot the computer and remove the FreeBSD CD-ROM.