Help installing FreeBSD on a Geli encrypted partition

What

What I'm trying to do is to run FreeBSD STABLE on an encrypted Geli partition, while having a different installed version on a clear partition. Is this possible without messing up either install?

How

I used to have a similar setup with Windows 8 installed on the computer, with its own boot loader and everything, and FreeBSD 9.0 installed on a single Geli encrypted partition with /boot/ on a USB stick. It worked seamlessly, with Windows booting normally and not recognizing the FreeBSD partition, and when booting from the USB, FreeBSD booting and mounting the encrypted root partition.

I tried to replicate the setup when I got rid of Windows, with a FreeBSD installation with a ZFS root alongside the installation on the Geli encrypted partition, each with their separate boot loaders and /boot/ folders. The actual disk setup is:
Code:
ada0p1: disk boot partition installed with
# gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0

ada0p2: encrypted swap partition
ada0p3: freebsd-zfs partition with base system
ada0p4: Geli encrypted partition

ada0p4.elia: UFS root slice
ada0p4.elib: swap slice
ada0p4.eli[d-f]: UFS slices

I thought it should work the same way it worked before, but I ran into a couple of errors.
When I boot the clear install from the hdd it asks for ada0p4's password to mount the root partition, despite having set otherwise on the /boot/loader.conf file. I thought it was due to the -b flag on the command
# geli init -b -l 256 -s 4096 /dev/ada0p4
Still, running the geli init command without the -b flag yielded the same result, even after destroying the partition and Geli metadata, which was odd. On the other hand wouldn't not having the -b flag break the encrypted root install?

Am I missing some feature of Geli or the boot loader?

Why

On the very possible question of why I'm doing this, it's because I currently have only one PC, a notebook with a single hard drive and like to have a clean system for work with sensitive data to avoid any leaks during normal use or unauthorized access if the PC ever gets stolen.

Currently, I'm accessing the information on an encrypted (non-bootable) storage from the system installed on the clear partitions, but I'm still worried some third party programs (word processors, browsers etc) as well as the OS will leak information or store sensitive data/metadata on the clear.

As to why I don't just run everything on an encrypted system, it's because the processor lacks the AES instruction set and the PC gets quite sluggish for normal use.

With these reasons in mind, am I going about this in the wrong way?
Should I be using jails and other security measures instead of running an entire autonomous installation?

Any help, advice, how-to, relevant section in the manuals will be greatly appreciated.
 
bbzz has a good guide in this thread: Thread 29652. I've used it.

Er... skip the first part about erasing the existing partitioning if there is stuff you want to keep on the drive.

As far as encrypted versus unencrypted, sure. It's just a (sigh) multi-boot setup.
 
Thanks wblock, I did see this guide while researching encrypted installations, but have instead followed (for the most part) another guide on http://events.ccc.de/.../586-paper_Complete_Hard_Disk_Encryption.pdf as suggested elsewhere in the forums.

Most of the steps I took are the same with a few irrelevant differences, like I manually run
# tar Jxpf /usr/freebsd-dist/base.txz
# tar Jxpf /usr/freebsd-dist/kernel.txz
from the mounted partition for the installation step.

And one relevant difference, the boot partition is in a USB flash drive.

wblock@ said:
As far as encrypted versus unencrypted, sure. It's just a (sigh) multi-boot setup.
I don't understand why the multi-boot part warranted a sigh. Especially since it seems to be causing the problem. If you think it's stupid or unnecessary to multi-boot instead of using a different approach to secure my data, please say so. I am very interested in any reason not to, as evidenced by this:
wolfspam said:
Should I be using jails and other security measures instead of running an entire autonomous installation?

I can get (and have gotten) a fully encrypted FreeBSD install running on this PC, even a multi-boot one, although the other OS was Windows 8, not FreeBSD. The problem is that with two FreeBSD installs, one is interfering with the other. The clear one detects the bootable Geli partition and tries to mount it in the second boot stage (mountroot), and it seems the encrypted one likes to fall back onto the clear one's boot loader (although I suspect it may be because of a hardware failure in the USB stick).
 
wolfspam said:
I don't understand why the multi-boot part warranted a sigh. Especially since it seems to be causing the problem. If you think it's stupid or unnecessary to multi-boot instead of using a different approach to secure my data, please say so. I am very interested in any reason not to, as evidenced by this

Do you want to reboot your computer every time you want to use the other OS? Well, there's a better option and that's called virtualization.

Since you have Windows 8 on the machine, you could try VirtualBox and install FreeBSD on a virtual machine; depending on your needs it might be a better solution than multi-boot.

http://www.virtualbox.org/
 
wolfspam said:
I don't understand why the multi-boot part warranted a sigh. Especially since it seems to be causing the problem. If you think it's stupid or unnecessary to multi-boot instead of using a different approach to secure my data, please say so. I am very interested in any reason not to, as evidenced by this.

It's not you, or what you are trying to do. Sometimes the only practical solution is multi-boot.

But in most cases, VMs are much safer, and quicker and easier to set up. Multiple VMs run at the same time, along with the host. Hard drive space isn't tied up in other partitions. Each VM gets its own virtual drive, so there are no fights with complicated partitioning systems. VMs can be moved from machine to machine. If the host is a notebook, it can run all the Windows-only drivers, power saving features, and ACPI. The only real disadvantage is that host RAM is shared with the VMs when they are running.

My frustration is that multi-boot is used in many cases where VMs would be easier to set up and work better.
 
I understand I tend to be a bit verbose, but that's only because I don't want to give the wrong impression of what I'm asking. Understandably it seems it had the opposite effect though (tl;dr).

kpa said:
Do you want to reboot your computer every time you want to use the other OS? Well, there's a better option and that's called virtualization.

Since you have Windows 8 on the machine, you could try VirtualBox and install FreeBSD on a virtual machine; depending on your needs it might be a better solution than multi-boot.

I don't have Windows 8 installed on my computer, nor do I want or need it. I do have FreeBSD installed, it's my only installed OS and it's not encrypted. It's not encrypted because the computer gets a bit sluggish with full encryption and that's not optimal for day to day work. I would like to use an encrypted installation for work with sensitive data though. Unfortunately, I'm limited to one computer and one hard drive.

Also, I don't want to reboot my computer every time I need to work on sensitive data, but I don't mind, since I'm working and not doing anything else that warrants going back and forth. It's just the only solution I found to my predicament.

wblock@ said:
If the host is a notebook, it can run all the Windows-only drivers, power saving features, and ACPI.

I understand virtualization is a good alternative for multi-boot, and that I can use all the nifty Windows stuff with it. I don't want any of it though; on the contrary, I want to run a more secure system to work with sensitive data. Perhaps I should have omitted the part about the setup once working alongside Windows as it seems to have captured the attention of the readers a lot more than the title of the thread or the "What" section of the original post. Let me be clear then:

I want nothing to do with Windows.

I don't know why, but I always sense a bit of hostility when dealing with the community, even though you all seemed so nice dealing with other users. Even the ones that clearly haven't even tried or are just baiting for Linux vs. FreeBSD flame wars. Not that I'm not grateful for the replies, since they did give me a bit of insight.



On a different note, this talk of virtual machines gave me an idea I don't think would've come to me otherwise: installing a VM on an encrypted container. See, even in the most contingent of ways, elaborating your point is helpful.

I don't know how safe it would be or how I can make it happen, but it warrants a little investigating. The VM would in fact be more convenient to launch, manage and backup.

Perhaps I need to start a different thread, or research a little bit first, but I'm intrigued as to how it would work. I don't yet understand how emulators/virtualbox-ose treats guest OS data though, if I need to isolate it in a jail or even if I can isolate it as it seems part of it runs in kernel space (compiles and loads a specific kernel module).
 
wolfspam said:
I don't know why, but I always sense a bit of hostility when dealing with the community, even though you all seemed so nice dealing with other users.

I did not mean to sound hostile, it certainly was not intended that way. As I said, it is not you or what you are trying to do; sometimes multi-boot is the right solution. And this seemed like as good a place as any to list the advantages of VMs.

Windows on notebooks was used as an example where power saving features or hardware that is not supported by FreeBSD could still be used by a VM. If Linux works better, that would also be fine as a host. Or use FreeBSD as a host, I do.

As far as VirtualBox storage, virtual hard drives can be a file or an actual partition or drive on the host. A geli(8) partition could be used.
 