HOWTO: FDE FreeBSD 9.0-RC1, GELI+ZFS on root with boot from USB stick.

Greetings. I had a bit of time, a free slice on a disk with MBR and the desire to play with a new installation of FreeBSD 9.0-RC1.
Below is just a simple example; there will be one ZFS filesystem on /, no swap, no keys for GELI, passphrase only. Nevertheless, I decided to share the method, which can be used in different setups and configurations.

My setup consists of:
ada0 - hard drive
ada0s1 - slice will be used for ZFS
da0 USB stick - for booting

1. Boot with your FreeBSD install disk and choose "Live CD" when prompted, then log in as root; no password is required.
2. This step is optional but it's a good idea.
Code:
dd if=/dev/urandom of=/dev/ada0s1
dd if=/dev/urandom of=/dev/da0
3. Write a bsdlabel:
Code:
bsdlabel -w /dev/ada0s1
4. Loading the required modules:
Code:
kldload geom_eli zfs
5. Label the partition:
Code:
glabel label zrpool /dev/ada0s1a
6. Initialize and attach GELI:
Code:
geli init -b /dev/label/zrpool
geli attach /dev/label/zrpool
7. Create the ZFS pool and filesystem:
Code:
zpool create -O mountpoint=/mnt -O canmount=off zrpool /dev/label/zrpool.eli
zfs create -o mountpoint=legacy zrpool/FreeBSD
8. Install FreeBSD:
Code:
mount -t zfs zrpool/FreeBSD /mnt
tar -xf /usr/freebsd-dist/base.txz -C /mnt
tar -xf /usr/freebsd-dist/kernel.txz -C /mnt
You can select and install something else; take a look at /usr/freebsd-dist/.
9. Prepare the USB stick:
Code:
fdisk -BI /dev/da0
bsdlabel -B -w /dev/da0s1
newfs /dev/da0s1a
10. Copy /boot to the USB stick:
Code:
mkdir /tmp/usbboot
mount /dev/da0s1a /tmp/usbboot
cp -Rp /mnt/boot /tmp/usbboot/
11. Create fstab and loader.conf:
a) create /tmp/usbboot/boot/loader.conf and add the following lines:
Code:
geom_eli_load="YES"
zfs_load="YES"
# aesni_load="YES"  # option see man aesni
vfs.root.mountfrom="zfs:zrpool/FreeBSD"
b) create /mnt/etc/fstab:
Code:
# cat > /mnt/etc/fstab
zrpool/FreeBSD / zfs rw 0 0
^D
12. Generate zpool.cache and write it to the USB stick:
Code:
zpool export zrpool
zpool import -o cachefile=/tmp/usbboot/boot/zfs/zpool.cache zrpool
13. Change pool mountpoint to /
Code:
zfs set mountpoint=/ zrpool
14. Finish.
Code:
shutdown -r now
* On boot the system will load the kernel and modules from the USB stick, and you'll be asked for the passphrase of the GELI provider before the system comes up.
 
Hi,

Sounds pretty good. Is it possible to boot from the USB stick without any password interruption? The thing is, I want a fully encrypted server with a kind of "dongle", a stick which decides whether the machine can access the hard disks or not. Therefore your article is nearly perfect; just the issue with the password before booting. Do you have an idea?
 
Continuing the log :)

I've now adopted everything 1:1 and got all the way through it nicely.
After the reboot, however, it does not boot from the stick (BIOS settings adjusted).

Nothing comes up at all, just... that it finds nothing to boot from. Or should I start the installation CD again for that?

Regards, thanks


Only English-language posts are allowed here. read the forum rules.
 
PTVi said:
... is it possible to boot from the USB stick without any password interruption?..
Yes of course.
6. Initialize and attach GELI:
Code:
mkdir /boot/keys
dd if=/dev/random of=/boot/keys/zrpool.key bs=128k count=1
geli init -b -P -K /boot/keys/zrpool.key /dev/label/zrpool
11.
a) create /tmp/usbboot/boot/loader.conf
You need to add these lines to /tmp/usbboot/boot/loader.conf:
Code:
geli_label_zrpool_keyfile0_load="YES"
geli_label_zrpool_keyfile0_type="label/zrpool:geli_keyfile0"
geli_label_zrpool_keyfile0_name="/boot/keys/zrpool.key"
ondra_knezour said:
... then remove -b option.
Don't do it for your root disk/slice.
 
bes said:
Don't do it for your root disk/slice.

From geli manpage linked above
-b Ask for the passphrase on boot, before the root partition is mounted. This makes it possible to use an encrypted root partition. One will still need bootable unencrypted storage with a /boot/ directory, which can be a CD-ROM disc or USB pen-drive, that can be removed after boot.

Does your statement mean that without this option the root slice wouldn't be decrypted during boot, even if it is encrypted only with a key and no password?
 
Yes, it does. One of the examples in the geli(8) manpage shows how to configure two providers which will be attached on boot (before the root file system is mounted). One of them uses a passphrase and three keyfiles and the other uses only a keyfile.
 
I see. In that case, shouldn't the description of the -b switch be changed from "Ask for the passphrase on boot..." to something that better describes its function?
 
Hey guys,

I am addicted to this stuff; it sounds so fantastic, and I am pretty sure there is just one point which separates me from the target.

On http://www.ducsu.at/wissenswiki/doku.php?id=zfs_vollverschluesselung I described what I did step by step. There were no error messages so far. The only thing is that if I want to boot from the stick it says "no system available", which means it cannot boot from the stick.

Any ideas?

Best regards and great thanks,
P
 
This howto was written for a disk with MBR (see above); if you really need the GPT scheme, please take a look at this post in the thread. Unfortunately you have made a few typos and inaccuracies in your paragraphs: Keys, Initiation and attachment GELI, and Creation fstab and loader.conf.
 
Help, I need somebody

Hi again,

After doctoring for more than 4 hours yesterday and two hours today, I give up on reading myself to death.

Can one of you fix my wiki thread LINK or help me via Skype or any other messenger? For me it is still unclear how this all works together.

Thanks to the community (to you guys).

Best regards and many thanks,
Patrick
 
Please post the output from:
Code:
ls -l /dev/ad*
and
Code:
gpart show
 
Pics

Hey,

Here are the requested pics

IMG_0114.jpg
IMG_0116.jpg

I will leave it on until you tell me something, so that the status doesn't change.

Thanks in advance,
Pat
 
Well,
Code:
dd if=/dev/urandom of=/dev/ada0 bs=1M count=1
dd if=/dev/urandom of=/dev/da0 bs=1M count=1

fdisk -I /dev/ada0
bsdlabel -w /dev/ada0s1
glabel label zrpool /dev/ada0s1a

mkdir /tmp/keys
dd if=/dev/urandom of=/tmp/keys/zrpool.key bs=128k count=1
geli init -b -P -K /tmp/keys/zrpool.key /dev/label/zrpool
geli attach -p -k /tmp/keys/zrpool.key /dev/label/zrpool

zpool create -O mountpoint=/mnt -O canmount=off zrpool /dev/label/zrpool.eli
zfs create -o mountpoint=legacy zrpool/FreeBSD

mount -t zfs zrpool/FreeBSD /mnt
tar -xf /usr/freebsd-dist/base.txz -C /mnt
tar -xf /usr/freebsd-dist/kernel.txz -C /mnt

fdisk -BI /dev/da0
bsdlabel -B -w /dev/da0s1
newfs /dev/da0s1a

mkdir /tmp/usbboot
mount /dev/da0s1a /tmp/usbboot
cp -Rp /mnt/boot /tmp/usbboot/
cp -Rp /tmp/keys /tmp/usbboot/boot/

# vi /tmp/usbboot/boot/loader.conf add (the loader on the stick reads this copy;
# /mnt/boot was already copied above, so editing /mnt/boot/loader.conf alone changes nothing on the stick):
# obey the syntax rules !

geom_eli_load="YES"
zfs_load="YES"
geli_label_zrpool_keyfile0_load="YES"
geli_label_zrpool_keyfile0_type="label/zrpool:geli_keyfile0"
geli_label_zrpool_keyfile0_name="/boot/keys/zrpool.key"
# aesni_load="YES"  # option see man aesni
vfs.root.mountfrom="zfs:zrpool/FreeBSD"

# vi /mnt/etc/fstab add:

zrpool/FreeBSD / zfs rw 0 0

zpool export zrpool
mkdir -p /tmp/usbboot/boot/zfs   # the directory must exist before the cache file can be written there
zpool import -o cachefile=/tmp/usbboot/boot/zfs/zpool.cache zrpool

zfs set mountpoint=/ zrpool

shutdown -r now
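As an added example that is not part of this thread or the author's code: a pre-reboot check for the layout built above, covering both the passphrase-only setup from the first post (no geli_*_keyfile* lines) and the key-file setup in this listing. It assumes the stick is mounted at /tmp/usbboot and the new root at /mnt, as in the howto; the function names and the throwaway demo tree it builds under mktemp are mine, so it runs without real disks.

```shell
#!/bin/sh
# Pre-reboot check for the GELI+ZFS-root-with-USB-/boot layout from this thread.
# Added example, not code from the thread. Assumes the stick is mounted at $1
# (/tmp/usbboot in the howto) and the new root at $2 (/mnt); works for the
# passphrase-only setup (no geli_*_keyfile* lines) and the key-file setup.

# Value of a loader.conf variable, i.e. the text between the double quotes.
conf_get() {  # conf_get FILE VARIABLE
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Returns 0 if the stick and root look bootable, 1 after listing every problem.
check_boot_stick() {  # check_boot_stick STICK_MOUNT ROOT_MOUNT
    stick=$1; root=$2; rc=0
    conf=$stick/boot/loader.conf
    fail() { echo "FAIL: $*" >&2; rc=1; }

    [ -f "$conf" ] || { fail "no $conf (step 11a)"; return 1; }
    [ "$(conf_get "$conf" geom_eli_load)" = "YES" ] || fail 'geom_eli_load="YES" missing'
    [ "$(conf_get "$conf" zfs_load)" = "YES" ] || fail 'zfs_load="YES" missing'
    [ -f "$stick/boot/zfs/zpool.cache" ] || fail "zpool.cache missing on the stick (step 12)"
    for f in kernel/kernel kernel/geom_eli.ko kernel/zfs.ko kernel/opensolaris.ko; do
        [ -f "$stick/boot/$f" ] || fail "$f missing on the stick (step 10)"
    done

    # The dataset in vfs.root.mountfrom="zfs:POOL/DATASET" must be the one fstab mounts on /.
    mountfrom=$(conf_get "$conf" vfs.root.mountfrom)
    dataset=${mountfrom#zfs:}
    [ "$mountfrom" != "$dataset" ] || fail "vfs.root.mountfrom='$mountfrom' is not zfs:pool/dataset"
    if [ -f "$root/etc/fstab" ]; then
        fstab_root=$(awk '$2 == "/" && $3 == "zfs" { print $1 }' "$root/etc/fstab")
        [ "$fstab_root" = "$dataset" ] || fail "fstab root '$fstab_root' != loader.conf dataset '$dataset'"
    else
        fail "no $root/etc/fstab (step 11b)"
    fi

    # Every key file the loader is told to preload must exist on the stick. The
    # _name path is resolved against the stick, not the new root, and a name
    # mismatch here leaves GELI unable to attach the root at boot.
    for var in $(sed -n 's/^\(geli_[A-Za-z0-9_]*_keyfile[0-9]*\)_name=.*/\1/p' "$conf"); do
        keyfile=$(conf_get "$conf" "${var}_name")
        [ "$(conf_get "$conf" "${var}_load")" = "YES" ] || fail "${var}_load=\"YES\" missing"
        [ -s "$stick$keyfile" ] || fail "$keyfile named by ${var}_name is not on the stick"
        case "$(conf_get "$conf" "${var}_type")" in
            *:geli_keyfile[0-9]*) ;;
            *) fail "${var}_type should look like label/zrpool:geli_keyfile0" ;;
        esac
    done
    return $rc
}

# Throwaway stick/root layout mirroring the listing above, so the check can be
# tried without disks. Constructed sample data: empty kernel files, a random
# 128k key and the loader.conf from the listing, which names /boot/keys/zrpool.key.
# KEYNAME is the file actually put on the stick, so a different name reproduces
# the key-file mismatch.
make_demo_tree() {  # make_demo_tree DIR KEYNAME
    mkdir -p "$1/stick/boot/kernel" "$1/stick/boot/zfs" "$1/stick/boot/keys" "$1/root/etc"
    for f in kernel geom_eli.ko zfs.ko opensolaris.ko; do : > "$1/stick/boot/kernel/$f"; done
    : > "$1/stick/boot/zfs/zpool.cache"
    dd if=/dev/urandom of="$1/stick/boot/keys/$2" bs=128k count=1 2>/dev/null \
        || printf 'constructed placeholder key material\n' > "$1/stick/boot/keys/$2"
    cat > "$1/stick/boot/loader.conf" <<'EOF'
geom_eli_load="YES"
zfs_load="YES"
geli_label_zrpool_keyfile0_load="YES"
geli_label_zrpool_keyfile0_type="label/zrpool:geli_keyfile0"
geli_label_zrpool_keyfile0_name="/boot/keys/zrpool.key"
vfs.root.mountfrom="zfs:zrpool/FreeBSD"
EOF
    printf 'zrpool/FreeBSD / zfs rw 0 0\n' > "$1/root/etc/fstab"
}

# Dry run: a stick carrying label_zrpool.key while loader.conf asks for zrpool.key
# fails the check; the matching layout passes. On the live system run
#   check_boot_stick /tmp/usbboot /mnt
# before step 14 instead.
demo=$(mktemp -d)
make_demo_tree "$demo/bad" label_zrpool.key
make_demo_tree "$demo/good" zrpool.key
check_boot_stick "$demo/bad/stick" "$demo/bad/root" && echo "bad: OK?!" || echo "bad: rejected (expected)"
check_boot_stick "$demo/good/stick" "$demo/good/root" && echo "good: OK" || echo "good: rejected?!"
rm -rf "$demo"
```

Run it on the live system after step 13 and before rebooting; every FAIL line names the step to revisit. Keep in mind what the key-file variant means: with `-P -K` the plaintext key on the stick is the only thing standing between the disk and anyone who holds the stick, so physical custody of the stick is the whole security model, exactly the "dongle" asked about earlier in the thread.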
 
Code:
dd if=/dev/urandom of=/dev/ada0 bs=1M count=1
dd if=/dev/urandom of=/dev/da0 bs=1M count=1

fdisk -I /dev/ada0
(to get s1 you need to create a partition?!?! I did gpart add -t freebsd ada0)
bsdlabel -w /dev/ada0s1
glabel label zrpool /dev/ada0s1a

mkdir /tmp/keys
dd if=/dev/urandom of=/tmp/keys/zrpool.key bs=128k count=1
geli init -b -P -K /tmp/keys/zrpool.key /dev/label/zrpool
geli attach -p -k /tmp/keys/zrpool.key /dev/label/zrpool

zpool create -O mountpoint=/mnt -O canmount=off zrpool /dev/label/zrpool.eli
zfs create -o mountpoint=legacy zrpool/FreeBSD

mount -t zfs zrpool/FreeBSD /mnt
tar -xf /usr/freebsd-dist/base.txz -C /mnt
tar -xf /usr/freebsd-dist/kernel.txz -C /mnt

fdisk -BI /dev/da0
(did not work, I is not recognized)
bsdlabel -B -w /dev/da0s1
newfs /dev/da0s1a

mkdir /tmp/usbboot
mount /dev/da0s1a /tmp/usbboot
cp -Rp /mnt/boot /tmp/usbboot/
cp -Rp /tmp/keys /tmp/usbboot/boot/

# vi /mnt/boot/loader.conf add:
# obey the syntax rules !

geom_eli_load="YES"
zfs_load="YES"
geli_label_zrpool_keyfile0_load="YES"
geli_label_zrpool_keyfile0_type="label/zrpool:geli_keyfile0"
geli_label_zrpool_keyfile0_name="/boot/keys/label_zrpool.key"
# aesni_load="YES"  # option see man aesni
vfs.root.mountfrom="zfs:zrpool/FreeBSD"

# vi /mnt/etc/fstab add:

zrpool/FreeBSD / zfs rw 0 0

zpool export zrpool
zpool import -o cachefile=/tmp/usbboot/boot/zfs/zpool.cache zrpool
(/tmp/usbboot/boot/zfs was not found, but without zfs it found zpool.cache)

zfs set mountpoint=/ zrpool

shutdown -r now

Any ideas?
 
PTVi said:
to get s1 you need to create a partition?!?! I did gpart add -t freebsd ada0
and according to http://www.ducsu.at/wissenswiki/doku.php?id=zfs_vollverschluesselung:
Code:
gpart create -s GPT ada0
Why not -s MBR, why not -t freebsd-zfs, why not use -l instead of glabel, where is the bootcode on da? Too many "why?"s.

I do not like to mix MBR and GPT. You can do it, but you should understand what you are doing and deal with it yourself. I'm sorry, but those experiments do not interest me, at least for now.

Also, I'm too lazy to work out your actions in detail.
fdisk -BI /dev/da0 did not work, I is not recognized
It would be nice to know exactly what fdisk said; unfortunately your video has been removed. In any case this is strange; it works fine for me. You can try the interactive mode:
Code:
fdisk -Bi /dev/da0
Good luck :)
 