...using sysinstall, and no swap, but you can configure that later on your own. The target disk is ad0, and we'll use the whole drive for the FreeBSD install.
Installation
Boot the FreeBSD installer from your favourite medium. Allocate the whole disk to one FreeBSD slice. Inside that slice, allocate a 400MB UFS partition with the root mount point (/). Allocate the rest of the slice with the mount point /mnt. Proceed with the installation, install only the base system and kernel, and don't configure anything except the root password. Boot and log in as root into your new install.
Preparation of GELI device
Right now, the future root filesystem is an unencrypted, empty UFS filesystem. It wasn't necessary to create the filesystem itself, but it's the fastest way, so you don't need to label things manually outside the first installation step. Unmount it:
Code:
#umount /mnt
For the sake of example, the small root filesystem is ad0s1a, and the empty future root is ad0s1d.
Create the GELI keyfile:
Code:
#dd if=/dev/random of=/boot/key bs=64 count=1
Now we initialize the GELI-encrypted partition with that key, using the default encryption algorithm (-b marks the provider for attachment at boot time, -s 4096 sets a 4 KB sector size). Because the provider is initialized with both a keyfile and a passphrase, the keyfile alone, which will live on the unencrypted boot partition, is not sufficient to attach it:
Code:
#geli init -b -s 4096 -K /boot/key /dev/ad0s1d
Type your passphrase twice.
Let's attach the partition to the system:
Code:
#geli attach -k /boot/key /dev/ad0s1d
Type your passphrase. GELI will create the /dev/ad0s1d.eli block device, which you can access now.
Let's create the filesystem:
Code:
#newfs /dev/ad0s1d.eli
So now we have a UFS filesystem contained inside the GELI-encrypted partition. This partition will be our encrypted root.
Installation of root filesystem
We'll just copy all relevant files from the small root to the new root partition. The small root will become the "boot" partition, containing only the kernel and the GELI keyfile for root mounting. Let's first mount the new root somewhere:
Code:
#mount /dev/ad0s1d.eli /mnt
Now, from the old root directory (cd / first), we copy the files:
Code:
#cp -p * /mnt
#cp -Rvp .snap /mnt
#cp -Rvp bin /mnt
#cp -Rvp dev /mnt
.
.
.
Repeat the recursive directory copy for every subdirectory of root, except the boot directory and the mnt directory. Since we'll mount this partition as the root directory on the next boot, we would lose access to the original root filesystem, which contains the kernel. We'll work around that:
Code:
#cd /mnt
#mkdir mnt
#mkdir mnt/boot
#mount /dev/ad0s1a mnt/boot
Edit /mnt/etc/fstab to reflect the new configuration:
Code:
# Device           Mountpoint   FStype   Options   Dump   Pass#
/dev/ad0s1d.eli    /            ufs      rw        1      1
/dev/ad0s1a        /mnt/boot    ufs      rw        2      2
...and symlink the mountpoint to /boot, so the new root keeps its original /boot entry. Note that the link target /mnt/boot/boot is meant to resolve after the reboot, when the new root is mounted at / and the old root at /mnt/boot:
Code:
#ln -s /mnt/boot/boot /mnt/boot
Enable GELI root mounting
What's left is to tell the kernel to load GELI, tell GELI about the encrypted partition and the keyfile, so it can ask you for the passphrase and create the /dev access node, and then tell the kernel to mount root from that block device. So we edit /boot/loader.conf to contain this:
Code:
geom_eli_load="YES"
geli_ad0s1d_keyfile0_load="YES"
geli_ad0s1d_keyfile0_type="ad0s1d:geli_keyfile0"
geli_ad0s1d_keyfile0_name="/boot/key"
vfs.root.mountfrom="ufs:ad0s1d.eli"
And it's done. Reboot, you'll be asked for the passphrase, and you'll land in the encrypted root filesystem.
Afterwards, you can access the original small root partition at /mnt/boot and wipe everything except the boot (/mnt/boot/boot) subdirectory.
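As an added example (not part of the original post), the script below automates the two error-prone steps above: copy_root replays the "repeat the recursive copy for every subdirectory" step, skipping boot and mnt and creating the empty mnt/boot mountpoint that the new fstab needs, and check_geli_root verifies that a loader.conf/fstab pair agree on the provider name before you reboot. The function and variable names are my own; the cp flags and loader.conf keys are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post.
# copy_root SRC DST: copy a root tree into a mounted GELI root, skipping
# boot (stays on the small root) and mnt (must become an empty mountpoint).
copy_root() {
    src=$1; dst=$2
    for f in "$src"/* "$src"/.*; do
        name=${f##*/}
        # skip the . and .. entries matched by the .* glob
        case "$name" in .|..) continue ;; esac
        # skip an unmatched glob pattern (directory had no such entries)
        [ -e "$f" ] || [ -L "$f" ] || continue
        case "$name" in boot|mnt) continue ;; esac
        # -R recurses, -p preserves ownership, modes, times and flags
        cp -Rp "$f" "$dst"/ || return 1
    done
    # the old root gets mounted here on the next boot (see fstab)
    mkdir -p "$dst"/mnt/boot
}

# check_geli_root LOADER_CONF FSTAB: the root device in fstab must be a
# GELI provider, and loader.conf must load geom_eli, declare the keyfile
# for that provider and mount root from the same .eli device.
check_geli_root() {
    loader=$1; fstab=$2
    root=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$fstab")
    case "$root" in
        /dev/*.eli) ;;
        *) echo "fstab root '$root' is not a GELI provider"; return 1 ;;
    esac
    prov=${root#/dev/}; prov=${prov%.eli}            # e.g. ad0s1d
    grep -q '^geom_eli_load="YES"' "$loader" \
        || { echo "geom_eli_load is not set"; return 1; }
    for key in load type name; do
        grep -q "^geli_${prov}_keyfile0_${key}=" "$loader" \
            || { echo "missing geli_${prov}_keyfile0_${key}"; return 1; }
    done
    # accept both ufs:ad0s1d.eli and ufs:/dev/ad0s1d.eli
    grep -q "^vfs.root.mountfrom=\"ufs:\(/dev/\)\{0,1\}${prov}\.eli\"" "$loader" \
        || { echo "vfs.root.mountfrom does not name ${prov}.eli"; return 1; }
    echo "loader.conf and fstab agree on provider ${prov}"
}
```

Run copy_root /mnt-style with the old root as SRC and the mounted .eli filesystem as DST, then check_geli_root /boot/loader.conf /mnt/etc/fstab before rebooting.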