[Solved] Encrypting only FreeBSD partition, not entire disk.

Hi. My HDD is currently partitioned in four:

Partition 1: FreeBSD-UFS, 48.1gb
Partition 2: FreeBSD-Swap, 1.5gb
Partition 3: WinFLP-NTFS, 3.4gb
Partition 4: Data-NTFS, 98gb

I want to delete Partition 1 and recreate it in ZFS, and then encrypt it... I was testing in a VM and I noticed the ZFS on Root installation option of the 10.0-RELEASE CD only encrypts entire HDDs... So I tried manual partitioning, but it doesn't show me any options for encryption..

What can I do?

Thanks.
 
Re: Encrypting only FreeBSD partition, not entire disk.

The installer does not yet have encryption options, I think, so it has to be done by hand. Create partitions, use geli(8) to create an encrypted device, create filesystems on top of that.
 
Re: Encrypting only FreeBSD partition, not entire disk.

The 10.0-RELEASE installer has encryption options, but looks like it only works with ZFS and if you encrypt the entire drive.
Thanks, I'll check geli.
 
Re: Encrypting only FreeBSD partition, not entire disk.

Ok, I'm trying to follow this tutorial: http://www.bsdnow.tv/tutorials/fde
(The section that says "FreeBSD < 10.0")
But there they're explaining how to do it with GPT, and I need to do it with MBR (remember that I also have WinFLP on another partition). So, I guess I should modify one of the mentioned lines:

gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

But I don't know how. Please tell me.

And I also have a few doubts: would I need to use ada0p3 for the third partition, or ada0s1c, as I guess the third subpartition would be listed if I had a third subpartition and I did df -h? (I guess it would be s1c, because I currently have 2 subpartitions, and one is s1a, and the other s1b.)
I also don't know what size /boot should be.
 
Re: Encrypting only FreeBSD partition, not entire disk.

Sorry, but I didn't understand the last part: rpool/export/project
Shouldn't it be /dev/ada0s1 or something?
 
Re: Encrypting only FreeBSD partition, not entire disk.

es131245 said:
zfs create -o encryption=on rpool/export/project ?
Is this command even valid? Is there such a thing as a ZFS "encryption" property? I don't see it in zfs(8).
 
Re: Encrypting only FreeBSD partition, not entire disk.

Only in the Oracle version so far, apparently.
 
Re: Encrypting only FreeBSD partition, not entire disk.

I'm looking at a Russian book, and there is an example on encrypting a dev using geom_bde. Maybe you can encrypt this way if your partition is in dev list?
 
Re: Encrypting only FreeBSD partition, not entire disk.

You didn't mention what you want to do with that pool and, more importantly, what that HDD is used for. As you were asking about boot loader installation, I'm assuming it is indeed a bootable HDD.

FreeBSD itself can't yet boot off an encrypted pool (meaning the bootloader can't read encrypted data). There has to be an unencrypted partition where the kernel is booted from (but that partition can be a ZFS pool). Using your HDD layout you can't do that by deleting partition #1 only.
It would be possible, though, by deleting partitions #1 and #2. Partition #1 would be the unencrypted boot partition or a boot ZFS pool, #2 would be the encrypted ZFS pool (well, a geli provider as the ZFS vdev). Swap could be created inside of this ZFS pool.

Do you want the FreeBSD loader to decide which OS to load? (Partition #3 seems like some sort of Windows OS maybe?) If so (assuming ada0 is your disk, not using ZFS as boot pool), you can use:

Code:
gpart bootcode -b /boot/boot0 ada0
And yes, @trh411 showed you how awesome and easy it is to create an encrypted dataset in Solaris. :)

But do have a look at this thread: http://forums.freebsd.org/viewtopic.php?f=39&t=31662. @vermaden made an awesome howto and there are some good comments there too. I have mentioned there how I've created encrypted notebook with ZFS only layout, which is beadm friendly.

I've noticed you are mixing apples and oranges when it comes to partitions/slices. In an MBR layout, a disk can have up to 4 primary partitions (which are called slices in BSD). You can see them as /dev/ada0sX. A slice can be further divided into partitions (distinguished by letters). Letter 'c' has a special meaning - it means all raw space of that slice. The history behind it is actually funny (google knows best :) ).
In a GPT layout things are easy - you just use partitions when you divide a disk (without the limitations of the MBR layout).
 
Last edited by a moderator:
Re: Encrypting only FreeBSD partition, not entire disk.

Thanks for your reply! The HDD is used for a desktop computer. Yes, WinFLP = Windows Fundamentals for Legacy PCs, it's a lite version of WinXP, released by Microsoft back in 2006. I'm dualbooting it along with FreeBSD, for gaming purposes.

I wanted to create an encrypted slice for the FreeBSD system only (not full disk encryption, because as I said before, I'm dualbooting with WinFLP), and yes, I want the FreeBSD loader to ask me which system I want to boot. Thanks for telling me the command.

Ok, so I need to delete FreeBSD-UFS and FreeBSD-Swap, then create a new boot slice and another encrypted slice for the system.

I tried to read the thread you recommended me, it looks great, but all that BBCode stuff out of place makes it unreadable... That + the fact that English isn't my native language = headaches :p

Could you please just tell me what I need to type to create the unencrypted /boot & encrypted / slices before starting BSD Install?
(I've never created/deleted partitions using just the command line. I guess it's explained in the Handbook, and the thread I tried to read also gives me an idea, but I'm afraid of understanding it wrong and messing something up... I'm also quite busy with school stuff these days, I don't really have much time to read, try, fail, and read and try again.)

Thank you very much.
 
Re: Encrypting only FreeBSD partition, not entire disk.

I just spent a fair amount of time fixing the first post in that beadm thread. There are many more. This is a good example of why our posting guidelines should be followed, and what happens otherwise.
 
Re: Encrypting only FreeBSD partition, not entire disk.

Well, true what @wblock said. You should definitely go through those posts. You'll find all the information there you need.

Note: before proceeding you should have a backup of your data at hand! Also try this first in a virtual machine to get familiar with those commands before doing something you might regret.
This is the way to achieve what you want (/boot on unencrypted UFS filesystem, encrypted ZFS on /).

Assuming the following layout (this is very close to what you have):

Code:
# gpart show
=>      63  83886017  ada0  MBR  (40G)
        63   1048572     1  freebsd  (512M)
   1048635  28318185     2  freebsd  (13G)
  29366820  54492480     3  ntfs  (26G)
  83859300     26780        - free -  (13M)
Partition #3 is a bootable Windows XP system. Boot FreeBSD LiveCD (I'm using 9.2 RELEASE). Escape to the shell prompt.

0) Remove partition #1 and #2. Check the layout afterwards.
Code:
# gpart delete -i 1 ada0
ada0s1 deleted
# gpart delete -i 2 ada0
ada0s2 deleted
#
# gpart show
=>      63  83886017  ada0  MBR  (40G)
        63  29366757        - free -  (14G)
  29366820  54492480     3  ntfs  (26G)
  83859300     26780        - free -  (13M)
#

1) Add new boot partition (#1) and new soon-to-be encrypted vdev for our rpool pool (#2).
Code:
# gpart add -t freebsd -s 512m ada0
ada0s1 added
# gpart add -t freebsd ada0
ada0s2 added
# gpart show
=>      63  83886017  ada0  MBR  (40G)
        63   1048572     1  freebsd  (512M)
   1048635  28318185     2  freebsd  (13G)
  29366820  54492480     3  ntfs  (26G)
  83859300     26780        - free -  (13M)

#
Now a bit of old magic with new gpart. Create BSD label on ada0s1. Add new partition afterwards. (in BSD lingo: create a partition on a slice #1). Format it with UFS.
Code:
# gpart create -s bsd ada0s1
ada0s1 created
# gpart add -t freebsd-ufs ada0s1
ada0s1a added
# gpart show
=>      63  83886017  ada0  MBR  (40G)
        63   1048572     1  freebsd  (512M)
   1048635  28318185     2  freebsd  (13G)
  29366820  54492480     3  ntfs  (26G)
  83859300     26780        - free -  (13M)

=>      0  1048572  ada0s1  BSD  (512M)
        0  1048572       1  freebsd-ufs  (512M)

#  newfs -O2 /dev/ada0s1a
/dev/ada0s1a: 512.0MB (1048568 sectors) block size 32768, fragment size 4096
        using 4 cylinder groups of 128.00MB, 4096 blks, 16384 inodes.
super-block backups (for fsck_ffs -b #) at:
 192, 262336, 524480, 786624
#
# gpart show
=>      63  83886017  ada0  MBR  (40G)
        63   1048572     1  freebsd  (512M)
   1048635  28318185     2  freebsd  (13G)
  29366820  54492480     3  ntfs  (26G)
  83859300     26780        - free -  (13M)

=>      0  1048572  ada0s1  BSD  (512M)
        0  1048572       1  freebsd-ufs  (512M)

=>      0  1048572  ufsid/5305374662b6251a  BSD  (512M)
        0  1048572                       1  freebsd-ufs  (512M)

#
2) Create encrypted slice for ZFS. Store the metadata in one place, later it'll be copied to root's home. Attach the volume, so we can use it.
Code:
# geli init -b -s 4096 -e AES-CBC -l 128 /dev/ada0s2
Enter new passphrase: <you'll enter your password here>
Reenter new passphrase: <you'll enter your password here>

Metadata backup can be found in /var/backups/ada0s2.eli and
can be restored with the following command:

        # geli restore /var/backups/ada0s2.eli /dev/ada0s2

# cp -p /var/backups/ada0s2.eli /tmp
#
# geli attach /dev/ada0s2
Enter passphrase:
#
3) Start the standard ZFS on / procedure. I'll keep it as simple as possible here.
Code:
# zpool create -o cachefile=/tmp/zpool.cache rpool /dev/ada0s2.eli
cannot mount '/rpool': failed to create mountpoint

# zfs set mountpoint=none rpool
# zfs set atime=off rpool
# zfs set checksum=fletcher4 rpool
# zfs create rpool/ROOT
# zfs create -o mountpoint=/mnt rpool/ROOT/default
4) Small deviation from standard ZFS setup. Our unencrypted boot can't be mounted under /boot directly, we have to do a little workaround here.
Code:
# mkdir /mnt/bootdir
# mount /dev/ada0s1a /mnt/bootdir
5) Let's set up the boot stuff now, so we don't forget. Note that we need to install the bootloader in stages.
Code:
# zpool set bootfs=rpool/ROOT/default rpool
# gpart bootcode -b /boot/boot0 ada0
bootcode written to ada0
#
# gpart bootcode -b /boot/boot ada0s1
bootcode written to ada0s1
#
# df -m
Filesystem                   1M-blocks Used Avail Capacity  Mounted on
/dev/iso9660/FREEBSD_INSTALL       654  654     0   100%    /
devfs                                0    0     0   100%    /dev
/dev/md0                            30    0    27     1%    /var
/dev/md1                            18    0    17     0%    /tmp
rpool/ROOT/default               13481    0 13481     0%    /mnt
/dev/ada0s1a                       495    0   455     0%    /mnt/bootdir
6) Install the actual FreeBSD.
Code:
# cd /usr/freebsd-dist
# for i in kernel base lib32; do tar --unlink -xvPjf $i.txz -C /mnt ; done
<--output omitted-->
x ./usr/lib32/pam_permit.so.5
x ./usr/lib32/dtrace/drti.o
x ./usr/bin/ldd32
#
7) Move the /boot data to our ada0s1a partition. Pay attention to the symlink workaround.
Code:
# cd /mnt/bootdir
# mv /mnt/boot .
# cd /mnt
# ln -s bootdir/boot .
8) Update configuration files. Use an editor (vi) to edit the files which are shown with cat.
Code:
# cp -p /tmp/zpool.cache /mnt/boot/zfs
# cat /mnt/boot/loader.conf
zfs_load="YES"
geom_eli_load="YES"
vfs.root.mountfrom="zfs:rpool/ROOT/default"
#
# cat /mnt/etc/fstab
/dev/ada0s1a    /bootdir   ufs   rw 0 0 
#
# cat /mnt/etc/rc.conf
hostname="testbsd"
ifconfig_le0="DHCP"  # NOTE!: this is my virtual adapter under vmware
zfs_enable="YES"
sshd_enable="YES"
#
# cp -p /tmp/ada0s2.eli /mnt/root/
#
9) Cleanup and reboot.
Code:
# umount /mnt/bootdir/
# zfs umount -a
# zfs set mountpoint=legacy rpool/ROOT/default
# reboot
After reboot you'll see the menu with an option for which OS to boot (by pressing F1, F2..). There will be one additional option (F2, not usable), I can't remember how to remove it from the selection. I think there's a way to do it, some file under /boot to be edited.
F1 will boot you to the new FreeBSD, F3 to Windows. When booting FreeBSD you'll be prompted for a passphrase to enter in order to activate the ZFS pool.

EDIT: Yeah. A little rtfm paid off :). You can adjust your boot menu with the following command:
Code:
boot0cfg -m 0x5 ada0
For further reading check boot0cfg(8)
 
Last edited by a moderator:
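Step 0 of the howto above is the destructive one: two "gpart delete" commands typed against the wrong index would remove the Windows slice instead of the FreeBSD ones. The script below is an added example, not code from any post in this thread. It parses the text of "gpart show" (assuming the column order shown above: start, size, index, type) and only prints the two delete commands when slices 1 and 2 are of type freebsd, slice 3 is ntfs, and the space given back is enough for the 512M boot slice. The sample output is constructed from the layout quoted in the howto; nothing here calls gpart, so it can be run anywhere.

```sh
#!/bin/sh
# Added example, not code from the thread: a pre-flight check for step 0 of the
# howto. It parses "gpart show" output and only emits the two "gpart delete"
# commands when slices 1 and 2 really are the freebsd ones and slice 3 (the
# Windows system) is left alone. Nothing here runs gpart; it works on text.

# Constructed sample, same shape as the layout shown in the howto.
SAMPLE_GPART_SHOW='=>      63  83886017  ada0  MBR  (40G)
        63   1048572     1  freebsd  (512M)
   1048635  28318185     2  freebsd  (13G)
  29366820  54492480     3  ntfs  (26G)
  83859300     26780        - free -  (13M)

=>      0  1048572  ada0s1  BSD  (512M)
        0  1048572       1  freebsd-ufs  (512M)'

# slice_field <gpart show text> <index> <column>
# Prints one column of the MBR slice row with the given index; the columns are
# 1=start 2=size 3=index 4=type. The BSD sub-label tables that gpart show
# appends are skipped, so index 1 means ada0s1, not ada0s1a.
slice_field() {
    printf '%s\n' "$1" | awk -v idx="$2" -v col="$3" '
        /^=>/ { in_mbr = ($5 == "MBR"); next }   # table header: scheme is field 5
        in_mbr && $3 == idx { print $col; exit }
    '
}

# check_layout <gpart show text>
# Returns 0 only when the slices about to be deleted are freebsd and the slice
# that must survive is ntfs; reports the first mismatch otherwise.
check_layout() {
    for want in "1 freebsd" "2 freebsd" "3 ntfs"; do
        idx=${want% *} type=${want#* }
        got=$(slice_field "$1" "$idx" 4)
        if [ "$got" != "$type" ]; then
            echo "slice $idx is '$got', expected '$type'; not deleting anything" >&2
            return 1
        fi
    done
}

# free_after_delete <gpart show text>
# Sectors that slices 1 and 2 give back; this must hold the 512M boot slice
# (1048576 sectors of 512 bytes) plus the geli/ZFS slice.
free_after_delete() {
    s1=$(slice_field "$1" 1 2); s2=$(slice_field "$1" 2 2)
    echo $((s1 + s2))
}

# plan_delete <gpart show text> <disk>
# Prints the step-0 commands, but only after the checks pass.
plan_delete() {
    check_layout "$1" || return 1
    if [ "$(free_after_delete "$1")" -lt 1048576 ]; then
        echo "not enough room for a 512M boot slice" >&2
        return 1
    fi
    for i in 1 2; do printf 'gpart delete -i %s %s\n' "$i" "$2"; done
}

plan_delete "$SAMPLE_GPART_SHOW" ada0
```

Feed it the real output (for example plan_delete "$(gpart show ada0)" ada0) and run the printed commands only if it prints them; on the sample it prints the two deletes from step 0, and on a layout where slice 3 is not ntfs it prints nothing and exits 1.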
Re: Encrypting only FreeBSD partition, not entire disk.

Thank you very much!
To all who helped me with this.
 
Re: [Solved] Encrypting only FreeBSD partition, not entire disk.

@matoatlantis: Sorry, but I didn't know that you need 512 MB of RAM to use ZFS (I was following your instructions and everything went fine, until I tried to create the zpool. FreeBSD gave me a warning, telling me that I need 512 MB of RAM).
I guessed I needed to use UFS, so instead of creating the zpool I did:

# newfs -U /dev/ada0s1a
# newfs -U /dev/ada0s2.eli


Then on the sixth step I got two errors:

# cd /usr/freebsd-dist
# for i in kernel base lib32; do tar --unlink -xvPjf $i.txz -C /mnt ; done
for: Command not found
i: Undefined variable


What did I do wrong?

Thanks.

P.S.: Since I'm not using ZFS, in step 5 I omitted the following line:
# zpool set bootfs=rpool/ROOT/default rpool
Maybe that was wrong and I need to use an equivalent UFS command instead of just omitting the line?
 
Re: Encrypting only FreeBSD partition, not entire disk.

Well, more RAM is indeed recommended. It should be possible to use it with even less, but I'm not sure how stable that can be.

That 'for' error seems like you are, most likely, in csh. Verify with:
Code:
env|grep sh
If so, just execute sh and then try that command again:

Code:
sh
cd /usr/freebsd-dist
for i in kernel base lib32; do tar --unlink -xvPjf $i.txz -C /mnt ; done
If you are not using ZFS, drop any ZFS-related command and configuration item in my howto.
There are some configuration differences then, though; right now I'm just writing them as I think they should be (can't verify now).

/mnt/etc/fstab has to have a / entry:
Code:
/dev/ada0s2.eli    /    ufs  rw  0 0
/mnt/boot/loader.conf has to have the following line:
Code:
vfs.root.mountfrom="ufs:/dev/ada0s2.eli"
You have probably noticed though, that you don't have a swap now. This can be done by partitioning /dev/ada0s2.eli. Commands are the same as when ada0s1a was created. You just have to adjust configuration files.
 
Re: Encrypting only FreeBSD partition, not entire disk.

Ok. This time I could do for i in kernel base lib32; do tar --unlink -xvPjf $i.txz -C /mnt ; done
But after decompressing some files I get this error: tar: Error opening archive: Failed to open 'lib32.txz'

What does that command install? FreeBSD + Ports + Games + Source or what? Can't I just use BSD Install? (I guess not, because when I try to edit ada0s2.eli in BSD Install it says: Operation Not Permitted).
 
Re: Encrypting only FreeBSD partition, not entire disk.

c083d4 said:
Ok. This time I could do for i in kernel base lib32; do tar --unlink -xvPjf $i.txz -C /mnt ; done
But after decompressing some files I get this error: tar: Error opening archive: Failed to open 'lib32.txz'
You didn't mention what version of FreeBSD you are trying to install and what architecture you have. Now it seems you have a 32-bit one. The minimum installation is base and kernel. Base is the base system (userspace), kernel is the kernel + modules. Anything else can be installed afterwards. So just do:

Code:
for i in kernel base; do tar --unlink -xvPjf $i.txz -C /mnt ; done
Older versions of bsdinstall didn't know how to use it. Every time I had to install fresh FreeBSD I used the shell. Once you know what has to be done it's actually easier. At least for me.
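The two failures in this thread at step 6 have the same shape: the loop was typed into csh, which has no "for ...; do ...; done", and later the loop aborted half-way because lib32.txz does not exist on an i386 medium. The script below is an added example, not code from any post in this thread. It is plain POSIX sh, so it can be run as "sh script.sh" from the live CD shell, and it checks the dist files before extracting anything: a missing kernel.txz or base.txz is an error before any file is touched, a missing optional dist such as lib32 is skipped with a note. The demo dist directory it builds is constructed (tiny uncompressed archives standing in for the real .txz files), and the tar flags are assumed to be -x -p -U (the -U unlink-first option is what --unlink did in the howto; tar detects the compression itself, so -j is not needed).

```sh
#!/bin/sh
# Added example, not code from the thread: run the step-6 dist extraction from
# POSIX sh and check the dist files first, so a missing optional lib32.txz is
# skipped instead of aborting the loop, while a missing required dist is an
# error before anything has been extracted.

# extract_dists <distdir> <destdir> "<required dists>" "<optional dists>"
# Returns 1 without extracting anything if a required dist is missing.
extract_dists() {
    distdir=$1 destdir=$2 required=$3 optional=$4
    for d in $required; do
        if [ ! -f "$distdir/$d.txz" ]; then
            echo "error: required dist $d.txz not found in $distdir" >&2
            return 1
        fi
    done
    for d in $required $optional; do
        if [ -f "$distdir/$d.txz" ]; then
            echo "extracting $d.txz"
            # -U unlinks existing files first (what --unlink did in the howto);
            # -f without -j lets tar detect the compression of a .txz itself.
            tar -x -p -U -f "$distdir/$d.txz" -C "$destdir" || return 1
        else
            echo "note: optional dist $d.txz not present, skipping" >&2
        fi
    done
}

# make_demo_dists <dir>
# Constructed stand-in for /usr/freebsd-dist: a tiny kernel.txz and base.txz
# (uncompressed tar, made-up content) and no lib32.txz, which is the situation
# on an i386 install medium.
make_demo_dists() {
    src=$(mktemp -d)
    mkdir -p "$src/boot/kernel" "$src/bin"
    echo "demo kernel" > "$src/boot/kernel/kernel"
    echo "demo binary" > "$src/bin/sh"
    tar -c -f "$1/kernel.txz" -C "$src" boot
    tar -c -f "$1/base.txz" -C "$src" bin
    rm -rf "$src"
}

# demo_run
# Builds the demo dists, extracts them into a temporary stand-in for /mnt and
# prints that directory; returns 1 if the extraction failed.
demo_run() {
    dist=$(mktemp -d); dest=$(mktemp -d)
    make_demo_dists "$dist"
    extract_dists "$dist" "$dest" "kernel base" "lib32" >/dev/null 2>&1 || return 1
    printf '%s\n' "$dest"
}

# Stand-alone run: extract the demo dists and list what landed in the fake /mnt.
out=$(demo_run) && find "$out" -type f
```

On the real live CD the call would be extract_dists /usr/freebsd-dist /mnt "kernel base" "lib32", after the zpool (or the newfs'd ada0s2.eli) is mounted on /mnt as in the howto.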
 
Re: Encrypting only FreeBSD partition, not entire disk.

I mentioned I was using FreeBSD 10.0-Release in the 1st post, although I didn't say I was using i386.
This time I could do all the process without problems...
Thank you very much.

P.S.: I forgot to copy ada0s2.eli to my root folder. Hope that wasn't important.
 
Re: [Solved] Encrypting only FreeBSD partition, not entire disk.

Np.
That backup can come in handy if you, for some reason, lose the geli metadata. Actually you should keep it out of the encrypted FS, as you need to have access to it when the encrypted FS is not available.
You can still make a backup on a running system. I suggest you store it somewhere in /boot, maybe in /boot/.keep, just so you know you have it safely stored.

Code:
mkdir /boot/.keep
chmod 700 /boot/.keep
geli backup /dev/ada0s2 /boot/.keep/ada0s2.eli
chflags schg  /boot/.keep/ada0s2.eli
This way you won't erase it by mistake. If you later decide to (re)move that file, execute first:
Code:
chflags noschg /boot/.keep/ada0s2.eli
 
Re: [Solved] Encrypting only FreeBSD partition, not entire disk.

When I created this thread I was using FreeBSD 10.0-RELEASE, but now I'm trying to do the same thing on FreeBSD 9.3-RELEASE.
I'm having a problem, when I do mkdir /mnt/bootdir I get this error:
Code:
mkdir: /mnt/bootdir: Read-only filesystem
I don't know if I'm doing something wrong or if it isn't the same on 9.3. Please help.

Thanks to everyone.

Edit: Forgot to mount ada0s2.eli to /mnt
 
Re: Encrypting only FreeBSD partition, not entire disk.

I have another problem. I've followed the instructions exactly as they were, but after rebooting when I press F1 to boot FreeBSD, nothing happens. The only thing that I see are several "#" flashing on screen. Hopefully, I'm still able to boot into Windows.

http://s28.postimg.org/a8cib2ygr/DSC_0306.jpg

Edit: I fixed the problem with these commands

gpart set -a active -i 1 ada0
gpart bootcode -b /boot/boot ada0s1
boot0cfg -B /dev/ada0
 