[Tutorial] Full disk encryption install with external boot cd on an old laptop

Documenting here so that I can find it later ... and maybe it can be useful to someone...

Target computer
: an old laptop which has not enough memory to support ZFS.
Problem to be solved: laptop contains sensitive information but may stay unattended and is vulnerable to the "evil maid" attack. Therefore it must only boot from a "trusted" read only device.
Other problem: the laptop does not support USB boot, but it contains a CD writer which you can not use during the install since the slot is occupied by the Install CD.

Based on: https://vesterman.com/FreeBSD/FullDiskEncryption

As on the above link we will use UFS + GELI.
The laptop contains only one disk which appears as "ada0". The swap partition will be on "ada0p1" and the root partition on "ada0p2". After decryption they will appear as ada0p1.eli and ada0p2.eli.
This tutorial is written using FreeBSD 10.3 RELEASE.

Step 1. Perform a throwaway install of FreeBSD
- Download and burn the FreeBSD Install CD, boot and perform a standard installation up to the point where you have a functional network. Reboot.
- Copy the followings scripts on a USB key and mount it ( mount -t msdosfs /dev/da0s1 /media should do the job).
- Insert a blank CDR into the drive and run the script:

pkg install -y cdrtools

mkdir -p /root/isocd
cp -av /boot /root/isocd/

cat >>/root/isocd/boot/loader.conf<<EOF

mkisofs -R -no-emul-boot -b boot/cdboot -o /root/bootcd.iso /root/isocd

read -p "Please insert a blank CDR" X
cdrecord -v /root/bootcd.iso

At this point you will have a bootable CD that will contain the kernel and will ask you your password to mount a GELI container on ada0p2 which contains the root partition.

Step 2. Perform your real install of FreeBSD
- Reboot on the install CD
- On the Partitionning screen, choose "Shell"
- Mount your USB key and run this script
- Be careful when choosing your encryption password. During the install you have your usual "local" keyboard (the one you choose at the first install screen), during the boot you will have a "US" keyboard (QWERTY) and that's where you will have to supply the password.


set -x

read -p "Last chance to stop before destroying ada0 ... OK ? (CTRL-C to stop)" X

# Destroy existing partitions
gpart destroy -F ada0
# Partition the Hard Drives
gpart create -s gpt ada0
# Create the swap partition
gpart add -t freebsd-swap -a 1M -l swap -s 512M ada0
# Create the root partition
gpart add -t freebsd-ufs -a 1M -l root ada0
# Prepare the root partition for encryption
geli init -b -s 4096 ada0p2
# GELI attach the encrypted partition
geli attach ada0p2
# Create file systems
newfs -U /dev/ada0p2.eli
# Mount the target partition
mount /dev/ada0p2.eli /mnt

# Create FSTAB
cat >>/tmp/bsdinstall_etc/fstab<<EOF
# Device  Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0p1.eli  none  swap  sw  0  0
/dev/ada0p2.eli  /  ufs  rw  1  1
# Create loader.conf
cat >>/tmp/bsdinstall_boot/loader.conf<<EOF
- Exit the shell, continue the install as usual
- Reboot on the CD, eject it after the boot
- Store it securely and check that it has not been tampered with each time you boot.

Feedback welcome.
Last edited: