how-to: encryption + journaling (geli + gjournal)
Volker
volker at vwsoft.com
Sun Jan 13 15:15:42 PST 2008
For the archives (as I haven't found a nice how-to on this topic):
A short how-to to get geli + gjournal running smoothly (the lazy way,
depending mostly on OS infrastructure, no script hacking needed).
- set up your geli provider:
geli load
geli init /dev/ad0s1d # check geli(8) for this
geli attach /dev/ad0s1d
dd if=/dev/random of=/dev/ad0s1d.eli bs=1m # (use higher values bs=... for faster operation)
- set up journaling
gjournal load
gjournal label /dev/ad0s1d.eli
newfs -J /dev/ad0s1d.eli.journal
/etc/fstab:
/dev/ad0s1d.eli.journal /anywhere ufs rw,async,late 2 2
/etc/rc.conf:
geli_devices="ad0s1d"
geli_ad0s1d_flags="" # depends on how you've set up geli
geli_ad0s1d_autodetach="NO"
/boot/loader.conf:
geom_eli_load="YES"
geom_journal_load="YES"
Warning: If you make a mistake, your machine will go into single user
mode on reboot. Don't try this w/o console access.
For a desktop machine, using a passphrase is not that bad (beware of
key loggers).
It's probably not *the* solution for everybody, but isn't that easy to
get security and fault tolerance?
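
A pre-reboot check for the warning above, as an added example that is not part of the original post. The function name check_geli_journal and its argument order are made up for illustration; it only verifies that the three files agree with the settings shown in the how-to, for a simple provider name such as ad0s1d.

```shell
#!/bin/sh
# Added example: consistency check for the geli + gjournal how-to above.
# check_geli_journal is a hypothetical helper, not a FreeBSD tool.
# Usage: check_geli_journal PROVIDER FSTAB RC_CONF LOADER_CONF
#   e.g. check_geli_journal ad0s1d /etc/fstab /etc/rc.conf /boot/loader.conf
# Prints one line per problem; returns 0 only when no problem was found.
# Assumes a plain provider name (no slashes), as in the how-to.
check_geli_journal() {
    prov=$1 fstab=$2 rcconf=$3 loader=$4
    dev="/dev/${prov}.eli.journal"
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # fstab: the journaled device must be listed and carry the "late" option.
    opts=$(awk -v d="$dev" '$1 == d { print $4 }' "$fstab")
    if [ -z "$opts" ]; then
        fail "$fstab has no entry for $dev"
    else
        case ",$opts," in
            *,late,*) ;;
            *) fail "$dev is missing the 'late' mount option in $fstab" ;;
        esac
    fi

    # rc.conf: geli_devices must name the provider (space-separated list).
    devices=$(sed -n 's/^geli_devices="\([^"]*\)".*/\1/p' "$rcconf")
    case " $devices " in
        *" $prov "*) ;;
        *) fail "geli_devices in $rcconf does not list $prov" ;;
    esac

    # rc.conf: autodetach is set to NO in the how-to.
    grep -q "^geli_${prov}_autodetach=\"NO\"" "$rcconf" ||
        fail "geli_${prov}_autodetach is not \"NO\" in $rcconf"

    # loader.conf: both GEOM classes must be loaded at boot.
    for mod in geom_eli geom_journal; do
        grep -q "^${mod}_load=\"YES\"" "$loader" ||
            fail "${mod}_load=\"YES\" is missing from $loader"
    done

    [ "$problems" -eq 0 ]
}
```

Run it from the console before rebooting; a non-zero exit status means at least one of the files does not match the setup described above.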