harddrive encryption

User Wojtek wojtek at wojtek.tensor.gdynia.pl
Tue Jan 18 23:28:33 UTC 2011

no at installation if you use standard installer.
as i don't use standard installer at all, i don't have such a problem.
i use any bootable FreeBSD media (actually my own made pendrive), and then make 
labels, do newfs, mount, unpack files etc.

if you can't do that then you may follow my advice

install as usual, but make partitions like

a: root - 10-20GB
b: swap - as you need
d: rest - don't allow to directory

install on a and b.

then after booting your system, and building and installing your kernel with 
GEOM_ELI inside:

geli init -s 2048 (or 4096 whatever fragment size you plan) /dev/ad0d (or ada0d 
or how is your disk named).
geli attach /dev/ad0d

newfs <options here> /dev/ad0d.eli

mount /dev/ad0d.eli /mnt
cd /mnt
tar --exclude /usr -cf - /|tar xpf -
so you have copied all data except /usr to /mnt
then edit /mnt/etc/fstab
make ad0d.eli as root and
ad0a as /usr
then edit /mnt/boot/loader.conf
then reboot to single user mode
after booting
/sbin/mount /usr - should mount fine
cd /usr
and delete with rm -rf everything except usr subdirectory
mv usr/* .
rm -rf usr
cd /
rm -rf boot
ln -s /usr/boot .
then press CTRL-D and you have your encrypted system up.

You don't have /usr encrypted as your software packages are not secret data. 
/usr is a: partition so bootloader boots from here.
/usr/boot is linked to /boot to make it accessible for system programs as 

but your /usr/local/etc may be secret so
cd /usr/local
mv etc /etc/local
ln -s /etc/local etc

this is how i configure my system everywhere i use geli.
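
Added example, not part of the original message: a small shell check that reads an fstab and reports which entries sit on a geli (.eli) provider and which stay plaintext, using the layout the message describes (root on ad0d.eli, /usr on ad0a). The fstab contents are a constructed sample; the mount options and the swap line are assumptions.

```sh
#!/bin/sh
# Constructed sample fstab for the layout in the message above.
# Device names come from the message; options and the swap line are assumed.
sample_fstab() {
cat <<'EOF'
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0d.eli   /           ufs     rw       1     1
/dev/ad0a       /usr        ufs     rw       2     2
/dev/ad0b       none        swap    sw       0     0
EOF
}

# Read fstab lines on stdin and print "mountpoint device status" per entry.
# status is "geli" when the device is a .eli provider, otherwise "plaintext".
audit_fstab() {
    while read -r dev mnt fstype _rest; do
        # Skip blank lines and comments.
        case "$dev" in ''|'#'*) continue ;; esac
        # Swap has no mount point; label it so it shows up in the report.
        if [ "$fstype" = swap ]; then mnt=swap; fi
        case "$dev" in
            *.eli) status=geli ;;
            *)     status=plaintext ;;
        esac
        printf '%s %s %s\n' "$mnt" "$dev" "$status"
    done
}

# Succeed only if the root filesystem is on a geli provider.
root_is_encrypted() {
    audit_fstab | grep -q '^/ .* geli$'
}

# Print the entries whose contents are stored unencrypted.
plaintext_entries() {
    audit_fstab | awk '$3 == "plaintext" { print $1 }'
}

# Report for the constructed sample.
sample_fstab | audit_fstab
```

On a real system, feed it /etc/fstab instead of the sample: audit_fstab < /etc/fstab. In this layout swap on ad0b is reported as plaintext along with /usr, so anything paged out of memory lands on disk unencrypted.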
