Installing FreeBSD on an encrypted volume
Robert Simmons
rsimmons0 at gmail.com
Fri May 13 05:16:52 UTC 2011
I have been trying to get FreeBSD installed on an encrypted volume and I've
run into an annoying problem. Before I describe the problem, let me explain
what I have done so far.
First I used gpart to make GPT partitions: one freebsd-boot, two
freebsd-ufs. The freebsd-boot is 64k and the following command installed
the boot code:
# gpart bootcode -b /mnt2/boot/pmbr -p /mnt2/boot/gptboot -i 1 ad0
The second freebsd-ufs is 200M for /boot and the third is for the GELI based
encrypted swap and /. I used geli to encrypt ad0p3 and again used gpart to
carve it into two BSD slices, one 512m for swap and the other the rest of
the disk for /.
After everything is newfs'd and ad0p1 and ad0p3.elib are mounted as
/mnt/boot and /mnt/root respectively, I did "export DESTDIR=/mnt/root" and
ran the install.sh scripts in /dest/8.2-RELEASE/base and
/dest/8.2-RELEASE/kernels.
The next thing I did was to modify the /mnt/root/boot/loader.conf file so
that it loads the geom_eli module and edit the /mnt/root/boot/device.hints
file so that the password on boot works correctly for the encrypted volume.
And I moved /mnt/root/boot/GENERIC to /mnt/root/boot/kernel.
Then I copied the contents of /mnt/root/boot to /mnt/boot. I created a
directory /mnt/boot/etc and made a fstab and put one copy there and another
copy in /mnt/root/etc.
This works great; however, I am left with /boot in two different places and
/etc/fstab in two places as well. I would like to know if someone can come
up with a more elegant solution to this. At the moment I am mounting
/dev/ad0p2 as /bootdir and whenever I update the system, once the update is
done, I just do an archival copy of the contents of /boot into /bootdir/boot
and if there is a change to fstab I make the change in both places.
I understand that /boot cannot be encrypted (at the moment, until things
change). But I would like to have /boot mounted directly from /dev/ad0p2 so
there is only one copy of it.
Any thoughts?
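The manual sync step in the post (an archival copy of /boot into /bootdir/boot after each update, plus two hand-edited copies of fstab) is easy to miss, and a stale unencrypted /boot is only noticed at the next reboot. The following shell script is added here and is not part of the original post: it checks that the two copies still match. It assumes the post's layout (ad0p2 mounted at /bootdir, staged copies at /bootdir/boot and /bootdir/etc/fstab); the demo tree and its contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the staged,
# unencrypted copy of /boot and /etc/fstab still match the copies on the
# encrypted root, so a missed post-update copy is caught before a reboot.
# Path layout is an assumption taken from the post: ad0p2 mounted at
# /bootdir, staged copies at /bootdir/boot and /bootdir/etc/fstab.

# boot_in_sync ROOT_BOOT STAGED_BOOT ROOT_FSTAB STAGED_FSTAB
# Lists every file that differs; returns 0 if both copies match, 1 otherwise.
boot_in_sync() {
    rc=0
    # whole-tree compare: kernel, modules, loader.conf, device.hints
    if ! diff -rq "$1" "$2" >/dev/null 2>&1; then
        echo "boot trees differ: $1 vs $2"
        diff -rq "$1" "$2" 2>&1 | sed 's/^/  /'
        rc=1
    fi
    if ! cmp -s "$3" "$4"; then
        echo "fstab differs: $3 vs $4"
        rc=1
    fi
    return "$rc"
}

# Constructed demo tree in a temp dir (stands in for / and /bootdir).
demo_dir=$(mktemp -d)
root_boot="$demo_dir/root/boot";       staged_boot="$demo_dir/bootdir/boot"
root_fstab="$demo_dir/root/etc/fstab"; staged_fstab="$demo_dir/bootdir/etc/fstab"
mkdir -p "$root_boot/kernel" "$staged_boot" "$demo_dir/root/etc" "$demo_dir/bootdir/etc"
printf 'geom_eli_load="YES"\n' > "$root_boot/loader.conf"
printf 'constructed-kernel-bytes\n' > "$root_boot/kernel/kernel"
# constructed fstab: device names follow the post's layout
printf '/dev/ad0p3.elib\t/\tufs\trw\t1\t1\n/dev/ad0p2\t/bootdir\tufs\trw\t2\t2\n' > "$root_fstab"
cp -R "$root_boot/." "$staged_boot/"          # the post's "archival copy" step
cp "$root_fstab" "$staged_fstab"

if boot_in_sync "$root_boot" "$staged_boot" "$root_fstab" "$staged_fstab"; then
    echo "OK: /boot and fstab copies match"
fi
```

Run it from a cron job or after each update with the real paths substituted; a non-zero exit means the unencrypted /boot no longer reflects the kernel or loader configuration on the encrypted root.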