Does 9.0-stable installer support full disc encryption

Wojciech Puchar wojtek at wojtek.tensor.gdynia.pl
Fri Apr 20 15:08:47 UTC 2012


>
> Wasn't able to find something about this: Do I have a chance to do
> direct installation of a FreeBSD into a full encrypted environment where
> not only /home, but also e.g. /usr is encrypted? Currently I've got such
As I always say, the best installer is no installer, as it supports 
everything you want exactly because YOU do the (simple) installation steps 
as you want.

Actually, except the very first time I tried FreeBSD, I never used it: 
both the old sysinstall and the new one that I don't even know, as I don't compile it.

REALLY - grab some usable self-contained DVD/CD/pendrive that boots into 
complete FreeBSD, add compressed install files (may be like distro or your 
own), then just make partitions, newfs them, perform bsdlabel -B (or 
gpart), and unpack.

Or make partitions, geli init + geli attach the right one, newfs and unpack.


If you want ALL encrypted then:

- make very small /b partition like 100-200 megs unencrypted
- after unpacking from your / partition move /boot to /b/boot, then make a 
link /boot -> b/boot
- in loader.conf add

vfs.root.mountfrom="ufs:yourrootpartition"

ex.

vfs.root.mountfrom="ufs:ada0d.eli"



With the standard generic kernel you need

geom_eli_load="YES" in loader.conf too



After all works, compile your kernel, make sure GEOM_ELI is compiled in (no 
need for module), and - if you have one of the latest Intel CPUs, or one of 
the "less latest" VIA CPUs - apply a driver for hardware accelerated AES 
encryption. Speedup of encryption from 50MB/s to 2-3GB/s is quite normal 
:)


Actually I usually encrypt everything on such hardware as the encryption load 
is not noticeable.
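
Added example, not part of the original message: a small sh check that a loader.conf carries the two settings described above, so a root that would silently mount unencrypted is caught before reboot. The function names and the sample file contents are constructed for illustration; only the two loader.conf keys and the ada0d.eli device name come from the message.

```shell
#!/bin/sh
# Added example (not from the original post): audit loader.conf for the
# root-on-geli settings the message describes.

# Effective value of key $2 in file $1: comments stripped, last assignment
# wins, surrounding double quotes removed.
loader_conf_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n -e 's/[[:space:]]*#.*$//' \
        -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//'
}

# check_geli_root FILE [builtin]
# Pass "builtin" when GEOM_ELI is compiled into the kernel, so the module
# line is not required. Returns 0 only if the root would be on geli.
check_geli_root() {
    rc=0
    root=$(loader_conf_get "$1" vfs.root.mountfrom)
    load=$(loader_conf_get "$1" geom_eli_load)
    case $root in
        "")        echo "FAIL: vfs.root.mountfrom is not set"; rc=1 ;;
        ufs:*.eli) echo "ok: root on geli provider ${root#ufs:}" ;;
        *)         echo "FAIL: root '$root' is not a .eli provider"; rc=1 ;;
    esac
    case $load in
        [Yy][Ee][Ss]) echo "ok: geom_eli loaded by the loader" ;;
        *)  if [ "${2:-}" = builtin ]; then
                echo "ok: geom_eli_load absent, GEOM_ELI stated as built in"
            else
                echo "FAIL: geom_eli_load is not YES (generic kernel)"; rc=1
            fi ;;
    esac
    return $rc
}

# Constructed sample: the two lines from the message plus a commented-out one.
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#vfs.root.mountfrom="ufs:ada0d"
vfs.root.mountfrom="ufs:ada0d.eli"   # encrypted root
geom_eli_load="YES"
EOF
    check_geli_root "$f"; r=$?
    rm -f "$f"
    return $r
}
demo
```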

