# HOWTO: Quick GELI encryption guide



## bbzz (Feb 9, 2012)

There are many ways to do this, as presented on forum, but this is the simplest method I've used.

This assumes you are using UFS for your disks. I will encrypt my AsusEEE which I carry with me everywhere and holds sensitive data.
This guide will encrypt whole disk, while using another small partition to */boot* system.


*1.* Boot installation CD/USB, go to "Live CD".
*2.* Destroy previous partitioning

```
dd if=/dev/zero of=/dev/ada0 bs=512 count=1
```

Note: If you previously used GPT scheme on this disk, destroy it with

```
gpart destroy -F ada0
```

*3.* Use *gpart* to create partitions/bsdlabels

```
gpart create -s mbr ada0
gpart add -t freebsd -a 4k -s 768m ada0  # This is [FILE][B]/boot[/B][/FILE], enough to hold two full kernels
gpart add -t freebsd -a 4k         ada0  # This will be encrypted

gpart create -s bsd ada0s1
gpart add -t freebsd-ufs -a 4k ada0s1

gpart bootcode -b /boot/mbr ada0
gpart bootcode -b /boot/boot ada0s1
gpart set -a active -i 1 ada0
```

*4.* Label second partition

```
glabel label -v eee /dev/ada0s2
```

*5.* Init/attach *geli* 

```
geli init -b -s4096 -l256 /dev/label/eee
geli attach /dev/label/eee
```
Note: speed difference between AES128 and AES256 is minimal at best, use AES256.

*6.* Now create bsdlabels for that second partition:

```
gpart create -s bsd /dev/label/eee.eli
gpart add -t freebsd-ufs  -s 768m /dev/label/eee.eli # /
gpart add -t freebsd-swap -s 512m /dev/label/eee.eli # swap
gpart add -t freebsd-ufs  -s 512m /dev/label/eee.eli # /var
gpart add -t freebsd-ufs  -s 512m /dev/label/eee.eli # /tmp
gpart add -t freebsd-ufs  -s 10g  /dev/label/eee.eli # /usr
gpart add -t freebsd-ufs          /dev/label/eee.eli # /home
```
Note: YMMV.

*7.* *newfs* everything you created so far:

```
newfs /dev/ada0s1a
newfs -j /dev/label/eee.elia
newfs -j /dev/label/eee.elid
newfs -j /dev/label/eee.elie
newfs -j /dev/label/eee.elif
newfs -j /dev/label/eee.elig
```

*8.* Mount your base system:

```
mount /dev/label/eee.elia /mnt
mkdir /mnt/var
mkdir /mnt/usr
mkdir /mnt/home
mount /dev/label/eee.elid /mnt/var
mount /dev/label/eee.elif /mnt/usr
```

*9.* Install:

```
sh
cd /usr/freebsd-dist
export DESTDIR=/mnt
for file in base.txz kernel.txz doc.txz src.txz
do
cat $file | tar --unlink -xpJf - -C ${DESTDIR:-/}
done
```

*10.* Add stuff to *loader.conf*:

```
echo 'geom_eli_load="YES"' > /mnt/boot/loader.conf
echo 'vfs.root.mountfrom="ufs:/dev/label/eee.elia"' >> /mnt/boot/loader.conf
```

*11.* And to *fstab*:

```
cat > /mnt/etc/fstab << __EOF__
/dev/label/eee.elia /     ufs    rw               1 1
/dev/label/eee.elib none  swap   sw               0 0
/dev/label/eee.elid /var  ufs    rw               2 2
/dev/label/eee.elie /tmp  ufs    rw,noatime,async 2 2
/dev/label/eee.elif /usr  ufs    rw               2 2
/dev/label/eee.elig /home ufs    rw               2 2
proc                /proc procfs rw               0 0
__EOF__
```

Note: YMMV.

*12.* Finally, copy boot contents to first partition you'll be booting from:

```
mount /dev/ada0s1a /tmp
cp -Rvp /mnt/boot /tmp/
```

*13.* *reboot*

Additional notes:

- Remember that your */boot* that gets read at boot time is sitting on separate unencrypted partition, which was the whole point of creating it. This means that every change you make on encrypted partition which holds /boot should be copied to encrypted partition (such as building a new kernel, OR adding new nvidia.ko file, etc).
   You could have your separate /boot partition mounted whole time, but I prefer not to.
   You could also have /boot on small USB that you can plug in at boot time and then plug out after booting is done.
Pointed out by *@fonz*, thank you.


- If you have separate /tmp partition, don't forget to change its permissions like so:
`# chmod 1777 /mnt/tmp` 
(or wherever is your /tmp). I figured this is a given 'housekeeping', so didn't mention it originally. Thanks for remind.

- If you get to part where *geli* can't mount correctly (mountfrom... error), change (in *loader.conf*): 

```
vfs.root.mountfrom=ufs:/dev/label/eee.elia
```
to

```
vfs.root.mountfrom=ufs:/dev/ada0s2.elia
```
(or wherever is your encrypted root partition).


----------



## ryu (Mar 14, 2012)

bbzz said:
			
		

> *5.* Init/attach *geli*
> 
> ```
> geli init -b -s4096 -l256 /dev/label/eee
> ```



Doesn't work for me.


----------



## fonz (Mar 14, 2012)

ryu said:
			
		

> Doesn't work for me.


Care to elaborate? We're not mind readers you know. Why doesn't it work for you?

Do you get error messages? Does it cause the system to freeze up? Does it cause the kernel to crash? Does it fail to give you a cookie? Did it ruin your soup? Just saying "doesn't work for me" is not particularly helpful.

Fonz

P.S. Try it with spaces in the arguments like this (the red underscores are spaces):

```
geli init -b -s[red]_[/red]4096 -l[red]_[/red]256 /dev/label/eee
```


----------



## ryu (Mar 22, 2012)

fonz said:
			
		

> Care to elaborate?
> P.S. Try it with spaces in the arguments like this (the red underscores are spaces):
> 
> ```
> ...



I got just a syntax error. I've mistken the "-l 256" as "-1 256". Sorry. 

But *I* have problems with another step now.

OP is saying:



> newfs *everything* you created so far:



But you don't *newfs* the /dev/label/eee.elib, the swap space. Is this correct?

Also *I* don't understand this step:



> And to fstab:



How to do this? I can't open it with vi or something. Should *I* just type the commands like all the other in the shell?


```
cat > /mnt/etc/fstab << __EOF__
/dev/label/eee.elia /     ufs    rw               1 1
/dev/label/eee.elib none  swap   sw               0 0
/dev/label/eee.elid /var  ufs    rw               2 2
/dev/label/eee.elie /tmp  ufs    rw,noatime,async 2 2
/dev/label/eee.elif /usr  ufs    rw               2 2
/dev/label/eee.elig /home ufs    rw               2 2
proc                /proc procfs rw               0 0
__EOF__
```


----------



## bbzz (Mar 22, 2012)

ryu said:
			
		

> But you don't newfs the "/dev/label/eee.elib", the swap space. Is this correct?



Yes.



> Should i just type the commands like all the other in the shell?
> 
> 
> ```
> ...



I made it convenient to just copy/paste this. Or you could type it manually.


----------



## ryu (Mar 22, 2012)

bbzz said:
			
		

> Or you could type it manually.



All right. I would type it manually directly in the shell, yes? Or should *I* open /mnt/etc/fstab with an editor (which?) and type it there?


----------



## kpa (Mar 22, 2012)

The construct you see at point 11. is called a "here document". It basically inserts what's between the markers __EOF__ into the input stream as if it was typed at that point (the << signs) manually. Try it by changing the file name on the first for example to /tmp/fstab.


----------



## ryu (Mar 22, 2012)

Oh well. I just want to type this all manually. How exectly can *I* do this? Sorry for all the questions, but *I* don't get it.

I understand step 11 like this:

Open /mnt/etc/fstab, type in this code and save. 
	
	



```
/dev/label/eee.elia /     ufs    rw               1 1
/dev/label/eee.elib none  swap   sw               0 0
/dev/label/eee.elid /var  ufs    rw               2 2
/dev/label/eee.elie /tmp  ufs    rw,noatime,async 2 2
/dev/label/eee.elif /usr  ufs    rw               2 2
/dev/label/eee.elig /home ufs    rw               2 2
proc                /proc procfs rw               0 0
```

I just want to know how *I* can do this, directly from the shell. I can't open it with vi.


----------



## kpa (Mar 22, 2012)

You can copy/paste it all into a terminal window and it just works


----------



## fonz (Mar 22, 2012)

ryu said:
			
		

> But you don't newfs the "/dev/label/eee.elib", the swap space. Is this correct?


More or less. Actually, it doesn't matter. You *can* newfs(8) the swap partition, it doesn't do any harm. But there's no point either because the filesystem will simply be overwritten (i.e. destroyed) the first time the swap partition is being used.

In other words: you don't need to newfs the swap partition, but it's not a problem if you accidentally do.



			
				ryu said:
			
		

> Should i just type the commands like all the other in the shell?
> 
> 
> ```
> ...


In the end, you need to _somehow_ place the above lines minus the red ones into the file /mnt/etc/fstab. Exactly how you do that is entirely up to you. If you have copy-paste available, you can just copy-paste the entire thing (including the red lines) as one single command. You can also type it manually. Alternatively, you could use seperate echo commands: type something like
`# echo "/dev/label/eee.elia / ufs rw 1 1" >> /mnt/etc/fstab`
for every line except the red ones (don't forget to use >> and not >). And lastly, if you use FreeBSD 9.0 and choose "Live CD" in bsdinstall(8), vi(1) should be available.

Not to invalidate anything kpa said, on the contrary. But perhaps this clarifies things a bit further.

Fonz


----------



## ryu (Mar 22, 2012)

Great. Thanks for the info. I will try this out.

Another question, why is it neccessary to create swap, /var, /tmp, /usr, /home in this guide manually? I found this tutorial http://namor.userpage.fu-berlin.de/howto_fbsd9_encrypted_ufs.html and it looks way more simple. (not only from the manually typing-side  ) What exactly is the difference between this two methods? Is one more secure? I just want to encrypt my whole HDD and don't know which method *I* should use.


----------



## bbzz (Mar 22, 2012)

The method I used is better [1].

Other method uses GPT. With GPT you can only create partitions. That means for every partition you need, */*, */var*, */usr*, etc, you need another *geli* encrypted partition. This is quite a hassle when you boot a system, and puts quite a bit of additional resource penalty because now you have many encrypted partitions.

This tutorial uses MBR, which allows you to create bsdlabes inside slices, thereby allowing you to *geli* encrypt only one slice, and add all mentioned bsdlabels inside that one slice.

If you want only */* partition, then it doesn't matter.

Also, there are examples which put swap on different slice and use one-time *geli* encryption upon boot. In this method you don't do that since swap is just another bsdlabel, making it overall simpler.

As for taking it longer to configure, I don't see how that would matter. Configuration is pretty straightforward and you are suppose to only do this once [2].


[1] What I would consider better might not be necessarily better for you. However, I would consider this method objectively better.
[2] Unless this is your first time and you are likely to blow up something and try it again.


----------



## _martin (Mar 22, 2012)

bbzz said:
			
		

> Other method uses GPT. With GPT you can only create partitions.



On the contrary, you can do the same with GPT:


```
foxi:(~)# gpart create -s gpt md0
md0 created
foxi:(~)# gpart show md0
=>     34  1048509  md0  GPT  (512M)
       34  1048509       - free -  (512M)

foxi:(~)# gpart add -t freebsd-zfs -s 128M md0
md0p1 added
foxi:(~)# gpart add -t freebsd md0
md0s2 added
foxi:(~)# gpart create -s bsd /dev/md0s2
md0s2 created
foxi:(~)# gpart add -t freebsd-ufs -s 64M /dev/md0s2
md0s2a added
foxi:(~)# gpart add -t freebsd-ufs -s 64M /dev/md0s2
md0s2b added
foxi:(~)#
```

You can check the label:


```
foxi:(~)# bsdlabel /dev/md0s2
# /dev/md0s2:
8 partitions:
#          size     offset    fstype   [fsize bsize bps/cpg]
  a:     131072          0    4.2BSD        0     0     0
  b:     131072     131072    4.2BSD        0     0     0
  c:     786365          0    unused        0     0     # "raw" part, don't edit
foxi:(~)#
```

`# gpart show`

```
=>     34  1048509  md0  GPT  (512M)
       34   262144    1  freebsd-zfs  (128M)
   262178   786365    2  freebsd  (384M)

=>     0  786365  md0s2  BSD  (384M)
       0  131072      1  freebsd-ufs  (64M)
  131072  131072      2  freebsd-ufs  (64M)
  262144  524221         - free -  (256M)
```

IMHO BSD slices are just pain .. pure pain .. specially when filesystem needs to be extended.


----------



## fonz (Mar 22, 2012)

The latter is true. It is perfectly possible to first encrypt the "raw" disk with geli and then GPT-partition that one "container". In fact, I did exactly that mere days ago on my netbook. However, if for whatever reason you need to put the (always required) unencrypted boot partition on the same disk (instead of, say, a USB flash drive), you're forced to partition before encrypting and then you'll probably have to either use several containers indeed or use MBR+disklabel (one container per slice).

Just for completeness and/or clarity: if you do need to use several containers, it's possible to configure things such that "unlocking" (for lack of a better word) encryption only requires keyfiles rather than a whole bunch of passwords.

Perhaps I (or someone else) should write a complete encryption guide covering all sorts of setups. In fact I've already started just that but unfortunately I'm kinda busy (researching model checking for the Large Hadron Collider, among other things) and don't have a whole lot of free time to work on it.

Fonz


----------



## redw0lfx (Mar 22, 2012)

Is there a noticeable impact with encrypting the OS partitions vs just running plain UFS?  I am running an AMD FX6100 with 6GB of RAM.  I don't do as much disk i/o since half my time is spend ssh'd into other systems, but am wondering if I will notice the difference?


----------



## fonz (Mar 22, 2012)

redw0lfx said:
			
		

> Is there a noticeable impact with encrypting the OS partitions vs just running plain UFS?


I haven't done any benchmarking nor am I aware of others having done any, but my experience is that the performance penalty is not significant.

Fonz


----------



## bbzz (Mar 23, 2012)

Ah, that's nice, I didn't even thought GPT and bsdlabels.

In the end both methods work, I really don't see any difference. If anything, I found out that my Toshiba laptop won't boot GPT without BIOS hack, unfortunately.


----------



## ryu (Mar 24, 2012)

fonz said:
			
		

> Perhaps I (or someone else) should write a complete encryption guide covering all sorts of setups. In fact I've already started just that but unfortunately I'm kinda busy (researching model checking for the Large Hadron Collider, among other things) and don't have a whole lot of free time to work on it.



I would really appreciate it.


----------



## bbzz (Mar 24, 2012)

So ryu, did you manage to get it working?


----------



## ryu (Mar 24, 2012)

Yes, I have managed to get it working on virtualbox at least. I've done the steps 10 and 11 with ee though. I will try it again on a physical drive later. Thanks for all the help and the nice guide.

I would like to know how to configure my LAN/DHCP settings to install GNOME etc. It was done automatically by sysinstall, but I don't know how to do it manually.


----------



## bbzz (Mar 24, 2012)

I suggest you open another thread for that, then someone will help you.


----------



## ryu (Mar 24, 2012)

I've managed it now to install it also on my real system. Many thanks for this guide.


----------



## bbzz (Mar 24, 2012)

You are welcome mate.


----------



## redw0lfx (Mar 25, 2012)

Many thanks as well. Configured FreeBSD on HP Mini-210 netbook using this guide, and I did not notice any difference in speed or disk i/o during write operations.  I found it just a bit simpler setup than using LVM on CryptFS drive on ArchLinux (LVM on top of encrypted container).


----------



## ryu (Mar 27, 2012)

I found an installer script for FreeBSD 9.0 and was wondering if it would be possible to implement the encryption part in this script?

I'm not asking for someone doing it, just wondering if it would be possible at all, for example with a preconfigured passphrase in the script.


```
#!/bin/sh
####
### Autor: hoschi@anukis.de
####

### Config
scriptversion="1.0"
freebsdversion="9.0"
sourcedir="/usb/FreeBSD_install"
destinationdir="/mnt/install"
installdir="/mnt"
prg_gpart="/sbin/gpart"

### Program (DONT TOUCH)
DONE="\033[80C\033[11D\033[1;34m -= OK =-\033[m"
i386pkg="base.txz doc.txz games.txz kernel.txz ports.txz src.txz"
amd64pkg="base.txz doc.txz games.txz kernel.txz lib32.txz ports.txz src.txz"
freebsdurl="http://ftp2.de.freebsd.org/pub/FreeBSD/releases"
usage="usage: $0 ad|da|ada[0123456789] i386|amd64

i386 or amd64 is optional

Example:
$0 ada0 
or
$0 da2 amd64 
"
clear
echo "starting installer version ${scriptversion} for FreeBSD ${freebsdversion}"
case "${1}" in
  ad[0-9]|da[0-9]|ada[0-9])
  echo " --> installing FreeBSD on ${1}"
  echo -n "  --> destroy all partitions on ${1}"
  ${prg_gpart} destroy -F ${1} >/dev/null 2>&1
  echo -e "${DONE}"
  echo -n "  --> create GPT on ${1}"
  ${prg_gpart} create -s gpt ${1} >/dev/null 2>&1
  echo -e "${DONE}"
  echo -n "  --> create boot partition on ${1}"
  ${prg_gpart} add -s 128k -t freebsd-boot -l boot -i 1 ${1} >/dev/null 2>&1
  echo -e "${DONE}"
  echo -n "   --> insert bootcode on ${1}"
  ${prg_gpart} bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ${1} >/dev/null 2>&1
  echo -e "${DONE}"
  echo -n "  --> create 2GB swap partition on ${1}"
  ${prg_gpart} add -s 2G -t freebsd-swap -i 2 ${1} >/dev/null 2>&1
  echo -e "${DONE}"
  echo -n "  --> create 1GB root partition on ${1}"
  ${prg_gpart} add -s 1G -t freebsd-ufs -l root -i 3 ${1} >/dev/null 2>&1
  echo -e "${DONE}"
  echo -n "  --> create 1GB tmp partition on ${1}"
  ${prg_gpart} add -s 1G -t freebsd-ufs -l tmp -i 4 ${1} >/dev/null 2>&1
  echo -e "${DONE}"
  echo -n "  --> create 2GB var partition on ${1}"
  ${prg_gpart} add -s 2G -t freebsd-ufs -l var -i 5 ${1} >/dev/null 2>&1
  echo -e "${DONE}"
  echo -n "  --> create usr partition on ${1}"
  ${prg_gpart} add -t freebsd-ufs -l usr -i 6 ${1} >/dev/null 2>&1
  echo -e "${DONE}"
  echo -n "  --> UFS format all partitions "
  for i in ${1}p3 ${1}p4 ${1}p5 ${1}p6; do
    if [ "${i}" = "${1}p3" ]; then
      newfs -O1 "/dev/${1}p3" >/dev/null 2>&1  
    else
      newfs -O2 -U "/dev/${i}" >/dev/null 2>&1  
    fi
  done
  echo -e "${DONE}"
  echo -n "  --> mount all partitions "
  if [ ! -d "${installdir}" ]; then
    mkdir "${installdir}"
  fi
  mount "/dev/${1}p3" "${installdir}" 
  mkdir "${destinationdir}"
  mkdir "${installdir}/tmp" "${installdir}/var" "${installdir}/usr"
  mount "/dev/${1}p4" "${installdir}/tmp" 
  mount "/dev/${1}p5" "${installdir}/var" 
  mount "/dev/${1}p6" "${installdir}/usr" 
  echo -e "${DONE}"
 
 
  ####
  ### Part2 Download and install Software
  ####


  if [ -z "${2}"]; then
    v="`uname -m`"
  else
    v="${2}"
  fi
  echo " --> install FreeBSD ${freebsdversion} ${v}"
  case "${v}" in
    i386)
      if [ -d "${sourcedir}/${freebsdversion}/${v}" ]; then
        echo  "  --> found local install files"
        for i in ${i386pkg}; do
          echo -n "  --> copy file ${i} to ${destinationdir}"
          cp "${sourcedir}/${freebsdversion}/${v}/${i}" "${destinationdir}"
          echo -e "${DONE}"
        done
      else
        echo "  --> download install files"
        for i in ${i386pkg}; do
          echo -n "   --> download file ${i} to ${destinationdir}"
          cd ${destinationdir}
          fetch "${freebsdurl}/${v}/${v}/${freebsdversion}-RELEASE/${i}" >/dev/null 2>&1
          echo -e "${DONE}"
        done
      fi
    ;;
    amd64)
      if [ -d "${sourcedir}/${freebsdversion}/${v}" ]; then
        echo "  --> found local install files"
        for i in ${amd64pkg}; do
          echo -n "  --> copy file ${i} to ${destinationdir}"
          cp "${sourcedir}/${freebsdversion}/${v}/${i}" "${destinationdir}"
          echo -e "${DONE}"
        done
      else
        echo "  --> download install files"
        for i in ${i386pkg}; do
          echo -n "   --> download file ${i} to ${destinationdir}"
          cd ${destinationdir}
          fetch "${freebsdurl}/${v}/${v}/${freebsdversion}-RELEASE/${i}" >/dev/null 2>&1
          echo -e "${DONE}"
        done
      fi
    ;;
  *)
    echo "${usage}"
    exit 0
  ;;
  esac
  cd "${installdir}" 
  for i in `ls -1 ${destinationdir}/*.txz`; do
    echo -n "   --> install file ${i} to ${installdir}"
    tar -xzpf "${i}"
    echo -e "${DONE}"
  done
  echo -n " --> create ${installdir}/etc/fstab"
  echo "/dev/${1}p2	none	swap	sw	0	0
/dev/${1}p3	/	ufs	rw	1	1
/dev/${1}p4	/tmp	ufs	rw	2	2
/dev/${1}p5	/var	ufs	rw	2	2
/dev/${1}p6	/usr	ufs	rw	2	2
" > "${installdir}/etc/fstab"
  echo -e "${DONE}"
  echo -n " --> create ${installdir}/etc/rc.conf"
  all_interfaces="`ifconfig | egrep "^[a-z][a-z]?[a-z]?[a-z][0-9]" | cut -f1 -d':'`"
  echo 'hostname="beastie.freebsd.local"' > "${installdir}/etc/rc.conf" 
  for i in ${all_interfaces}; do
    if [ "${i}" != "lo0" ] ; then
      echo "ifconfig_${i}=\"DHCP\"" >> "${installdir}/etc/rc.conf" 
    fi
  done
echo '
keymap="german.iso"
keyrate="fast"
font8x8="NO"
font8x14="NO"
font8x16="NO"
scrnmap="NO"
' >> "${installdir}/etc/rc.conf" 
  echo -e "${DONE}"
  echo -n " --> create ${installdir}/boot/loader.conf"
  echo 'loader_color="YES"
loader_logo="beastie"
' > "${installdir}/boot/loader.conf"
  echo -e "${DONE}"
  ;;
  *)
    echo "${usage}"
    exit 0
  ;;
esac

exit 0
```


----------



## fonz (Mar 27, 2012)

ryu said:
			
		

> I found an installer script for FreeBSD 9.0 and was wondering if it would be possible to implement the encryption part in this script?
> 
> I'm not asking for someone doing it, just wondering if it would be possible at all, for example with a preconfigured passphrase in the script.


Such a script won't be very flexible (e.g. in terms of partitioning layout), but at first glance I'm inclined to say that it should be possible. Also note that geli(8) can accept passwords stored in files (not to be confused with keyfiles), so the password entering should not be a problem in this case.

Fonz


----------



## jepace (Mar 27, 2012)

I'm having trouble trying to follow this recipe to create an encrypted root.  I'm using VirtualBox on Win 7, and booting the 9.0 Release DVD.  

During step 3, after I add ada0s1 and ada0s2, when I attempt 
[cmd=]gpart create -s bsd ada0s1[/cmd] 
I get 

```
gpart: geom 'ada0s1': File exists.
```

If I continue with the [cmd=]gpart add ...[/cmd] after this failure, I get 
	
	



```
gpart:size '0': Invalid argument
```

As far as I can tell I've typed exactly what is shown. Can someone please point me in the right direction?  Thanks!


----------



## bbzz (Mar 28, 2012)

You had ada0s1 from previous configuration. Try destroying both FreeBSD and MBR scheme with
`# gpart destroy -F ada0s1`
`# gpart destroy -F ada0s2`
`# gpart destroy -F ada0`


----------



## ryu (Jun 29, 2012)

I would like to use this guide again, but I need to know what I should change in it, so the system will work properly.

I found out that the problems I had were caused by this guide:

http://forums.freebsd.org/showthread.php?t=32738
http://forums.freebsd.org/showthread.php?t=32732
http://forums.freebsd.org/showthread.php?t=32727

I'm using the standard installation at the moment and don't have any of th*e*s*e* problems.


----------



## bbzz (Jun 29, 2012)

This guide works properly already. None of those issue you mentioned have anything to do with this guide.


----------



## ryu (Jun 29, 2012)

Don't get me wrong, I like your guide, I just have problems when I go this way. No problems when using bsdinstall though.



			
				DutchDaemon said:
			
		

> You should figure out what changed the permisions on /tmp, because the settings you had were really likely to break all kinds of stuff.





			
				kpa said:
			
		

> It looks like that the tutorial fails to mention that /tmp needs special permissions that have to be applied after the partition for /tmp is mounted, it's easy to forget that when you have a separate partition for /tmp, I've done that mistake myself couple of times.



http://forums.freebsd.org/showthread.php?t=32738

So what exactly do I need to change to avoid this problem? Or was it not caused by this guide?


----------



## kpa (Jun 29, 2012)

`# chmod 1777 /tmp` after mounting the separate partition for /tmp, needs to be done only once.


----------



## vibe (Sep 5, 2012)

*error 19*

I am getting an error (after reboot) with this quide using FreeBSD 9 as guest OS with KVM -> 
"mounting from ufs:/dev/label/eee.elia failed with error 19"

I did by the instructions and double checked for mistakes. Any ideas?


----------



## bbzz (Nov 6, 2012)

For those who have "mountfrom" error, check updated additional notes.


----------



## MasterOne (Dec 15, 2012)

While examining the procedure to perform an installation with full harddisk encryption, I stumbled over the interesting feature of geli to suspend and resume encrypted devices, which makes it ideal on a laptop/netbook when using suspend-to-RAM.

Unfortunately there seems to be catch with resume when using full harddisk encryption:





			
				geli manpage said:
			
		

> The caller must ensure that executing this subcommand won't try to access suspended device, which will lead to a deadlock.	For example suspending device, which contains file system where the geli utility is stored is bad idea.


Any idea if there is any way to overcome that issue?

Maybe full harddisc encryption is not the way to go after all? But what's the safest way to protect all your data AND use geli suspend/resume on a laptop/netboot then? I mean, which filesystems to put in separate partitions for encryption to have it all covered?

Another related issue:





			
				geli manpage said:
			
		

> The suspend subcommand does not work with devices created with the onetime subcommand.


So would it be a bad idea to use onetime encryption for the swap partition in matters of using suspend-to-RAM? Which approach for encrypting swap would be the most appropriate to use then?


----------



## bbzz (Dec 15, 2012)

MasterOne said:
			
		

> But what's the safest way to protect all your data AND use geli suspend/resume on a laptop/netboot then?


There isn't one. You either encrypt the whole disk; or you encrypt something like /home partition. Decide what's more important to you, full disk encryption or a suspend/resume. Suspend/resume doesn't even work in my case.



> Which approach for encrypting swap would be the most appropriate to use then?



The one in this guide. There is no onetime geli encryption for swap.


----------

