# geli full encrypted system



## erichiardone (Nov 1, 2009)

Here is a guide I made for myself to install a freebsd geli completely encrypted system. Tried with FreeBSD 7.0, 7.2, 8.0-RC1.
The USB pendrive reported here only contains keys, the /boot is on hard drive.

This howto require a computer (obviously), an usb pendrive (to store keys), and a freesbie licecd (needed for install).
At the end of this guide, you'll have a full-encrypted system with AES at 256 bit, swap with blowfish, key for root as passphrase and keys for other slices (/usr, /var...) splitted in keys in root and keys onto pendrive. So without pendrive you can't boot, either without passphrase; obviously you may change at your needs this configuration.

start computer with the cdrom; when you reach console, open it as root:
`#  su -`
and start sysinstall
`#  sysinstall`
In sysinstall choose "custom install".

Options -> modify "Media Type" to point to your nearest ftp server (if you 
are using dhcp, the network is already set up, if not in second console use ifconfig)
Also modify "Install Root" to "/mnt".

Partition -> allocate space for one bsd partition (retain the disk name, like 
'ad10'), quit and install boot manager

(note: my sata drive is called ad10 by the kernel (you will see it in the 
partitioning process) but the boot loader found it as disk1 (you read it at 
the booting process))

 Label -> create following slice scheme:

```
100MB / ad10s1a (ignore warning)
 400MB /boot ad10s1d
 1024MB swap ad10s1b
 5120MB /tmp ad10s1e
 5120MB /var ad10s1f
 remaining /usr ad10s1g
```

(the following step is necessary to fool sysinstall as he doesn't allow you 
to put in slice 'a' anything else than / )
Before continuing you have to change mount points names:
 / will be /boot, and /boot will be / 

The final scheme have to be like this:

```
100MB /boot ad10s1a
 400MB / ad10s1d
 1024MB swap ad10s1b
 5120MB /tmp ad10s1e
 5120MB /var ad10s1f
 remaining /usr ad10s1g
```
 
(note: set size of swap, /tmp, /var and /usr at your needs. You maybe want a
 separate /home. If you want one big / , set ad10s1d to be large for entire 
disk minus the swap space)

Finish editing slices if you are sure that /boot is on slice 'a'.

Distribution -> select smallest system possible:
- select Custom
- select base, kernels, man

And finally commit.
Once he have done, exit sysinstall and return to the console

Mount the newly created system in the live system:
`#  mount /dev/ad10s1d /mnt`

Place booting files in /mnt/mntboot/boot/ and create a link:

```
# cd /mnt/
# rmdir boot
# mkdir mntboot
# mount /dev/ad10s1a /mnt/mntboot
# cd mntboot
# mkdir tmp
# mv * tmp
# mv tmp boot
# cd /mnt/
# ln -s mntboot/boot boot
```

Make a backup of our minimal /tmp, /var and /usr:

```
# cd /mnt
# mount /dev/ad10s1e tmp
# mount /dev/ad10s1f var
# mount /dev/ad10s1g usr
# tar cf back.tar tmp var usr
# umount /mnt/tmp /mnt/var /mnt/usr
```

Plug in usb pendrive for storing key, it should appear as /dev/da0

```
# mkdir /mnt/etc/geli
# newfs_msdos -F32  /dev/da0
# mount_msdosfs /dev/da0 /mnt/mnt
```

Create key-files and initiate encrypted slices for /tmp, /var and /usr

```
# dd if=/dev/random of=/mnt/etc/geli/TAYGETA_tmp.key1 bs=64 count=1
# dd if=/dev/random of=/mnt/mnt/TAYGETA_tmp.key2 bs=64 count=1
# dd if=/dev/random of=/dev/ad10s1e bs=1m
# cat /mnt/etc/geli/TAYGETA_tmp.key1 /mnt/mnt/TAYGETA_tmp.key2 | \
   geli init -e AES -l 128 -s 4096 -P -K - /dev/ad10s1e
# cat /mnt/etc/geli/TAYGETA_tmp.key1 /mnt/mnt/TAYGETA_tmp.key2 | \
   geli attach -p -k - /dev/ad10s1e
# newfs -O2 -U /dev/ad10s1e.eli
# mount /dev/ad10s1e.eli /mnt/tmp

# dd if=/dev/random of=/mnt/etc/geli/TAYGETA_var.key1 bs=64 count=1
# dd if=/dev/random of=/mnt/mnt/TAYGETA_var.key2 bs=64 count=1
# dd if=/dev/random of=/dev/ad10s1f bs=1m
# cat /mnt/etc/geli/TAYGETA_var.key1 /mnt/mnt/TAYGETA_var.key2 | \
   geli init -e AES -l 128 -s 4096 -P -K - /dev/ad10s1f
# cat /mnt/etc/geli/TAYGETA_var.key1 /mnt/mnt/TAYGETA_var.key2 | \
   geli attach -p -k - /dev/ad10s1f
# newfs -O2 -U /dev/ad10s1f.eli
# mount /dev/ad10s1f.eli /mnt/var

# dd if=/dev/random of=/mnt/etc/geli/TAYGETA_usr.key1 bs=64 count=1
# dd if=/dev/random of=/mnt/mnt/TAYGETA_usr.key2 bs=64 count=1
# dd if=/dev/random of=/dev/ad10s1g bs=1m
# cat /mnt/etc/geli/TAYGETA_usr.key1 /mnt/mnt/TAYGETA_usr.key2 | \
   geli init -e AES -l 128 -s 4096 -P -K - /dev/ad10s1g
# cat /mnt/etc/geli/TAYGETA_usr.key1 /mnt/mnt/TAYGETA_usr.key2 | \
   geli attach -p -k - /dev/ad10s1g
# newfs -O2 -U /dev/ad10s1g.eli
# mount /dev/ad10s1g.eli /mnt/usr
```

Randomize swap slice:
`#  dd if=/dev/random of=/dev/ad10s1b bs=1m`

Edit file for correct booting process:

```
# ee /mnt/boot/loader.conf

currdev="disk1s1a" # current slice containing /boot
rootdev="disk1s1d" # slice containing / in a way that loader understand
vfs.root.mountfrom="ufs:ad10s1d.eli" # slice containing / in a way that 
kernel understand
geom_eli_load="YES"
```

Populate directories:

```
# cd /mnt
# tar xf back.tar
# rm back.tar 
# umount /mnt/tmp /mnt/var /mnt/usr /mnt/mnt /mnt/mntboot
```


Make a backup of the root

```
# cd /mnt
# mount /dev/ad10s1e.eli /mnt2
# tar cf /mnt2/back.tar *
```

And encrypt it. Don't forget the passphrase you will be asked for!

```
# cd /
# umount /mnt
# geli init -e AES -l 128 -s 4096 -b /dev/ad10s1d
# geli attach /dev/ad10s1d 
# newfs -O2 -U /dev/ad10s1d.eli
# mount /dev/ad10s1d.eli /mnt
# cd /mnt
# tar xf /mnt2/back.tar
# rm /mnt2/back.tar
# umount /mnt2
```

Finally edit important files to correctly load system:

```
# ee /mnt/etc/fstab
/dev/ad10s1a	/mntboot	ufs	ro	1	1
/dev/ad10s1b.eli	none	swap	sw	0	0
/dev/ad10s1d.eli	/	ufs	rw	1	1
/dev/acd0	/cdrom	cd9660	ro,noauto	0	0
/dev/ad10s1e.eli    /tmp   ufs rw  1   1
/dev/ad10s1f.eli    /var  ufs rw  1   1
/dev/ad10s1g.eli    /usr   ufs rw  1   1
```

Edit /mnt/etc/rc.conf

```
# ee /mnt/etc/rc.conf
[add the following line]
geli_swap_flags="-e Blowfish -l 256 -d"
```

Manually change /etc/rc.d/geli (change "da0" with your pendrive partition)

```
# ee /mnt/etc/rc.d/geli

[in "geli_start()" add before "for provider in ${devices}"]

       while(true); do
                /sbin/mount_msdosfs /dev/da0 /mnt > /dev/null
                if [ $? -eq 0 ]; then
                        break;
                fi
                echo "Pendrive missing!"
                sleep 3;
        done
        echo "Pendrive found, initializing slices."

        /bin/cat /etc/geli/TAYGETA_tmp.key1 /mnt/TAYGETA_tmp.key2 | \
                /sbin/geli attach -p -k - /dev/ad10s1e
        /bin/cat /etc/geli/TAYGETA_var.key1 /mnt/TAYGETA_var.key2 | \
                /sbin/geli attach -p -k - /dev/ad10s1f
        /bin/cat /etc/geli/TAYGETA_usr.key1 /mnt/TAYGETA_usr.key2 | \
                /sbin/geli attach -p -k - /dev/ad10s1g

        /sbin/umount /dev/da0 /mnt

[and comment out the rest of geli_start() function]
```


```
# umount /mnt
# exit
```


Reboot computer and remove freebsd cdrom.


----------



## graudeejs (Nov 1, 2009)

How about using code tags.....


----------



## DutchDaemon (Nov 1, 2009)

I appreciate the HowTo, but please do your own formatting next time ..


----------



## erichiardone (Nov 1, 2009)

Sorry all, thank you DutchDaemon.


----------



## honk (Nov 1, 2009)

This four year old tutorial on complete hard disk encryption with FreeBSD is still my favourite:
http://events.ccc.de/congress/2005/fahrplan/attachments/586-paper_Complete_Hard_Disk_Encryption.pdf

You also find videos and other stuff about this topic already in the net.


----------



## eticaret (Dec 25, 2009)

May i suggest another way to create encrypted root system?

Install a regular FreeBSD into ie; 8 GB usb ram and then create encrypted FreeBSD partitions under main disk using geli. Get dump of /usr /var /tmp / and restore them under geli partitions. Adjust fstab etc. and boot encrypted root using usb ram.


----------



## FBSDin20Steps (Dec 25, 2009)

@erichiardone

I think you did a great job!


----------

