# Disk Partition Strategy and Encryption



## spython01 (Jan 8, 2016)

I've been playing around with FreeBSD for a few weeks now in a virtual machine and have decided to take the plunge and properly install it on my laptop -- not because I'm confident in my abilities (I'm not!) but because I've been really impressed with the help the community here has provided.  I'm still a relative newbie to the world of *nix systems so I have a few questions:

1.  While FreeBSD will be my main OS, I'd like to reserve approximately 100GB or so for another OS.  This laptop (20GB memory, 512GB SSD) will be my main work/personal machine.  Are there any advantages for me to use a Traditional Split File System vs just having everything on the same partition?  I was intending to do the latter.

2.  If I do keep everything on the same partition, do I lose the ability to encrypt my drive?  I was thinking of using the "Root-on-ZFS" partitioning option but the Handbook says that this "partitioning mode only works with whole disks and will erase the contents of the entire disk."  Does this mean that I can't reserve some of my hard drive AND also have disk encryption enabled?  (I came across this tutorial but wasn't sure if it still applies to 10.2.)

I'm sure I'll have other questions (such as how to get my wifi up and running), but those will come later.

Thanks


----------



## chrbr (Jan 8, 2016)

Regarding usage of SSDs read http://www.wonkity.com/~wblock/docs/html/ssd.html. I have followed the guide and everything just worked as described.

About the partitioning it is a good idea to have the system and the home separated. This makes backing up easier. If you mess up the system the data is still fine. I have not used separate partitions for /root, /var and so on. There are for sure setups where this makes sense.

When I started with FreeBSD I already had GRUB as a boot manager. This allowed me to have my original system and two installations of FreeBSD. The availability of two installations gave me some safe feeling. If I had messed something up I would have had a backup system. I used that backup partition also to verify that my backups have been usable. As far as I remember I have never re-installed FreeBSD.

Now I have an SSD of 128GB with 50GB for my system and 12GB for my home partition. Just these days I have used a spare partition of 50GB for the ports system. This allows me simple separate back up of the system, the ports partition and the home data. For the beginning it is a good idea to have a partition for data exchange with your original system. It might not be able to write to UFS or ZFS. And it can hold some tar archive of the configurations in /etc/ and /usr/local/etc, just in case.

I am not sure about root on ZFS. I have one system with ECC RAM and a 2GHz CPU someone did not need anymore. Installation of root on ZFS worked without any issue. I have only installed two packages. Therefore I have no idea about possible problems. For ZFS ECC RAM is strongly recommended. It might be safe to dig deeper. I am not sure about the probability of issues if the system does not support ECC RAM. I am happy with UFS.

Regarding encryption see https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html. The geli framework works on partitions. If you can use ZFS please wait for answers from other users.


----------



## spython01 (Jan 8, 2016)

Thanks for the quick reply, chrbr, though I think my head is spinning even more now!



chrbr said:


> Regarding usage of SSDs read http://www.wonkity.com/~wblock/docs/html/ssd.html. I have followed the guide and everything just worked as described.


I did come across this web site in doing my research, but what wasn't clear to me is when do you execute these commands?  Do you drop into the shell when you get to this point in the installation?








> When I started with FreeBSD I already had GRUB as a boot manager. This allowed me to have my original system and two installations of FreeBSD. The availability of two installations gave me some safe feeling. If I had messed something up I would have had a backup system. I used that backup partition also to verify that my backups have been usable. As far as I remember I have never re-installed FreeBSD.



The laptop that I'd like to install FreeBSD on currently has Windows 10.  Can I install just the GRUB boot loader over that and have it wipe out any existing partitions?  If so, will the FreeBSD installer recognize that?



> I am not sure about root on ZFS. I have one system with ECC RAM and a 2GHz CPU someone did not need anymore. Installation of root on ZFS worked without any issue. I have only installed two packages. Therefore I have no idea about possible problems. For ZFS ECC RAM is strongly recommended. It might be safe to dig deeper. I am not sure about the probability of issues if the system does not support ECC RAM . I am happy with UFS.



I personally don't know enough about the differences between ZFS and whatever the default file system is.  Everything I hear that Allan Jude fellow talk about ZFS on BSD Now just goes over my head!  I just referenced the Root on ZFS option as it looked to be an easy way to enable disk encryption.  However, when I tried it out installing it that way on a VirtualBox VM on my current Linux machine, I couldn't get the encryption to work -- the VM just kept rebooting itself after progressing through the startup routine after I pressed "1" to enter multi user mode.  I never got to the login prompt.  Maybe ZFS and VirtualBox just don't play nicely together.



> Regarding encryption see https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html. The geli framework works on partitions. If you can use ZFS please wait for answers from other users.



I'll take a closer look at this -- maybe try following the instructions there in another VM to make sure I understand it before doing it for real.  Thanks again!


----------



## chrbr (Jan 8, 2016)

spython01 said:


> I did come across this web site in doing my research, but what wasn't clear to me is when to you execute these commands? Do you drop into the shell when you get to this point in the installation?


This point is quite a time ago. The option "S" should open a shell. Then it should be possible to run the commands described in the guide.


spython01 said:


> The laptop that I'd like to install FreeBSD on currently has Windows 10. Can I install just the GRUB boot loader over that and have it wipe out any existing partitions? If so, will the FreeBSD installer recognize that?


I have no idea about Windows 10 and the options for running multi-boot from that. I migrated from Linux at the time when GRUB2 was the default boot manager. At that time I used the GRUB2 installation on Linux to boot FreeBSD. Today there are

```
$ psearch grub2
sysutils/grub2  Multiboot boot loader
sysutils/grub2-bhyve  Grub-emu loader for bhyve
sysutils/grub2-efi  Multiboot EFI boot loader
sysutils/grub2-pcbsd  Multiboot boot loader
```
which run on FreeBSD but GRUB2 is quite a monster. And then you should be sure that FreeBSD will already work fine. There are some other boot managers discussed in the forum. I suggest you dig there.

Before modifying the SSD on your current laptop, is there an option to use a desktop PC or an outdated laptop for the first tests? I would not worry about the stability of FreeBSD. I think the difficulties are related to multi-boot and the partitioning. In the worst case your Windows 10 installation would be broken. Before any modification of the current laptop's installation it would be good to be 100% sure that recovery works. If something goes seriously wrong you might need at least one working system to search for work-arounds or so.

In my opinion nothing beats a PC where you can activate different hard disks or simply insert different hard drives.

Please do not be discouraged by my post! There are just many things to consider.


----------



## spython01 (Jan 8, 2016)

My intent is to blow away Windows 10.  Up until a few weeks ago, I was just going to install Ubuntu on it and call it a day but I've become enamoured with FreeBSD over the past few weeks to give it a go.  Therefore, I'm not concerned if anything happens with Windows.  Worst case, I throw Ubuntu on it and am no worse off than I am now.

Since I last posted, I am trying out the steps outlined here but have run into an issue.  I ran these commands at the shell:

```
# gpart create -s gpt ada0
# gpart add -t freebsd-boot -s 512k -a4k -l ssdboot ada0
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i1 ada0
# gpart add -t freebsd-ufs -l ssdrootfs -b 1m -s 2g ada0
# gpart add -t freebsd-ufs -l ssdvarfs -a 1m -s 2g ada0
# gpart add -t freebsd-ufs -l ssdusrfs -a 1m -s 100g ada0
# newfs -U -t /dev/gpt/ssdrootfs
# newfs -U -t /dev/gpt/ssdvarfs
# newfs -U -t /dev/gpt/ssdusrfs
```
How do I update /etc/fstab?  I tried both `sudo vi /etc/fstab` as well as:

```
# su
root@test:/ # vi /etc/fstab
```
but the file is read only.  If I can get this to work, I'll try encrypting the /usr partition based on your earlier responses and then look into GRUB.

Thanks


----------



## wblock@ (Jan 8, 2016)

It will not help to edit the /etc/fstab on the installer disk, which is what that is attempting to do.  After you create all the partitions and filesystems, they must be mounted at the place the installer expects them.  See bsdinstall(8).


----------



## chrbr (Jan 8, 2016)

Your method to update /etc/fstab should be fine. What about permissions? Please see the result of my system.

```
# ls -l /etc/fstab
-rw-r--r--  1 root  wheel  309  8 Jan 08:09 /etc/fstab
```
Check also after typing `su` who you are by `whoami`. Do this also for `sudo -i`. The result should be root. I have no idea if this can go wrong, but I am not sure. Check also if the root file system is mounted with write permissions. I have mounted one partition read only for reference.

```
# mount
/dev/gpt/ssd_root on / (ufs, local, noatime, soft-updates)
devfs on /dev (devfs, local, multilabel)
/dev/gpt/ssd_data on /usr/home (ufs, local, noatime, soft-updates)
/dev/gpt/ssd_ports on /usr/local/poudriere (ufs, local, noatime, soft-updates)
tmpfs on /tmp (tmpfs, local)
/dev/gpt/gpt_root on /mnt (ufs, local, read-only)
```
EDIT: Of course wblock@ has pointed out a more likely issue. Please check this first.

If you want to delete Windows 10 there should be no urgent need for GRUB. This makes things much easier. A fall back solution could be to use PCBSD and its GRUB. If you foresee an additional section for FreeBSD you can start with PCBSD and then migrate to FreeBSD. I have never tested PCBSD, but if its GRUB is similar to the Linux GRUB (what it should be in terms of features) it should work.


----------



## spython01 (Jan 9, 2016)

wblock@ said:


> It will not help to edit the /etc/fstab on the installer disk, which is what that is attempting to do.  After you create all the partitions and filesystems, they must be mounted at the place the installer expects them.  See bsdinstall(8).


Hi wblock@ .  Thanks for chiming in.  I guess I'm confused a bit as to when and where I should follow your instructions.  I ran the `gpart` and `newfs` commands while I was in the middle of the installation by entering the shell when I got to the point in the installation highlighted by the screenshot in this post.  Admittedly, I did not run any of the commands listed in the "Restoring Data" section of your instructions and went directly to trying to configure the fstab file.  Because I couldn't edit it, I typed `exit` to see if I could resume the installation but then it failed and aborted.

Was I supposed to mount the file systems and partitions after the installer finished?

On a more basic level, what would happen if I just did a plain vanilla installation on to an SSD drive without following any of those directions?  Would the OS still work?

Thanks!


----------



## wblock@ (Jan 9, 2016)

From bsdinstall(8):

```
BSDINSTALL_CHROOT      The directory into which the distribution files
                       should be unpacked and the directory at which the
                       root file system of the new system should be
                       mounted.  Default: /mnt
```

So yes, that must be mounted.  If mounted at /mnt, the variable does not need to be set.  Since you have chosen to use split filesystems, they all must be mounted:

```
# mount /dev/gpt/ssdrootfs /mnt
# mount /dev/gpt/ssdvarfs /mnt/var
# mount /dev/gpt/ssdusrfs /mnt/usr
```
Then, in theory, bsdinstall(8) should continue and use those partitions and filesystems.  It should also write the fstab to that filesystem.



spython01 said:


> On a more basic level, what would happen if I just did a plain vanilla installation on to an SSD drive without following any of those directions? Would the OS still work?


Sure.  The question is whether it would be aligned correctly.  There has been some work done on bsdinstall(8), but I confess that I almost never use it and do not know the current state of it.


----------



## atomicbeef (Jan 9, 2016)

Hey spython01,

Just a few days ago I set up full disk encryption on my laptop. I followed this BSD Now tutorial and Thread HOWTO: Quick GELI encryption guide.29652. I had issues with UEFI on my laptop (Thinkpad X1 Carbon) so I had to use MBR and I recommend that you do the same, unless you absolutely have to use GPT.

If you want to dual boot another OS, I have found that FreeBSD's `boot0` has worked perfectly to dual boot Windows 10 and FreeBSD on my desktop.


----------



## spython01 (Jan 10, 2016)

Hi Everyone -- I'm back with a quick update.  I'm trying to reconcile the directions to install FreeBSD 10.2 from here, here and here.  For now, I'm just attempting to do the installation on a VirtualBox VM to see how far I get using UFS and GPT.  I follow the normal installation prompts until I get to this screen at which I select <Shell> and then enter the commands below.  I'll restart the machine and then select the first option (Boot Multi User).  A bunch of messages fly by ending with:


```
Loader variables:

Manual root filesystem specification:
  <fstype>:<device> [options]
      Mount <device> using filesystem <fstype>
      and with the specified (optional) option list.

   eg. ufs:/dev/da0s1a
        zfs:tank
        cd9660:/dev/acd0 ro
<snip>.....</snip>
```

At the `mountroot>` prompt, I type `ufs:/dev/ada0p3.eli` after which I get:

```
Trying to mount root from ufs:/dev/ada0p3.eli []...
mountroot: waiting for device /dev/ada0p3.eli ...
Mounting from ufs:/dev/ada0p3.eli failed with error 19.
```
I looked up the error 19 code on various fora but the common symptoms and solutions require booting from a CD rather than a USB device (which is rather worrisome as I intend to install FreeBSD on a laptop that does not have an optical drive).

Any ideas on what I should try?  Should I just give it a go on the real laptop and see what happens?

Here are the details of what I did:


```
# sysctl kern.disks
kern.disks: cd0 ada0
```

Write the partition table:

```
# gpart create -s gpt ada0
ada0 created
```

Create the boot record partition:

```
# gpart add -t freebsd-boot -s 512k -a 4k ada0
ada0p1 added
```

Create unencrypted /boot partition (from which kernel is loaded):

```
# gpart add -t freebsd-ufs -l bootfs -s 1g -a 1m ada0
ada0p2 added
```

Using remaining space to create large encrypted partition for the rest of the OS and files:

```
# gpart add -t freebsd-ufs -l encrypted -a 1m ada0
ada0p3 added
```

Install the bootcode:

```
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i1 ada0
bootcode written to ada0
```

Init geli

```
# geli init -b -s4096 -l256 ada0p3
Enter new passphrase:
Reenter new passphrase:

Metadata backup can be found in /var/backups/ada0p3.eli and can be restored with the following command:
   # geli restore /var/backups/ada0p3.eli ada0p3
```

Attach geli

```
# geli attach ada0p3
Enter passphrase:
GEOM_ELI: Device ada0p3.eli created.
GEOM_ELI: Encryption: AES-XTS 256
GEOM_ELI:  Crypto: software
```

Format the partitions:

```
# newfs -U /dev/ada0p1
/dev/ada0p1: 0.5MB.....
# newfs -U /dev/ada0p2
/dev/ada0p2: 1024.0MB......
# newfs -U /dev/ada0p3.eli
/dev/ada0p3.eli: 7166.0MB....
```

Mount the new partitions and do a workaround for the unencrypted boot:

```
# mount /dev/ada0p3.eli /mnt
# mkdir /mnt/unenc
# mount /dev/ada0p2 /mnt/unenc
# mkdir /mnt/unenc/boot
# ln -s unenc/boot /mnt/boot
```

Create the corresponding fstab

```
# vi /tmp/bsdinstall_etc/fstab
/dev/ada0p2 /unenc ufs rw,noatime 1 1
/dev/ada0p3.eli / ufs rw,noatime 2 2
```

Automatically load the kernel modules required for booting from an encrypted volume


```
# vi /mnt/unenc/boot/loader.conf
geom_eli_load="YES"
vfs.root.mountfrom="ufs:/dev/ada0p3.eli"
```

Resume the rest of the installation

```
exit
```


----------



## atomicbeef (Jan 10, 2016)

One problem I noticed with how you created loader.conf is that you created /mnt/unenc/boot/loader.conf instead of /tmp/bsdinstall_boot/loader.conf. In FreeBSD versions less than 10.0, directly editing loader.conf would work, however in newer versions of FreeBSD, directly editing loader.conf would have no effect since the file would be overwritten, causing your installation to fail to boot.

Another thing that you should do is enable TRIM on the filesystems by adding the `-t` flag to newfs(8).
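Pulling the two corrections in this thread together (wblock@'s point that the new filesystems must be mounted under /mnt before the installer resumes, and atomicbeef's point that loader.conf has to go into /tmp/bsdinstall_boot or bsdinstall overwrites it), here is the whole unencrypted-/boot plus geli-encrypted-root procedure as one script. It is an added example for this page, not code posted in the thread or shipped with FreeBSD. It assumes the target disk is ada0, a 10.x bsdinstall with /mnt as BSDINSTALL_CHROOT, and the staging files /tmp/bsdinstall_etc/fstab and /tmp/bsdinstall_boot/loader.conf. Compared with the transcript above it skips newfs on the freebsd-boot partition (that partition holds raw gptboot code, not a filesystem), gives the root filesystem fsck pass 1 and /unenc pass 2 rather than the other way round, passes `-t` to newfs for TRIM, and keeps a copy of the geli metadata backup, which `geli init` writes to the installer medium's /var and not to the new system. The "error 19" at the mountroot prompt is ENODEV: `/dev/ada0p3.eli` never appeared because `geom_eli` was not loaded, which is exactly what a discarded loader.conf produces.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD itself: one script
# for the "unencrypted /boot + geli-encrypted UFS root" layout discussed
# above, meant to be run from the bsdinstall partitioning <Shell> on 10.x.
# Assumptions: the target disk is ada0 (DISK), BSDINSTALL_CHROOT is /mnt,
# and the installer picks up /tmp/bsdinstall_etc/fstab and
# /tmp/bsdinstall_boot/loader.conf.  With DRY_RUN set, every destructive
# command is printed instead of executed.
set -eu

DISK=${DISK:-ada0}
DRY_RUN=${DRY_RUN:-}
CHROOT=${CHROOT:-/mnt}
ETC_DIR=${ETC_DIR:-/tmp/bsdinstall_etc}
BOOT_DIR=${BOOT_DIR:-/tmp/bsdinstall_boot}

run() {                     # execute, or print in dry-run mode
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

emit_file() {               # emit_file PATH, content on stdin
    if [ -n "$DRY_RUN" ]; then printf -- '--- %s\n' "$1"; cat
    else mkdir -p "$(dirname "$1")"; cat >"$1"; fi
}

partition_disk() {          # GPT: p1 bootcode, p2 plain /boot, p3 geli
    disk=$1
    run gpart create -s gpt "$disk"
    run gpart add -t freebsd-boot -s 512k -a 4k -l ssdboot   "$disk"
    run gpart add -t freebsd-ufs  -s 1g   -a 1m -l bootfs    "$disk"
    run gpart add -t freebsd-ufs         -a 1m -l encrypted "$disk"
    # p1 holds raw gptboot code: it is written with bootcode, never newfs'd
    run gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 "$disk"
}

make_filesystems() {
    disk=$1
    # -b sets the BOOT flag so the kernel asks for the passphrase at boot
    run geli init -b -s 4096 -l 256 "${disk}p3"
    run geli attach "${disk}p3"
    # -t enables TRIM on the SSD; only the two real filesystems get newfs
    run newfs -U -t "/dev/${disk}p2"
    run newfs -U -t "/dev/${disk}p3.eli"
}

mount_for_installer() {     # the layout bsdinstall expects under $CHROOT
    disk=$1
    run mount "/dev/${disk}p3.eli" "$CHROOT"
    run mkdir -p "$CHROOT/unenc"
    run mount "/dev/${disk}p2" "$CHROOT/unenc"
    run mkdir -p "$CHROOT/unenc/boot"
    # /boot on the encrypted root points into the plain partition, so the
    # loader, kernel and geom_eli.ko end up where gptboot can read them
    run ln -s unenc/boot "$CHROOT/boot"
    # geli init left its metadata backup on the installer medium, not on
    # the new disk; keep a copy (passphrase-wrapped, not secret) beside /boot
    run cp "/var/backups/${disk}p3.eli" "$CHROOT/unenc/"
}

fstab_content() {           # root is fsck pass 1, everything else pass 2
    disk=$1
    printf '/dev/%sp3.eli\t/\tufs\trw,noatime\t1\t1\n' "$disk"
    printf '/dev/%sp2\t/unenc\tufs\trw,noatime\t2\t2\n' "$disk"
}

loader_conf_content() {     # the loader runs from p2, which has no
    disk=$1                 # /etc/fstab, so it must be told where root is
    printf 'geom_eli_load="YES"\n'
    printf 'vfs.root.mountfrom="ufs:/dev/%sp3.eli"\n' "$disk"
}

encrypted_install() {
    disk=$1
    partition_disk "$disk"
    make_filesystems "$disk"
    mount_for_installer "$disk"
    # these go to the staging files, not to $CHROOT/etc or $CHROOT/boot,
    # because bsdinstall regenerates those after extracting the sets
    fstab_content "$disk"       | emit_file "$ETC_DIR/fstab"
    loader_conf_content "$disk" | emit_file "$BOOT_DIR/loader.conf"
}

# Only act when asked to: `DRY_RUN=1 sh geli-install.sh` prints the plan,
# `sh geli-install.sh --apply` destroys $DISK and sets it up for real.
if [ "${1:-}" = "--apply" ] || [ -n "$DRY_RUN" ]; then
    encrypted_install "$DISK"
fi
```

Read the dry-run output first; the `--apply` form wipes the disk. After `exit` from the shell bsdinstall extracts the sets into /mnt, writes the staged fstab and loader.conf, and the first boot should prompt for the geli passphrase before mounting root.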


----------



## spython01 (Jan 24, 2016)

Hi Everyone!  Sorry for the protracted delay in getting back to this thread.  I finally got my act together and was able to install the base 10.2-Release version on my Thinkpad T450s.  Ultimately, I got lazy and just went with the ZFS-on-Root option, using the Geli whole disk encryption.  I was able to log in but now the only issue is sorting out the wireless.  Unfortunately, FreeBSD does not appear to recognize my Intel Wireless 7265 card (which, after some searching, may require the iwm(4) driver) but I think I'll open another thread to address that.

I do want to especially thank chrbr, wblock@, atomicbeef, and bbzz for their help and tutorials in getting me this far!

Edited to add:  If all else fails, I may just resort to installing PCBSD as a Plan B but would like to try the more "native" approach first if possible.


----------

