# Encryption support in installer?



## fonz (Nov 21, 2008)

Hi all,

Suppose you wish to have most (if not all) of your partitions encrypted, including the root partition. Can this be done during installation of FreeBSD or does it have to be set up afterward?

In the latter case, what would be the recommended procedure? According to the handbook, setting up disk encryption requires the creation of a new filesystem, thus destroying a partition's current contents, which I guess would lead to cumbersome backup-and-restore trickery.

Thanks in advance,

Fonz


----------



## oliverh (Nov 21, 2008)

Have a look, http://forums.freebsd.org/showthread.php?t=184


----------



## fonz (Nov 21, 2008)

oliverh said:

> Have a look, http://forums.freebsd.org/showthread.php?t=184



I think I'm getting some ideas now, thanks.

Fonz


----------



## graudeejs (Nov 21, 2008)

It's not supported by sysinstall...
However, you can install FreeBSD, compile a custom kernel and then, using dump and restore, make most of your drives/slices/partitions encrypted.

If you want to encrypt everything, you need to create a bootable USB pen drive (very easy):
use sysinstall to create a bootable partition (in sysinstall press w to write to disk), quit sysinstall.
Then create an image of the USB pen using dd.
mounting using dd

Then read this:
http://daemonforums.org/showthread.php?t=1538
Follow the instructions to install the system to the pen image....
(you only need to install base and kernel)

Rewrite the kernel with your custom kernel (generic ain't got geli)


umount the pen image and dd it to the USB pen drive
reboot (make sure your PC supports booting from a USB pen drive)

Do your thing....
I think I will write a guide for this.
It's pretty simple


----------
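The dump and restore route from the post above, for one non-root partition, as an added example that is not part of any poster's message. The function name `geli_migrate`, the device `/dev/ad0s1f` and the dump path are assumptions, and a kernel with GELI support (the custom kernel the post describes) is assumed; with `DRY_RUN=1`, the default, it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): move one UFS file system onto GELI.
# DRY_RUN=1 (the default) prints each command instead of running it.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# geli_migrate DEV MOUNTPOINT DUMPFILE
#   DEV        partition to encrypt, e.g. /dev/ad0s1f (placeholder name)
#   MOUNTPOINT where DEV is currently mounted, e.g. /usr
#   DUMPFILE   backup file on a *different* file system
geli_migrate() {
    [ $# -eq 3 ] || { echo "usage: geli_migrate DEV MOUNTPOINT DUMPFILE" >&2; return 2; }
    dev=$1 mnt=$2 backup=$3
    case $dev in
        *.eli)  echo "$dev is already a GELI provider" >&2; return 1 ;;
        /dev/*) ;;
        *)      echo "$dev is not a device node" >&2; return 1 ;;
    esac
    # Root cannot be unmounted from under itself; it needs separate boot media.
    [ "$mnt" != / ] || { echo "boot from other media to encrypt /" >&2; return 1; }
    # The dump must survive newfs, so it may not live on the target.
    case $backup in
        "$mnt"/*) echo "$backup is on the file system being wiped" >&2; return 1 ;;
    esac

    run dump -0Laf "$backup" "$mnt" &&    # level 0 dump taken from a snapshot
    run umount "$mnt" || return 1
    # Overwrite the old plaintext blocks; geli init only writes metadata.
    # dd stops at the end of the partition, so a non-zero exit is tolerated.
    run dd if=/dev/random of="$dev" bs=1m || true
    run geli init -s 4096 "$dev" &&       # prompts for the passphrase
    run geli attach "$dev" &&
    run newfs -U "${dev}.eli" &&
    run mount "${dev}.eli" "$mnt" &&
    ( run cd "$mnt" && run restore -rf "$backup" ) || return 1
    echo "# now point the $mnt line in /etc/fstab at ${dev}.eli"
    echo "# and destroy $backup: it is a plaintext copy of the data"
}
```

Review the printed plan first, then rerun with `DRY_RUN=0` from single-user mode so nothing holds the mount point open.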



## fonz (Nov 21, 2008)

killasmurf86 said:

> It's not supported by sysinstall...



Then again, a link in another thread about this subject pointed to a paper by Marc Schiesser. Apparently, sysinstall can be circumvented altogether:

- boot the live FS
- load the GELI/GBDE kernel module
- partition and format the disks
- extract the dist sets you need (manually, that is)
- perform additional configging
- done

I think I'm going to try both approaches on a test box to see which one I like better.

In fact, if I have enough spare time on my hands I might even have a go at writing a new installer that's capable of handling encryption. Sounds like a blast.

Anyway, thanks for your input. I'll try it out for sure.

Fonz


----------



## graudeejs (Nov 21, 2008)

fonz said:

> Then again, a link in another thread about this subject pointed to a paper by Marc Schiesser. Apparently, sysinstall can be circumvented altogether:
>
> - boot the live FS
> - load the GELI/GBDE kernel module
> - ...



The LiveFS CD uses the generic kernel. The generic kernel (at least on the CD) doesn't support geli.
I just tried, to make sure, using qemu.


----------



## fonz (Nov 21, 2008)

killasmurf86 said:

> The LiveFS CD uses the generic kernel. The generic kernel (at least on the CD) doesn't support geli.
> I just tried, to make sure, using qemu.



Ah, that's something to look into. Perhaps things were different when that particular paper was being written.

Fonz


----------



## graudeejs (Nov 21, 2008)

fonz said:

> Ah, that's something to look into. Perhaps things were different when that particular paper was being written.
>
> Fonz



You need to either build a custom CD or USB pen drive, or another HDD.


----------

