# HOWTO : full disk encryption, fast way



## Zare (Nov 5, 2010)

...using sysinstall, and no swap, but you can configure that later on your own. Target disk is ad0, and we'll use complete drive for FreeBSD install.

*Installation*

Boot FreeBSD install from your favourite medium. Allocate whole disk for FreeBSD slice. Inside that slice, allocate 400MB UFS partition with root mount point (/). Allocate the rest of the slice as /mnt mount point. Proceed with installation, install only base system and kernel, and don't configure anything except root password. Boot and login as root into your new install

*Preparation of GELI device*

Right now, the future-to-be root filesystem is unencrypted, empty UFS filesystem. It wasn't necessary to create the filesystem itself, but it's the fastest way so you don't need to label stuff manually outside first installation step. Unmount it;


```
#umount /mnt
```

For the sake of example, small root filesystem is ad0s1a, and empty future root is ad0s1d.
Create the GELI keyfile;


```
#dd if=/dev/random of=/boot/key bs=64 count=1
```

Now we initialize GELI encrypted partition with that key, using default encryption algorithm;


```
#geli init -b -s 4096 -K /boot/key /dev/ad0s1d
```

Type your passpharse twice.
Let's attach the partition to the system;


```
#geli attach -k /boot/key /dev/ad0s1d
```

Type your passpharse. GELI will create the /dev/ad0s1d.eli block device, which you can access now.
Let's create the filesystem.


```
#newfs /dev/ad0s1d.eli
```

So now, we have a UFS filesystem contained inside GELI encrypted partition. This partition will be our encrypted root. 

*Installation of root filesystem*

We'll just copy all relevant files from small root to new root partition. The small root will become the "boot" partition, containing only kernel, and GELI keyfile for root mounting. Let's first mount the new root somewhere;


```
#mount /dev/ad0s1d.eli /mnt
```

Now we copy the files, 


```
#cp -p * /mnt
#cp -Rvp .snap /mnt
#cp -Rvp bin /mnt
#cp -Rvp dev /mnt
.
.
.
```

Repeat the recursive directory copy for every subdirectory of root, except boot directory and the mnt directory. Since we'll mount this directory as root directory on next boot, we'll lose access to the original root filesystem which contains the kernel. We'll do a trick around that;


```
#cd /mnt
#mkdir mnt
#mkdir mnt/boot
#mount /dev/ad0s1a mnt/boot
```

Edit /mnt/etc/fstab to reflect new configuration; 


```
# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/ad0s1d.eli         /               ufs     rw              1       1
/dev/ad0s1a             /mnt/boot       ufs     rw              2       2
```

...and symlink the mounpoint to /boot, so we have the original entry.


```
#ln -s /mnt/boot/boot /mnt/boot
```

*Enable GELI root mounting*

What's left is to tell kernel that it needs to load GELI, and tell GELI about the encrypted partition and keyfile, so it can ask you for passpharse and create /dev access node, and again tell kernel to mount root from that block device. So we edit the /boot/loader.conf, to contain this;


```
geom_eli_load="YES"
geli_ad0s1d_keyfile0_load="YES"
geli_ad0s1d_keyfile0_type="ad0s1d:geli_keyfile0"
geli_ad0s1d_keyfile0_name="/boot/key"
vfs.root.mountfrom="ufs:ad0s1d.eli"
```

And it's done. Reboot, you'll be asked for a passpharse, and you'll land in encrypted root filesystem.
Afterwards, you can access the original small root partition at /mnt/boot, and wipe everything except the boot (/mnt/boot/boot) subdirectory.


----------



## gryzor (Jan 17, 2011)

*A couple of comments*

TY for this guide, works great overall.
I have a few fixes to add though, with 8.1 (on a AMD64 system, if this matters).
* an initial / of 400Mb was not sufficient for me. 500M was fine (this is probably because amd64 binaries are bigger than 32?)
* warning to non-US keyboard users : DO NOT set a passphrase with accents or special characters that the US keyboard cannot address. The keymap is loaded AFTER you have to enter your passphrase at boottime.
* The "/mnt/mnt/boot/boot" symlink seems to be wrong. "/mnt/boot/boot" was better for me


----------



## Zare (Mar 14, 2011)

Thx gryzor, fixed that symlink. Better late than never 
Btw, does your nickname have anything to do with old game named Contra?


----------



## Crivens (Mar 15, 2011)

You can compile a keymap into the kernel when you do not want the US map. Then it works great. But that adds another step in the process which would be to build a kernel. One can do that on another machine and set up the disk with f.e. an USB adapter.


----------



## grigorovl (Dec 18, 2011)

Great guide, I was able to get it working in 9.0-RC3 AMD64 with some tweaks. Here are some notes regarding things that didn't work out for me / I had to change:

* I couldn't get a bootable partition unless I added the 64KB type "freebsd-boot" in the new 9.0 installer. So I end up with 64KB boot, 1GB temp small root and REST to geli root.
* I had to use 1GB for small root, or it ran out of space during install (only base and kernel).
* This didn't work as the partition was in use, so I just skipped. After reboot /etc/fstab picked it up just fine.
	
	



```
#mount /dev/ad0s1a mnt/boot
```
* After reboot, I was unable to remove some directories from the small root. They had files inside which couldn't be removed, even in Single User Mode. Error is "Operation not permitted." I just left those folders and files be, after all, small root in only used for boot.


----------



## ryu (Mar 11, 2012)

grigorovl said:
			
		

> * I couldn't get a bootable partition unless I added the 64KB type "freebsd-boot" in the new 9.0 installer. So I end up with 64KB boot, 1GB temp small root and REST to geli root.
> * I had to use 1GB for small root, or it ran out of space during install (only base and kernel).
> * This didn't work as the partition was in use, so I just skipped. After reboot /etc/fstab picked it up just fine.
> 
> ...



I have the same problem. 
	
	



```
#mount /dev/ad0s1a mnt/boot
```

There is always this error:

```
Device is busy
```

I guess this tutorial doesn't work for FreeBSD 9.0-RELEASE.


----------



## bbzz (Mar 11, 2012)

There is better tutorial here which doesn't require whole root partition to be unencrypted.
http://forums.freebsd.org/showthread.php?t=29652


----------

