# Very odd Installation question



## KingDotNet (Jun 13, 2022)

Wow, so this is what it's like to cross over, so retro, anyway I'd like to know the limitations for ZFS if someone wouldn't mind, catch is I'm from Arch, but nobody seems to have an f'n clue on how to properly use ZFS, if I close my eyes I'd think they were explaining BTRFS, so I figured I'd come ask where ZedFS all started, so my main question about limitations, is there a way to Full Disk Encrypt an entire disk, and have every single data pool under that umbrella? Rather than simply picking and choosing what gets encrypted? Someone over there said something about ESP being the big issue with compatibility or something, which in my case wouldn't be an issue as my setup is true FDE, no EFI/ESP/Boot Partition on the disk, it's on a removable flash drive. Anyone willing to help? Also I'm not asking about another OS, I'm asking about a FreeBSD program, don't need no technical advice just how a FreeBSD user would best implement it.


----------



## jbo (Jun 13, 2022)

Hello & Welcome to this FreeBSD community!

For full-disk-encryption, you'd typically be using geli(8).

On the topic of encrypted ZFS dataset vs GELI, you might also find this thread to be helpful: https://forums.freebsd.org/threads/geli-vs-zfs-encrypted-dataset.84721


----------



## zirias@ (Jun 13, 2022)

If by "Full Disk Encrypt an entire disk", you indeed mean that whole disk, so it doesn't even have a partition table; yes, that's possible, geom(4) provides the necessary flexibility (and for encryption, you'll use geli(8) as already stated by jbodenmann). The installer won't offer this, only encrypted partitions, so you'll have to do it manually. I guess booting from that with an ESP on removable media will work, but I never tried. The "normal" way to do FDE is to have an encrypted partition and an unencrypted ESP for booting on the system disk. All of this isn't related to ZFS. ZFS encryption only offers encryption of individual datasets.

Apart from that, I'm having a hard time spotting an actual question here. Just a remark: btrfs is a (IMHO weak) attempt to create something "similar to ZFS".


----------



## mer (Jun 13, 2022)

KingDotNet said:


> which in my case wouldn't be an issue as my setup is true FDE, no EFI/ESP/Boot Partition on the disk, it's on a removable flash drive.


Do you want your boot device FDE or do you want an external "data device" FDE?

The basic question I think you are asking is "Can I do FDE with ZFS" and an answer is "yes, but with other disk tools, GELI is probably the most suitable".


----------



## KingDotNet (Jun 13, 2022)

Zirias said:


> If by "Full Disk Encrypt an entire disk", you indeed mean that whole disk, so it doesn't even have a partition table; yes, that's possible, geom(4) provides the necessary flexibility (and for encryption, you'll use geli(8) as already stated by jbodenmann). The installer won't offer this, only encrypted partitions, so you'll have to do it manually. I guess booting from that with an ESP on removable media will work, but I never tried. The "normal" way to do FDE is to have an encrypted partition and an unencrypted ESP for booting on the system disk. All of this isn't related to ZFS. ZFS encryption only offers encryption of individual datasets.
> 
> Apart from that, I'm having a hard time spotting an actual question here. Just a remark: btrfs is a (IMHO weak) attempt to create something "similar to ZFS".


You're right it isn't related to ZFS, it's my btrfs setup, and I understand, however in my rambling I now realize I didn't go into too many specifics so there's a better understanding, my fault, what I mean by FDE is as follows, gdisk numbers 8308 & 8309 are "Dm-Crypt Partition" & "Luks Partition" respectively, from there I do cryptsetup use a completely Non-standard setup, using luks2, argon2id for the pbkdf, whirlpool hash, sha3 resilience hash, with a serpent-xts-plain64be cipher, and you encrypt the Luks or dm partition, you don't even mkfs yet, afterwards, open the encryption with a mkfs.btrfs or mkfs.xfs not an lvm, from there with BTRFS you make subvolumes with the /dev/mapper/x at mount, then unmount it and mount the subvols directly subvol root goes to /mnt and so on, XFS has something similar, I understand it's different, but I'm using what I do know to explain the setup, as it's more a container than a fs, the fs gets made 2nd, and placed inside luks2, and then closes, the point is make the filesystem invisible when not in use, and with the detached boot, your computer can't even see there's something on the drive without the USB Inserted. Could zfs go in, in a similar fashion? The efi boot, as well as Initramfs are on the USB, unencrypted, and instead of mkinit or whatever is BSD standard, I use Red Hat's Dracut, as it is the only program that can detect all volumes and partitions, Including the passwords to login to a system, with literally no involvement from the user other than typing "Dracut --regenerate-all" to make the initram


----------



## decuser (Jun 13, 2022)

KingDotNet said:


> Wow, so this is what it's like to cross over, so retro.


Completely amused - retro? hardly. Unless by retro, you mean stable. It is true that ZFS has been running in FreeBSD for more than a decade, but it is far more capable and much simpler to manage than its nearest competitor, which BTRFS certainly is not. I had exactly the same thought the other day when I ran Arch - how retro, BTRFS indeed, no thanks - it's eaten my data more than once over the years.


----------



## freezr (Jun 13, 2022)

What is the actual OP question though?


----------



## hardworkingnewbie (Jun 13, 2022)

KingDotNet said:


> You're right it isn't related to ZFS, it's my btrfs setup, and I understand, however in my rambling I now realize I didn't go into too many specifics so there's a better understanding, my fault, what I mean by FDE is as follows, gdisk numbers 8308 & 8309 are "Dm-Crypt Partition" & "Luks Partition" respectively, from there I do cryptsetup use a completely Non-standard setup, using luks2, argon2id for the pbkdf, whirlpool hash, sha3 resilience hash, with a serpent-xts-plain64be cipher, and you encrypt the Luks or dm partition, you don't even mkfs yet, afterwards, open the encryption with a mkfs.btrfs or mkfs.xfs not an lvm, from there with BTRFS you make subvolumes with the /dev/mapper/x at mount, then unmount it and mount the subvols directly subvol root goes to /mnt and so on, XFS has something similar, I understand it's different, but I'm using what I do know to explain the setup, as it's more a container than a fs, the fs gets made 2nd, and placed inside luks2, and then closes, the point is make the filesystem invisible when not in use, and with the detached boot, your computer can't even see there's something on the drive without the USB Inserted. Could zfs go in, in a similar fashion? The efi boot, as well as Initramfs are on the USB, unencrypted, and instead of mkinit or whatever is BSD standard, I use Red Hat's Dracut, as it is the only program that can detect all volumes and partitions, Including the passwords to login to a system, with literally no involvement from the user other than typing "Dracut --regenerate-all" to make the initram


Dude, do yourself and all of us a favor, namely:

1. write *short* sentences
2. use paragraphs

Thanks. Your whole posting looks like a ghastly mess of puked out words, and is really hard to grasp.


----------



## zirias@ (Jun 14, 2022)

KingDotNet you _are_ aware that FreeBSD is _not_ Linux (and not "related" either)? In your second post, I see tons of Linux-specific things that don't really help to understand what exactly you're trying to achieve.

Just to get you started, geom(4) is _somewhat_ similar to Linux' "device mapper", but even more generic (e.g. also used for mapping partitions according to a partition table on disk). For encrypted mappings, you use geli(8), so this replaces "dm-crypt". It also handles storage and hashing of passphrases and keys etc, therefore does things similar to "luks". Now best forget all this Linux stuff and read about geom and geli (e.g. the manpages) and then just explain what you want to achieve without mixing in around 20 Linux buzzwords.

What the FreeBSD installer offers you by default is a simple partitioning scheme with an ESP and a legacy boot partition, both holding FreeBSD's bootloader (loader(8))* which can boot from a root fs inside a geli encrypted partition. If you choose ZFS, the pool will use this encrypted partition. This simple FDE setup (everything is encrypted except for completely generic boot code) is well suited for 99% of the users.

*) edit: not fully correct, loader(8) is the final stage of the bootloader. It operates directly as an EFI bootloader, but for "legacy" boot, some earlier stage (e.g. with ZFS on a GPT partitioned disk the one from /boot/gptzfsboot) is used. These can also decrypt GELI and chainload the actual loader(8) from /boot inside the root fs.


----------



## Erichans (Jun 14, 2022)

Besides the man pages, you'll find more in the FreeBSD documentation, specifically the FreeBSD Handbook, chapters 18 & 19. (Slides of) this GEOM tutorial by Poul-Henning Kamp (BSDCon 2003) may also be helpful.


----------

