# Help on installing with UFS+J, GELI, GPT, and boot from USB



## y2s82 (Jun 19, 2012)

I have a notebook with 3 GB RAM.  I've recently purchased a 128 GB SSD from Samsung to replace my damaged hdd and decided to give more thoughts into the installation of FreeBSD rather than using the default installation settings.  I wanted to use GELI to encrypt the entire hard drive and use usb key to boot.  I am concerned on the best usage practice for SSD, TRIM, and what to do with SWAP. I've been giving thoughts on whether to use ZFS or UFS+J, but with just 3 GB RAM and only a single drive, using ZFS seemed bit pointless.  Please correct me if I'm wrong, but self-healing wouldn't work with just single drive in the pool, and snapshots seem very useful but there seems to be other ways to go about to achieve functionally similar effect... I've read an article in this forum, which I can't seem to find right now, where one can set up two jails, one that apparently works as a main system while the other serving as a backup of sorts, and to upgrade, install all system stuff into the backup and simply switch the setting to boot from the other (backup) jail.  anyways, ZFS seemed less than useful and would potentially hog much of the RAM compared to UFS+J. 

Another thing I would like is labeling everything using GPT.  I hope this would make things easier should I ever have to add/rearrange disks within the system.

And should I worry about 4k-alignment?  and if so, how should I go about it?  I think it had to do something with newfs...

I've been reading up on howto instructions on this forum for many of varying installation methods.  I'm most uncertain about how GELI and GPT fits in together while booting from USB.  I think I'd be taking pieces from several different instructions to suit my needs and the following is what I ended up with.  I would appreciate if others could tell me what I'm doing wrong, or do something better, or point out flaws in my reasons to use UFS+J over ZFS, or anything else that would make my system set up better   Oh, and thank you for reading anyways  

Proposed Steps:

0. boot from usb live system and enter shell.  Have another usb key da1 and SSD in ada0

1-1. Create a partition encompassing the entire SSD


```
gpart destroy -F ada0
    gpart create -s GPT ada0
    gpart add -a128k -t freebsd-ufs -l local0 ada0
```

1-2. Using gpart, create two partitions, freebsd-boot and freebsd-ufs labeled "boot", in the USB key.  Install necessary bootcode into the freebsd-boot.


```
gpart destroy -F da1
    gpart create -s GPT da1
    gpart add -t freebsd-boot -l bootcode -s 512k da1
    gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da1
    gpart add -t freebsd-ufs -l note1-boot da1
    newfs /dev/gpt/note1-boot
```
 
2. Create a 256-bit key file using outputs from /dev/random to be used with GELI. This file should be placed in /boot folder in the usb.  make backup to /root just in case.  Add necessary lines to /mnt/usb/boot/loader.conf


```
mkdir /mnt/usb
    mount /dev/da1 /mnt/usb
    mkdir -p /mnt/usb/boot/keys
    dd if=/dev/random of=/mnt/usb/boot/keys/local0.key bs=256k count=1
    cp /mnt/usb/boot/keys/local0.key /root/local0.key

    cat << EOF >> /mnt/usb/boot/loader.conf
    #Delay boot to make sure USB key is detected before rushing into the boot process.
    kern.cam.boot_delay="6000"
    #Encryption
    geom_eli_load="YES"
    geli_local0_keyfile0_load="YES"
    geli_local0_keyfile0_type="gpt/local0:geli_keyfile0"
    geli_local0_keyfile0_name="/boot/keys/local0.key"
    vfs.root.mountfrom="ufs:/dev/gpt/note1-root0"
    EOF

    umount /mnt/usb
```

3. Encrypt the SSD using geli with the key file and a password.


```
geli init -b -s 4096 -l 256 -K /mnt/usb/boot/keys/local0.key /dev/gpt/local0
    geli attach -k /mnt/usb/boot/keys/local0.key /dev/gpt/local0
```

4. using gpart and newfs, create GPT partition on the /dev/gpt/local0.eli and add containers and format (with journal and TRIM) for /, swap, /var, /usr, /usr/home.  /tmp will either be a symlink from /var/tmp or will be created using tmpmfs setting in the /etc/rc.conf.  Which would be better for this setup?


```
gpart create -s GPT /dev/gpt/local0.eli
    gpart add -a128k -t freebsd-swap -l note1-swap0 -s 4G gpt/local0.eli
    gpart add -a128k -t freebsd-ufs -l note1-root0 -s 512M gpt/local0.eli
    gpart add -a128k -t freebsd-ufs -l note1-var0 -s 2G gpt/local0.eli
    gpart add -a128k -t freebsd-ufs -l note1-usr0 -s 10G gpt/local0.eli
    gpart add -a128k -t freebsd-ufs -l note1-home0 gpt/local0.eli
    newfs -t -U /dev/gpt/note1-root0
    newfs -t -U /dev/gpt/note1-var0
    newfs -t -U /dev/gpt/note1-usr0
    newfs -t -U /dev/gpt/note1-home0
```
By the way, what's the difference between -j and -J fags for newfs?

6. mount all file systems appropriately with root on /mnt/system.  Mount the /boot in /dev/gpt/boot (from the usb key) to /mnt/system/boot


```
mkdir /mnt/system
    mount /dev/gpt/note1-root0 /mnt/system
    mount /dev/gpt/note1-var0 /mnt/system/var
    mount /dev/gpt/note1-usr0 /mnt/system/usr
    mount /dev/gpt/note1-home0 /mnt/system/usr/home

    mount /dev/gpt/note1-boot    /mnt/usb
    mount /mnt/usb/boot /mnt/system/boot
```

7. Install FreeBSD


```
for I in base.txz kernel.txz; do
    tar --unlink -xvpJf ${I} -C /mnt/system
    done
```

8. Setup /mnt/etc/rc.conf, /mnt/etc/fstab, /mnt/etc/pf.conf


```
cat << EOF >> /mnt/etc/fstab
    /dev/gpt/note1-root0      /           ufs     rw      1   1
    /dev/gpt/note1-swap0      none        swap    sw      0   0
    /dev/gpt/note1-var0       /var        ufs     rw      2   2
    /dev/gpt/note1-usr0       /usr        ufs     rw      2   2
    /dev/gpt/note1-home0      /usr/home   ufs     rw      2   2

    cat << EOF >> /mnt/etc/rc.conf
    # Add lines for:
    # tmpmfs
    # Firewall - pf
    # ntpd
    # Power Saving Features
    # anything else needed in rc.conf
    EOF

    cat << EOF >> /mnt/etc/pf.conf
    #Insert your rules
    EOF
```

9. Reboot, add users, setup user environments, install ports, etc.


----------



## wblock@ (Jun 19, 2012)

y2s82 said:
			
		

> And should I worry about 4k-alignment?  and if so, how should I go about it?  I think it had to do something with newfs...



For an SSD, yes.  That is done when creating partitions.  gpart(8) has -a to make that easier.  128K alignment will not hurt, but may not matter if the partition starts on the first block anyway.



> 4. using gpart and newfs, create GPT partition on the /dev/gpt/local0.eli and add containers and format (with journal and TRIM) for /, swap, /var, /usr, /usr/home.  /tmp will either be a symlink from /var/tmp or will be created using tmpmfs setting in the /etc/rc.conf.  Which would be better for this setup?



/var/tmp is supposed to be nonvolatile.  Using tmpfs(5) for /tmp works well.



> ```
> gpart create -s GPT /dev/gpt/local0.eli
> gpart add -t freebsd-ufs -l root0 -s 2G /dev/gpt/local0.eli
> gpart add -t freebsd-swap -l swap0 -s 4G /dev/gpt/local0.eli
> ...



Using more meaningful labels helps to keep them unique.  Naming them for where they are or what they hold helps: e1505-rootfs for the root filesystem on a Dell E1505, for example.

About that -j: softupdates-journaling prevents the use of dump(8) at present.  Work is underway to fix that, but not finished.  In the meantime, skipping SUJ on an SSD is livable.  SSDs seek so fast that fsck(8) finishes quickly anyway.

-O 2 is the default, don't mess with it.



> By the way, what's the difference between -j and -J flags for newfs?



-J uses GEOM journaling, avoid that.


----------



## jrm@ (Jun 19, 2012)

wblock@ said:
			
		

> About that -j: softupdates-journaling prevents the use of dump(8) at present.  Work is underway to fix that, but not finished.  In the meantime, skipping SUJ on an SSD is livable.



You can always turn on soft-updates journaling later using tunefs().*



			
				wblock@ said:
			
		

> SSDs seek so fast that fsck(8) finishes quickly anyway.



It currently takes about 10 seconds on my 160GB Intel SSD.

* "It is not necessary to build a new filesystem to use soft-updates journalling. The addition or deletion of soft-updates journaling to existing FreeBSD fast filesystems is done using the tunefs program." 

http://www.bsdcan.org/2010/schedule/events/195.en.html.


----------



## y2s82 (Jun 20, 2012)

wblock@ said:
			
		

> For an SSD, yes.  That is done when creating partitions.  gpart(8) has -a to make that easier.  128K alignment will not hurt, but may not matter if the partition starts on the first block anyway.



Does that mean I can do `gpart -a 4K` to achieve it? *O*r do you mean I should use `gpart -a 128K`? *B*ut it may not matter as in the 4k alignment may not matter? I remember using a 128K value for the -s flag for the freebsd-boot.  Is it that it doesn't matter because the first block was already set with 128K?

And should I use that flag before encryption (local0), after encryption (note1-root0, note1-var0, note1-usr0, note1-home0), or both?

I'm sorry for dumping so many questions :s


----------



## wblock@ (Jun 20, 2012)

Now that I think about it again, that's not right.  There are 34 512-byte blocks used by the GPT table.  So yes, use -a4k or -a128k.  Then the partitions will start on even multiples of that value.  That helps performance because it matches the blocks used internally by the device.  If you start the first partition at 1M, it's aligned for both 4K and 128K blocks.  Make it an even multiple of 128K or 1M or 1G in size.  (Unless you're running 9-stable, -a will override -b.  But if you calculate the sizes yourself, -a isn't required.)


----------



## y2s82 (Jun 20, 2012)

Hmmm so should my code look something like this to address the 4k alignment?

```
gpart create -s GPT ada0
gpart add -a128k -t freebsd-ufs -l local0 ada0
#parts with geli
gpart create -s GPT gpt/local0.eli
gpart add -a128k -t freebsd-swap -l note-swap0 -s 4G gpt/local0.eli
gpart add -a128k -t freebsd-ufs -l note-root0 -s 512M gpt/local0.eli
gpart add -a128k -t freebsd-ufs -l note-var0 -s 2G gpt/local0.eli
gpart add -a128k -t freebsd-ufs -l note-usr0 -s 10G gpt/local0.eli
gpart add -a128k -t freebsd-ufs -l note-home0 gpt/local0.eli
```


----------



## wblock@ (Jun 20, 2012)

That looks okay.  The numbers on the partition labels look confusingly like device names to me.  They aren't needed (unless you plan to have more than one of each, I suppose).


----------



## y2s82 (Jun 20, 2012)

about the label numbering, I wasn't sure what would be in store for this drive.  I'm hoping to continue to use this drive even when my aged laptop is replaced with another system, hopefully a desktop.  I was hoping to simply drop in the drive, perhaps make modifications to kernel, and be able to boot and use it right away.  since such system would likely be a desktop, I figured it may have more drives and thought it may be useful to keep partitions numbered just in case.


----------



## y2s82 (Jun 21, 2012)

I was just writing down the above procedure as a reference, but one thing lead to another and instead ended up with a script.  Here it is for anyone interested.

Please do point out any flaws or possible improvements   thank you.


```
#!/bin/sh

#This is a script meant to install FreeBSD into a combination of 
#a disk, which acts as a main system disk, 
#and another storage device such is a usb key, which acts as a key needed to boot.
#It will make use of UFS, GELI, and GPT
#This script is meant to be executed from a FreeBSD livefs usb.  
#!!WARNING: THE SCRIPT IS INCOMPLETE AS IS!! It requires users customization.  
#In particular, there are three parts that need attention the most.
#First, make sure to take a look at Variables section and change them to suit your need if needs be.
#Second, you will need to modify the last section of the script to complete 
#/etc/rc.conf, /etc/fstab, /etc/pf.conf, /boot/loader.conf to suit your need.
#Last, if you are NOT running this from a live usb, modify the method of installation to suit your need.
#V1:Dated 2012-06-21

######Mount / rw ##### Comment the following line if you are NOT using live usb
mount -u -w /

######Variables#######
####Disks
DISK="ada0"
KEY="da1"
####Labels
llocalfs="note1-local0"
lrootfs="note1-root"
lswapfs="note1-swap"
lvarfs="note1-var"
lusrfs="note1-usr"
lhomefs="note1-home"
kbootcodefs="bootcode"
kbootfs="note1-boot"
####Size of each fs
srootfs="1G"
sswapfs="2G"
svarfs="2G"
susrfs="10G"
#shomefs is not set as it would take the rest of the storage capacity of the disk
stmpfs="1G"
####Mount Target and other directories
systeminstall="/mnt/system"
systemkey="/mnt/usb"
KEYS="/boot/keys"
####Key File
Keyfile=""$llocalfs".key"
####Various 
align="4k"
cmdnewfs="newfs -t -U"

#####Code#############
####Prepare and mount key
gpart destroy -F $KEY
gpart create -s GPT $KEY
gpart add -t freebsd-boot -l $kbootcodefs -s 512K $KEY
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 $KEY
gpart add -t freebsd-ufs -l $kbootfs $KEY
newfs -U /dev/gpt/$kbootfs
mkdir -p $systemkey
mount /dev/gpt/$kbootfs $systemkey
####Create boot folder and encryption key and make a backup of the key in /root
mkdir -p $systemkey$KEYS
dd if=/dev/random of=$systemkey$KEYS/$Keyfile bs=256k count=1
cp $systemkey$KEYS/$Keyfile /root/$Keyfile.bk
####Prepare and encrypt the system disk
gpart destroy -F $DISK
gpart create -s GPT $DISK
gpart add -a $align -t freebsd-ufs -l "$llocalfs" $DISK
geli init -b -s 4096 -l 256 -K $systemkey$KEYS/$Keyfile /dev/gpt/$llocalfs
geli attach -k $systemkey$KEYS/$Keyfile /dev/gpt/$llocalfs
gpart create -s GPT /dev/gpt/$llocalfs.eli
gpart add -a $align -t freebsd-swap -l $lswapfs -s $sswapfs /dev/gpt/$llocalfs.eli
gpart add -a $align -t freebsd-ufs -l $lrootfs -s $srootfs /dev/gpt/$llocalfs.eli
gpart add -a $align -t freebsd-ufs -l $lvarfs -s $svarfs /dev/gpt/$llocalfs.eli
gpart add -a $align -t freebsd-ufs -l $lusrfs -s $susrfs /dev/gpt/$llocalfs.eli
gpart add -a $align -t freebsd-ufs -l $lhomefs -s $shomefs /dev/gpt/$llocalfs.eli
$cmdnewfs /dev/gpt/$lrootfs
$cmdnewfs /dev/gpt/$lvarfs
$cmdnewfs /dev/gpt/$lusrfs
$cmdnewfs /dev/gpt/$lhomefs

####Create mount directory for installation and mount file systems accordingly
mkdir -p $systeminstall
mount /dev/gpt/$lrootfs $systeminstall
mkdir -p $systeminstall/var
mount /dev/gpt/$lvarfs $systeminstall/var
mkdir -p $systeminstall/usr
mount /dev/gpt/$lusrfs $systeminstall/usr
mkdir -p $systeminstall/usr/home
mount /dev/gpt/$lhomefs $systeminstall/usr/home
mkdir -p $systeminstall/boot
mount -t nullfs $systemkey/boot $systeminstall/boot

####Install FreeBSD
cd /usr/freebsd-dist/
for I in base.txz kernel.txz; do
    tar --unlink -xvpJf ${I} -C $systeminstall
done

####Prepare necessary environment to boot from the disk
##/etc/fstab
cat << EOF >> $systeminstall/etc/fstab
/dev/gpt/$lswapfs       none        swap    sw                  0   0
/dev/gpt/$lrootfs       /           ufs     rw,noatime          1   1
/dev/gpt/$lvarfs        /var        ufs     rw,noatime          2   2
/dev/gpt/$lusrfs        /usr        ufs     rw,noatime          2   2
/dev/gpt/$lhomefs       /usr/home   ufs     rw,noatime          2   2
/dev/gpt/$kbootfs       /boot       nullfs  rw,noatime,noauto   0   0
EOF

##/boot/loader.conf
cat << EOF >> $systeminstall/boot/loader.conf
#Delay boot to make sure USB key is detected before rushing into the boot process
kern.cam.boot_delay="6000"
#Encryption
geom_eli_load="YES"
geli_"$llocalfs"_keyfile0_load="YES"
geli_"$llocalfs"_keyfile0_type="gpt/"$llocalfs":geli_keyfile0"
geli_"$llocalfs"_keyfile0_name="$KEYS/$Keyfile"
vfs.root.mountfrom="ufs:/dev/gpt/$lrootfs"
#
####Power Saving Features
hint.p4tcc.0.disabled=1
hint.acpi_throttle.0.disabled=1
hint.apic.0.clock=0 	#disable APIC timers
kern.hz=100		#increase inactivity period for C3
hint.atrtc.0.clock=0	#disable RTC clock
EOF
##/etc/rc.conf
cat << EOF >> $systeminstall/etc/rc.conf
## tmp folder in swapfs
tmpmfs="YES"
tmpsize="$stmpfs"
tmpmfs_flags="-m 0 -o async,noatime -S -p 1777"
## Power Saving Features
powerd_enable="YES"		#Power Saving Features
powerd_flags="-a maximum -b adaptive -i 85 -r 60 -p 100"

## pf Firewall
pf_enable="YES"			# Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf"		# rules definition file for pf
pf_program="/sbin/pfctl"	# where the pfctl program lives
pf_flags=""			# additional flags for pfctl
pflog_enable="YES"		# Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog"	# where pflogd should store the logfile
pflog_program="/sbin/pflogd"	# where the pflogd program lives
pflog_flags=""			# additional flags for pflogd
ftpproxy_enable="YES"		# Set to YES to enable ftp-proxy(8) for pf
ftpproxy_flags=""		# additional flags for ftp-proxy(8)
gateway_enable="YES" # for jail
## NTP
ntpd_enable="YES"		# Run ntpd Network Time Protocol (or NO).
ntpd_program="/usr/sbin/ntpd"	# path to ntpd, if you want a different one.
ntpd_config="/etc/ntp.conf"	# ntpd(8) configuration file
ntpd_sync_on_start="YES"	# Sync time on ntpd startup, even if offset is high
ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift"
EOF
```


----------



## y2s82 (Jun 21, 2012)

Hmmm this method runs headlong into trouble quite early; it seems I can't do this:
`gpart create -s GPT /dev/gpt/note1-local0.eli`
It says the provider is not configured.
Is there any way to encrypt a gpt-labeled partition and assign more gpt partition to it afterwards, or am I forced to use the BSD labeling to this?  Or is that not possible either?

EDIT: found an article detailing how GPT cannot be nested or, at least not supposed to be, inside another scheme like MBR while the reverse is possible.  Hmmmm... maybe I should simply have all partitions be exposed or just create BSD labels from .eli.  Are there any better ideas or suggestions?


----------



## wblock@ (Jun 21, 2012)

Putting GPT inside other partition types is problematic.  You can still use GPT to partition a disk, but the partitions inside the eli device... well, it can be done, but at present it's not recommended.

When I set a notebook up for geli(8) a few months ago, I mostly followed bbzz's Howto.


----------



## y2s82 (Jun 23, 2012)

I was actually inspired to do this from that and some other post. I just wanted to do it in GPT though.

I got it done by simply putting all the partition in GPT without any internal sectioning within one particular GPT, each being encrypted separately.  Booting from a USB stick is surprisingly slow with all the modules being loaded, but I guess that's what I asked for.

Thanks for helping me out so far. It did wonders. 

I thought I might try to write down the final draft of my plan here.  I should have done this long time ago, but I hope it's better late than never   My memory is a bit fuzzy at the moment, but I'll try to write down all the steps...

```
#!/bin/sh

#This is a script meant to install FreeBSD into a combination of 
#a disk, which acts as a main system disk, 
#and another storage device such is a usb key, which acts as a key needed to boot.
#It will make use of UFS, GELI, and GPT
#This script is meant to be executed from a FreeBSD livefs usb.  
#!!WARNING: THE SCRIPT IS INCOMPLETE AS IS!! It requires users customization.  
#In particular, there are three parts that need attention the most.
#First, make sure to take a look at Variables section and change them to suit your need if needs be.
#Second, you will need to modify the last section of the script to complete 
#/etc/rc.conf, /etc/fstab, /etc/pf.conf, /boot/loader.conf to suit your need.
#Last, if you are NOT running this from a live usb, modify the method of installation to suit your need.
#V1:Dated 2012-06-21

######Mount / rw ##### Comment the following line if you are NOT using live usb
mount -u -w /

######Variables#######
####Disks
DISK="ada0"
KEY="da1"
####Labels
llocalfs="note1-local0"
lrootfs="note1-root"
lswapfs="note1-swap"
lvarfs="note1-var"
lusrfs="note1-usr"
lhomefs="note1-home"
kbootcodefs="bootcode"
kbootfs="note1-boot"
####Size of each fs
srootfs="1G"
sswapfs="2G"
svarfs="2G"
#susrfs is not set as it would take the rest of the storage capacity of the disk
stmpfs="500M"
####Mount Target and other directories
systeminstall="/mnt/system"
systemkey="/mnt/usb"
KEYS="/boot/keys"
####Key File
Keyfile=""$llocalfs".key"
####Various 
align="4k"
cmdnewfs="newfs -t -U"

#####Code#############
####Prepare and mount key
gpart destroy -F $KEY
gpart create -s GPT $KEY
gpart add -t freebsd-boot -l $kbootcodefs -s 512K $KEY
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 $KEY
gpart add -t freebsd-ufs -l $kbootfs $KEY
newfs -U /dev/gpt/$kbootfs
mkdir -p $systemkey
mount /dev/gpt/$kbootfs $systemkey
####Create boot folder and encryption key and make a backup of the key in /root
mkdir -p $systemkey$KEYS
dd if=/dev/random of=$systemkey$KEYS/$Keyfile bs=256k count=1
cp $systemkey$KEYS/$Keyfile /root/$Keyfile.bk
####Prepare and encrypt the system disk
gpart destroy -F $DISK
gpart create -s GPT $DISK
gpart add -a $align -t freebsd-swap -l $lswapfs -s $sswapfs $DISK
gpart add -a $align -t freebsd-ufs -l $lrootfs -s $srootfs $DISK
gpart add -a $align -t freebsd-ufs -l $lvarfs -s $svarfs $DISK
gpart add -a $align -t freebsd-ufs -l $lusrfs $DISK
geli init -b -s 4096 -l 256 -K $systemkey$KEYS/$Keyfile /dev/gpt/$lrootfs
geli attach -k $systemkey$KEYS/$Keyfile /dev/gpt/$lrootfs
geli init -b -s 4096 -l 256 -K $systemkey$KEYS/$Keyfile /dev/gpt/$lvarfs
geli attach -k $systemkey$KEYS/$Keyfile /dev/gpt/$lvarfs
geli init -b -s 4096 -l 256 -K $systemkey$KEYS/$Keyfile /dev/gpt/$lusrfs
geli attach -k $systemkey$KEYS/$Keyfile /dev/gpt/$lusrfs
$cmdnewfs /dev/gpt/"$lrootfs".eli
$cmdnewfs /dev/gpt/"$lvarfs".eli
$cmdnewfs /dev/gpt/"$lusrfs".eli

####Create mount directory for installation and mount file systems accordingly
mkdir -p $systeminstall
mount /dev/gpt/$lrootfs $systeminstall
mkdir -p $systeminstall/var
mount /dev/gpt/$lvarfs $systeminstall/var
mkdir -p $systeminstall/usr
mount /dev/gpt/$lusrfs $systeminstall/usr
mkdir -p $systeminstall/boot
mount -t nullfs $systemkey/boot $systeminstall/boot

####Install FreeBSD
cd /usr/freebsd-dist/
for I in base.txz kernel.txz; do
    tar --unlink -xvpJf ${I} -C $systeminstall
done

####Prepare necessary environment to boot from the disk
##/etc/fstab
cat << EOF >> $systeminstall/etc/fstab
/dev/gpt/$lswapfs       none        swap    sw                  0   0
/dev/gpt/$lrootfs       /           ufs     rw,noatime          1   1
/dev/gpt/$lvarfs        /var        ufs     rw,noatime          2   2
/dev/gpt/$lusrfs        /usr        ufs     rw,noatime          2   2
/dev/gpt/$kbootfs       /boot       nullfs  rw,noatime,noauto   0   0
EOF

##/boot/loader.conf
cat << EOF >> $systeminstall/boot/loader.conf
#Delay boot to make sure USB key is detected before rushing into the boot process
kern.cam.boot_delay="6000"
#Encryption
geom_eli_load="YES"
geli_"$lrootfs"_keyfile0_load="YES"
geli_"$lrootfs"_keyfile0_type="gpt/"$lrootfs":geli_keyfile0"
geli_"$lrootfs"_keyfile0_name="$KEYS/$Keyfile"
geli_"$lvarfs"_keyfile0_load="YES"
geli_"$lvarfs"_keyfile0_type="gpt/"$lvarfs":geli_keyfile0"
geli_"$lvarfs"_keyfile0_name="$KEYS/$Keyfile"
geli_"$lusrfs"_keyfile0_load="YES"
geli_"$lusrfs"_keyfile0_type="gpt/"$lusrfs":geli_keyfile0"
geli_"$lusrfs"_keyfile0_name="$KEYS/$Keyfile"
vfs.root.mountfrom="ufs:/dev/gpt/"$lrootfs".eli"
#
####Power Saving Features
hint.p4tcc.0.disabled=1
hint.acpi_throttle.0.disabled=1
hint.apic.0.clock=0 	#disable APIC timers
kern.hz=100		#increase inactivity period for C3
hint.atrtc.0.clock=0	#disable RTC clock
EOF
##/etc/rc.conf
cat << EOF >> $systeminstall/etc/rc.conf
## tmp folder in swapfs
tmpmfs="YES"
tmpsize="$stmpfs"
tmpmfs_flags="-m 0 -o async,noatime -S -p 1777"
## Power Saving Features
powerd_enable="YES"		#Power Saving Features
powerd_flags="-a maximum -b adaptive -i 85 -r 60 -p 100"

## pf Firewall
pf_enable="YES"			# Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf"		# rules definition file for pf
pf_program="/sbin/pfctl"	# where the pfctl program lives
pf_flags=""			# additional flags for pfctl
pflog_enable="YES"		# Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog"	# where pflogd should store the logfile
pflog_program="/sbin/pflogd"	# where the pflogd program lives
pflog_flags=""			# additional flags for pflogd
ftpproxy_enable="YES"		# Set to YES to enable ftp-proxy(8) for pf
ftpproxy_flags=""		# additional flags for ftp-proxy(8)
gateway_enable="YES" # for jail
## NTP
ntpd_enable="YES"		# Run ntpd Network Time Protocol (or NO).
ntpd_program="/usr/sbin/ntpd"	# path to ntpd, if you want a different one.
ntpd_config="/etc/ntp.conf"	# ntpd(8) configuration file
ntpd_sync_on_start="YES"	# Sync time on ntpd startup, even if offset is high
ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift"
EOF
```


----------

