Message-ID: <44C1D34E.20004@fluffles.net>
Date: Sat, 22 Jul 2006 09:27:10 +0200
From: Fluffles
To: freebsd-geom@freebsd.org
Subject: GELI on root partition -- problems

Hello guys,

I'm trying to use GELI encryption on my root partition. So the partitions look like:

/boot = ad0s1a
SWAP = ad0s1b
/ (root) = ad0s1d

In this case the "a" partition holds /boot, which is unencrypted and allows the kernel to be booted and GELI to ask for the passphrase for the "d" partition, whereas the "d" partition holds root (anything other than /boot) and is encrypted with GELI.

Reading from the manpage of GELI:

  o Allows to encrypt the root partition - the user will be asked for the passphrase before the root file system is mounted.

Though I cannot find anywhere on the internet nor on IRC how to accomplish this. Sysinstall gave me several mount/install errors when I tried to use /boot on the a-partition. And if I do it the other way around (a-partition is encrypted root and d-partition is /boot), then the boot loader can't find the kernel (because it looks on the a-partition, I guess). It seems many things in FreeBSD assume the "a" partition to be / (root), and that it holds the kernel.

So really, *how* do I set up this GELI-on-root feature? I've got a FreeBSD 6.1 ISO and FreeSBIE (livecd) and supported hardware at my disposal. If this doesn't work I can use an unencrypted root partition and only encrypt /usr, but I would use that only as a last resort.

Anyone who can show me the right direction? Your feedback is appreciated!

Thanks,
Veronica