From: lnrt
To: freebsd-questions@freebsd.org
Date: Sun, 23 Nov 2014 00:44:29 +0100
Subject: Full disk encryption on FreeBSD 10.1-RELEASE?

While installing a FreeBSD 10.1-RELEASE system I want to use UFS and encrypt the entire disk. I select "Open a shell and partition by hand" and follow these steps:

====================
# gpart destroy -F ada0
# gpart create -s gpt ada0
# gpart add -t freebsd-boot -s 512k -a 4k ada0
# gpart add -t freebsd-ufs -l boot -s 1g -a 1m ada0
# gpart add -t freebsd-ufs -l encrypted -a 1m ada0
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0
# geli init -b -l 256 -s 4096 ada0p3
# geli attach ada0p3
# newfs -U /dev/ada0p2
# newfs -U /dev/ada0p3.eli
# mount /dev/ada0p3.eli /mnt
# mkdir /mnt/unencrypted
# mount /dev/ada0p2 /mnt/unencrypted
# mkdir /mnt/unencrypted/boot
# ln -s unencrypted/boot /mnt/boot
# vi /tmp/bsdinstall_etc/fstab
/dev/ada0p2      /unencrypted  ufs  rw,noatime  1  1
/dev/ada0p3.eli  /             ufs  rw,noatime  2  2
# vi /tmp/bsdinstall_boot/loader.conf
geom_eli_load="YES"
vfs.root.mountfrom="ufs:ada0p3.eli"
# exit
====================

This works as expected, but I would like to avoid /boot being a symlink to /unencrypted/boot, so I have tried this:

====================
# gpart destroy -F ada0
# gpart create -s gpt ada0
# gpart add -t freebsd-boot -s 512k -a 4k ada0
# gpart add -t freebsd-ufs -l boot -s 1g -a 1m ada0
# gpart add -t freebsd-ufs -l encrypted -a 1m ada0
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0
# geli init -b -l 256 -s 4096 ada0p3
# geli attach ada0p3
# newfs -U /dev/ada0p2
# newfs -U /dev/ada0p3.eli
# mount /dev/ada0p3.eli /mnt
# mkdir /mnt/boot
# mount /dev/ada0p2 /mnt/boot
# mkdir /mnt/boot/boot
# vi /tmp/bsdinstall_etc/fstab
/dev/ada0p2      /boot  ufs  rw,noatime  1  1
/dev/ada0p3.eli  /      ufs  rw,noatime  2  2
# vi /tmp/bsdinstall_boot/loader.conf
geom_eli_load="YES"
vfs.root.mountfrom="ufs:ada0p3.eli"
# exit
====================

This results in the following error when booting the system:

config: not a directory.
loader: not a directory.
gptboot: No /boot/loader on 0:ad(0p2)
kernel: not a directory.
gptboot: No /boot/kernel/kernel on 0:ad(0p2)

FreeBSD/x86 boot
Default: 0:ad(0p2)/boot/kernel/kernel
boot:

Does anyone have a suggestion on why the second method won't work?
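Editor's added example, not part of the message above: the error lines show that gptboot opens /boot/loader and /boot/kernel/kernel relative to the root of the filesystem on the partition it boots from (ada0p2 here), so the mount point of that partition decides which path inside it the installed files land at. The script below models that lookup for the two layouts in the post; the mount points are taken from the two fstab entries, and the symlink of the first layout is resolved by hand.

```shell
#!/bin/sh
# Editor's added example (not from the original post). gptboot reads
# /boot/loader and /boot/kernel/kernel relative to the root of the
# filesystem on the partition it boots from; where a file ends up inside
# that partition depends on where the partition is mounted when installed.

# path_on_partition MOUNTPOINT PATH
# Print PATH (as seen on the running system) relative to the root of the
# filesystem mounted at MOUNTPOINT; fail if PATH is not under MOUNTPOINT.
path_on_partition() {
    mp=$1; p=$2
    case "$mp" in
        /) printf '%s\n' "$p" ;;
        *) case "$p" in
             "$mp"|"$mp"/*) rel=${p#"$mp"}; printf '%s\n' "${rel:-/}" ;;
             *) return 1 ;;
           esac ;;
    esac
}

# gptboot_finds MOUNTPOINT REALPATH [BOOTFILE]
# Succeed when the file the installer writes at REALPATH (symlinks already
# resolved) sits at BOOTFILE (default /boot/loader) inside the partition
# mounted at MOUNTPOINT, i.e. at the path gptboot will open.
gptboot_finds() {
    want=${3:-/boot/loader}
    rel=$(path_on_partition "$1" "$2") || return 1
    [ "$rel" = "$want" ]
}

# Layout 1 from the post: ada0p2 at /unencrypted, /boot -> unencrypted/boot,
# so /boot/loader really lives at /unencrypted/boot/loader.
check_symlink_layout() {
    gptboot_finds /unencrypted /unencrypted/boot/loader &&
    gptboot_finds /unencrypted /unencrypted/boot/kernel/kernel /boot/kernel/kernel
}

# Layout 2 from the post: ada0p2 mounted directly at /boot, so the loader
# lands at /loader inside ada0p2 rather than at /boot/loader.
check_direct_layout() {
    gptboot_finds /boot /boot/loader &&
    gptboot_finds /boot /boot/kernel/kernel /boot/kernel/kernel
}

for layout in check_symlink_layout check_direct_layout; do
    if "$layout"; then echo "$layout: gptboot would find the loader"
    else echo "$layout: gptboot would NOT find the loader"; fi
done
```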