From: Robert Simmons
To: freebsd-questions@freebsd.org
Date: Fri, 13 May 2011 00:46:37 -0400
Subject: Installing FreeBSD on an encrypted volume
List-Id: User questions

I have been trying to get FreeBSD installed on an encrypted volume and I've run into an annoying problem. Before I describe the problem, let me explain what I have done so far.

First I used gpart to make GPT partitions: one freebsd-boot, two freebsd-ufs. The freebsd-boot is 64k and the following command installed the boot code:

# gpart bootcode -b /mnt2/boot/pmbr -p /mnt2/boot/gptboot -i 1 ad0

The second freebsd-ufs is 200M for /boot and the third is for the GELI based encrypted swap and /. I used geli to encrypt ad0p3 and again used gpart to carve it into two BSD slices, one 512m for swap and the other the rest of the disk for /.

After everything is newfs'd and ad0p1 and ad0p3.elib are mounted as /mnt/boot and /mnt/root respectively, I did "export DESTDIR=/mnt/root" and ran the install.sh scripts in /dest/8.2-RELEASE/base and /dest/8.2-RELEASE/kernels.

The next thing I did was to modify the /mnt/root/boot/loader.conf file so that it loads the geom_eli module and edit the /mnt/root/boot/device.hints file so that the password on boot works correctly for the encrypted volume. And I moved /mnt/root/boot/GENERIC to /mnt/root/boot/kernel. Then I copied the contents of /mnt/root/boot to /mnt/boot. I created a directory /mnt/boot/etc and made a fstab and put one copy there and another copy in /mnt/root/etc.

This works great; however, I am left with /boot in two different places and /etc/fstab in two places as well. I would like to know if someone can come up with a more elegant solution to this. At the moment I am mounting /dev/ad0p2 as /bootdir and whenever I update the system, once the update is done, I just do an archival copy of the contents of /boot into /bootdir/boot, and if there is a change to fstab I make the change in both places.

I understand that /boot cannot be encrypted (at the moment, until things change). But I would like to have /boot mounted directly from /dev/ad0p2 so there is only one copy of it.

Any thoughts?
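While the two copies of /boot exist, the practical risk is that they silently drift apart (a kernel updated in one place but not the other, or an edited loader.conf that never reached the unencrypted partition the loader actually reads). The script below is an added example, not from the poster or the FreeBSD project: it hashes every file under two directory trees and reports what differs, so the copy on the unencrypted partition can be checked against the copy on the encrypted root after each update. It assumes POSIX sh with find, sort, awk, mktemp and either sha256sum (Linux) or sha256 (FreeBSD); the directory names in the usage comment are the poster's.

```shell
#!/bin/sh
# Added example (not from the original post): detect drift between the copy of /boot
# on the encrypted root and the copy on the unencrypted boot partition.
# Assumes POSIX sh with find, sort, awk, mktemp, and sha256sum (Linux) or sha256 (FreeBSD).

# SHA-256 of one file, portable across the two hash utilities.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Sorted manifest of every regular file under $1, one "<hash> <relative path>" per line.
# Hash first, so a path containing spaces still parses.
manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          printf '%s %s\n' "$(hash_file "$f")" "${f#./}"
      done )
}

# Compare tree $1 (source of truth, e.g. /boot) with tree $2 (e.g. /bootdir/boot).
# Prints one line per difference: "changed P", "only-in-src P", "only-in-dst P".
# Exit status 0 when the trees are identical, 1 when they differ.
tree_diff() {
    local m1 m2 out
    m1=$(mktemp) && m2=$(mktemp) || return 2
    manifest "$1" > "$m1"
    manifest "$2" > "$m2"
    # The 64-hex-digit hash plus a space occupies columns 1-65; the path follows.
    out=$(awk '
        FILENAME == ARGV[1] { a[substr($0, 66)] = $1; next }
        { p = substr($0, 66)
          if (!(p in a)) print "only-in-dst", p
          else { if (a[p] != $1) print "changed", p; delete a[p] } }
        END { for (p in a) print "only-in-src", p }' "$m1" "$m2" | sort)
    rm -f "$m1" "$m2"
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Usage after an update, on the poster's layout:  tree_diff /boot /bootdir/boot
```

A non-zero exit status from tree_diff is the signal that the unencrypted copy needs to be refreshed (or, if nothing was updated on purpose, investigated).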