Date: Fri, 13 May 2011 00:46:37 -0400
From: Robert Simmons <rsimmons0@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Installing FreeBSD on an encrypted volume
Message-ID: <BANLkTim9zq31DGNkt4uhiBKUyBojDQ3Kng@mail.gmail.com>
I have been trying to get FreeBSD installed on an encrypted volume and I've run into an annoying problem. Before I describe the problem, let me explain what I have done so far.

First I used gpart to make GPT partitions: one freebsd-boot, two freebsd-ufs. The freebsd-boot is 64k and the following command installed the boot code:

    # gpart bootcode -b /mnt2/boot/pmbr -p /mnt2/boot/gptboot -i 1 ad0

The second freebsd-ufs is 200M for /boot and the third is for the GELI based encrypted swap and /. I used geli to encrypt ad0p3 and again used gpart to carve it into two BSD slices, one 512m for swap and the other the rest of the disk for /.

After everything is newfs'd and ad0p1 and ad0p3.elib are mounted as /mnt/boot and /mnt/root respectively, I did "export DESTDIR=/mnt/root" and ran the install.sh scripts in /dest/8.2-RELEASE/base and /dest/8.2-RELEASE/kernels.

The next thing I did was to modify the /mnt/root/boot/loader.conf file so that it loads the geom_eli module and edit the /mnt/root/boot/device.hints file so that the password on boot works correctly for the encrypted volume. And I moved /mnt/root/boot/GENERIC to /mnt/root/boot/kernel. Then I copied the contents of /mnt/root/boot to /mnt/boot. I created a directory /mnt/boot/etc and made a fstab and put one copy there and another copy in /mnt/root/etc.

This works great; however, I am left with /boot in two different places and /etc/fstab in two places as well. I would like to know if someone can come up with a more elegant solution to this. At the moment I am mounting /dev/ad0p2 as /bootdir and whenever I update the system, once the update is done, I just do an archival copy of the contents of /boot into /bootdir/boot, and if there is a change to fstab I make the change in both places.

I understand that /boot cannot be encrypted (at the moment, until things change). But I would like to have /boot mounted directly from /dev/ad0p2 so there is only one copy of it. Any thoughts?
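An added example, not part of the poster's message: the loader.conf and fstab for the layout described above, plus a drift check for anyone who keeps the two-copy scheme. It assumes the commonly used arrangement where ad0p2 stays mounted at /bootdir and /boot on the encrypted root is a symlink to /bootdir/boot, so one copy serves both the loader and the running system; the root label ad0p3.elib is the poster's, and ad0p3.elia is assumed to be the swap label.

```shell
#!/bin/sh
# Added example for the layout in the message above; not the poster's files.
# Assumptions: ad0p2 = unencrypted /boot partition mounted at /bootdir,
# ad0p3.eli carries a BSD label with 'a' = swap and 'b' = root.

# loader.conf must live on the unencrypted ad0p2 (/bootdir/boot/loader.conf).
# The loader cannot read fstab on the encrypted root, so it is told where
# root is with vfs.root.mountfrom; this removes the need for a second fstab.
gen_loader_conf() {
    cat <<'EOF'
geom_eli_load="YES"
vfs.root.mountfrom="ufs:/dev/ad0p3.elib"
EOF
}

# The only fstab, kept on the encrypted root. Mounting ad0p2 at /bootdir and
# pointing /boot at it (ln -s bootdir/boot /boot, run once on the root fs)
# leaves a single copy of the loader files that the system updates in place.
gen_fstab() {
    printf '%s\n' \
      '/dev/ad0p3.elib  /         ufs   rw  1  1' \
      '/dev/ad0p3.elia  none      swap  sw  0  0' \
      '/dev/ad0p2       /bootdir  ufs   rw  1  1'
}

# For anyone still carrying two copies of /boot: report whether they have
# drifted apart after an update. Returns 0 when identical, 1 when they
# differ, 2 when either directory is missing.
boot_copies_in_sync() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    diff -rq "$1" "$2" >/dev/null 2>&1
}
```

Write gen_loader_conf's output to /bootdir/boot/loader.conf and gen_fstab's to /etc/fstab on the encrypted root; the poster's device.hints edit and the GELI boot flag are unchanged by this.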