Geli
From FBSD_tips
WARNING: THESE METHODS ARE DESTRUCTIVE. BACKUP ALL DATA BEFORE YOU START, OR IT WILL BE LOST
ARTICLE STILL BEING WRITTEN. PRE-DRAFT.
Please see Helio/man-install before continuing.
Encrypting the disk
First, we'll get some random key data from urandom.
dd if=/dev/urandom of=/keyfile bs=16k count=4
Now, we'll create a working MBR on the hard drive. This is for compatibility: some operating systems will blindly try to 'correct' a disk whose first sector looks unfamiliar to them.
fdisk -IB /dev/ad0
Before we can initialize the slice, we'll first need to prepare our environment for geli.
kldload /dist/boot/kernel/zlib.ko
kldload /dist/boot/kernel/crypto.ko
kldload /dist/boot/kernel/geom_eli.ko
This gives us a kernel that can use geom, and we'll point the geom utilities to the right directories:
export GEOM_LIBRARY_PATH=/dist/lib/geom
(versions before 7.0 will require a chroot as in Helio/man-install to work.)
Next, we'll give the disk an independent label:
geom label label -v geli0 /dev/ad0s1
Now, we'll initialize the geli provider:
geli init -b -a hmac/sha256 -s 4096 -K /keyfile /dev/label/geli0
And attach it:
geli attach -k /keyfile /dev/label/geli0
Now, we'll give it a BSD label:
bsdlabel -wB /dev/label/geli0.eli
and edit it:
bsdlabel -e /dev/label/geli0.eli
Now I created two partitions, /dev/label/geli0.elia and /dev/label/geli0.elib: the first is our root partition and the second our swap.
Now, I'll use geom label to label the swap partition:
geom label label -v swap0 /dev/label/geli0.elib
And we'll write a filesystem to root and give it a label:
newfs -L rootfilesystem /dev/label/geli0.elia
and mount it:
mount /dev/ufs/rootfilesystem /mnt
Creating the bootable thumb drive
Note: we assume /dev/da0 is the thumb drive; use geom disk list to find out which device it is on your system.
First, let's write a boot sector and a filesystem:
fdisk -IB /dev/da0
bsdlabel -wB /dev/da0s1
newfs -L thumbboot /dev/da0s1a
Next, create a mountpoint for /boot, and mount it there:
mkdir /mnt/boot
mount /dev/da0s1a /mnt/boot
And we'll move the keyfile onto the thumb drive:
mv /keyfile /mnt/boot/keyfile
Extracting the system
Please see Helio/man-install for the complete instructions and explanation.
export DESTDIR=/mnt
cd /dist/7.0-BETA2/base
./install.sh
cd ../kernels
./install.sh GENERIC
Cleaning up /boot
Let's point boot2 to the right file:
echo "/loader" >> /mnt/boot/boot.config
Next, we'll create a link to pacify the loader. This way none of the Forth scripts have to be edited:
cd /mnt/boot/
rm boot
ln -s . boot
Now, open /mnt/boot/loader.conf in either ee or vi, and add the following:
geom_label_load="YES"
geom_eli_load="YES"
vfs.root.mountfrom="ufs:ufs/rootfilesystem"
geli_label/geli0_keyfile0_load="YES"
geli_label/geli0_keyfile0_type="label/geli0:geli_keyfile0"
geli_label/geli0_keyfile0_name="/boot/keyfile"
kernel="GENERIC"
Lastly, edit /mnt/etc/fstab with your favorite editor, and add these:
/dev/ufs/rootfilesystem / ufs rw 1 1
/dev/ufs/thumbboot /boot ufs rw,noauto 0 0
/dev/label/swap0 none swap sw 0 0
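Before the first reboot it is worth checking that the loader.conf keyfile triple names the provider exactly as the kernel will see it (label/geli0, not the raw slice) and that vfs.root.mountfrom agrees with the fstab root entry, because a mismatch leaves an unbootable machine with no error more helpful than a mount failure. The following POSIX sh checker is an added example, not part of the FBSD_tips article; the helper names loader_get, check_geli_boot and check_root_matches_fstab are my own, and the sample files are constructed copies of the entries above.

```shell
#!/bin/sh
# Added example: offline sanity check of a geli loader.conf against fstab.

# Print the unquoted value of loader.conf key $2 in file $1; the last one wins.
loader_get() {
    awk -v k="$2" -F= '$1 == k { v = $2; sub(/^"/, "", v); sub(/"$/, "", v); last = v }
                       END { print last }' "$1"
}

# Check that $1 loads geom_label/geom_eli and carries a complete keyfile
# triple for provider $2 (e.g. label/geli0), with the key on the /boot drive.
check_geli_boot() {
    conf=$1; prov=$2; base="geli_${prov}_keyfile0"
    for key in geom_label_load geom_eli_load "${base}_load"; do
        [ "$(loader_get "$conf" "$key")" = "YES" ] || { echo "missing $key=\"YES\""; return 1; }
    done
    ktype=$(loader_get "$conf" "${base}_type")
    [ "$ktype" = "${prov}:geli_keyfile0" ] || { echo "wrong keyfile type: $ktype"; return 1; }
    case $(loader_get "$conf" "${base}_name") in
        /boot/*) ;;
        *) echo "keyfile must live under /boot (the thumb drive)"; return 1 ;;
    esac
}

# Check that vfs.root.mountfrom in $1 names the device that fstab $2 mounts on /.
check_root_matches_fstab() {
    mf=$(loader_get "$1" vfs.root.mountfrom)        # e.g. ufs:ufs/rootfilesystem
    awk -v d="/dev/${mf#*:}" '$1 == d && $2 == "/" { ok = 1 } END { exit !ok }' "$2"
}

# Constructed samples mirroring the entries above (not taken from a real system).
SAMPLE_CONF=$(mktemp "${TMPDIR:-/tmp}/loader.conf.XXXXXX")
SAMPLE_FSTAB=$(mktemp "${TMPDIR:-/tmp}/fstab.XXXXXX")
BAD_CONF=$(mktemp "${TMPDIR:-/tmp}/loader.bad.XXXXXX")
cat > "$SAMPLE_CONF" <<'EOF'
geom_label_load="YES"
geom_eli_load="YES"
vfs.root.mountfrom="ufs:ufs/rootfilesystem"
geli_label/geli0_keyfile0_load="YES"
geli_label/geli0_keyfile0_type="label/geli0:geli_keyfile0"
geli_label/geli0_keyfile0_name="/boot/keyfile"
kernel="GENERIC"
EOF
printf '%s\n' '/dev/ufs/rootfilesystem / ufs rw 1 1' \
    '/dev/ufs/thumbboot /boot ufs rw,noauto 0 0' '/dev/label/swap0 none swap sw 0 0' > "$SAMPLE_FSTAB"
# Common mistake: the type names the raw slice instead of the labelled provider.
sed 's#label/geli0:geli_keyfile0#ad0s1:geli_keyfile0#' "$SAMPLE_CONF" > "$BAD_CONF"
check_geli_boot "$SAMPLE_CONF" label/geli0 && check_root_matches_fstab "$SAMPLE_CONF" "$SAMPLE_FSTAB" \
    && echo "loader.conf and fstab agree"
```

Run it against /mnt/boot/loader.conf and /mnt/etc/fstab before rebooting; the script only reads the files and never touches the devices.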
