Boot the FreeBSD installer from your favourite medium. Allocate the whole disk to the FreeBSD slice. Inside that slice, allocate a 400MB UFS partition with the root mount point (/), and allocate the rest of the slice with the mount point /mnt. Proceed with the installation: install only the base system and kernel, and don't configure anything except the root password. Boot and log in as root into your new install.
Preparation of GELI device
Right now, the future root filesystem is an unencrypted, empty UFS filesystem. Creating it wasn't strictly necessary, but letting the installer do it is the fastest way to get the partition labelled without doing it by hand after the first installation step. Unmount it;
#umount /mnt
For the sake of the example, the small root filesystem is ad0s1a and the empty future root is ad0s1d.
Create the GELI keyfile;
#dd if=/dev/random of=/boot/key bs=64 count=1
Now we initialize the GELI encrypted partition with that key, using the default encryption algorithm. -b sets the BOOT flag, so the provider is attached during boot (required for a root filesystem), and -s 4096 gives the encrypted provider a 4 KB sector size;
#geli init -b -s 4096 -K /boot/key /dev/ad0s1d
Type your passphrase twice. Keep in mind that the keyfile sits on the unencrypted boot partition, so whoever has the disk also has /boot/key: the passphrase is the only secret actually protecting the data, so choose it accordingly and keep the keyfile readable by root only.
Let's attach the partition to the system;
#geli attach -k /boot/key /dev/ad0s1d
Type your passphrase. GELI will create the /dev/ad0s1d.eli block device, which you can access now; geli status should list ad0s1d.eli as ACTIVE.
Let's create the filesystem.
#newfs /dev/ad0s1d.eli
So now we have a UFS filesystem contained inside the GELI encrypted partition. This partition will be our encrypted root.
Installation of root filesystem
We'll just copy all relevant files from the small root to the new root partition. The small root will become the "boot" partition, containing only the kernel and the GELI keyfile needed to mount root. Let's first mount the new root somewhere;
#mount /dev/ad0s1d.eli /mnt
Now we copy the files;
#cp -p * /mnt
#cp -Rvp .snap /mnt
#cp -Rvp bin /mnt
#cp -Rvp dev /mnt
Repeat the recursive directory copy for every other subdirectory of root, except the boot directory and the mnt directory. (The dev copy is not really needed: the kernel mounts devfs on /dev at boot, so an empty /mnt/dev is enough.) Since we'll mount this partition as the root directory on the next boot, we'd lose access to the original root filesystem, which contains the kernel. We'll work around that by mounting the old root inside the new one;
#cd /mnt
#mkdir mnt
#mkdir mnt/boot
#mount /dev/ad0s1a mnt/boot
Edit /mnt/etc/fstab to reflect new configuration;
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1d.eli / ufs rw 1 1
/dev/ad0s1a /mnt/boot ufs rw 2 2
...and symlink the mount point to /boot, so the usual /boot path keeps working. Use a relative link target: an absolute target of /mnt/mnt/boot/boot resolves only while the old root is still /, and would dangle after reboot, when the old root is mounted at /mnt/boot. The relative target mnt/boot/boot resolves to /mnt/mnt/boot/boot now and to /mnt/boot/boot after reboot;
#ln -s mnt/boot/boot /mnt/boot
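The copy, fstab and symlink steps of this section as one script, added here as an example; these are not the page's own commands. It assumes the page's layout (small root on ad0s1a, GELI root on ad0s1d, new root already mounted on /mnt) but takes the paths as parameters, so the functions can be exercised on ordinary scratch directories before touching the real system. The --real switch is an assumed convenience, and cp -Rp is run once per top-level entry in place of the page's hand-typed list, skipping boot, mnt and dev (devfs is mounted on /dev by the kernel, and mnt/boot is created as the mount point for the old root).

```sh
#!/bin/sh
# Added example (not the page's commands): the copy, fstab and symlink steps
# as functions. Paths are parameters so the functions can be tried on plain
# directories; "--real" (an assumed switch) runs them on the page's layout.
set -eu

# copy_root SRC DST: copy every top-level entry of SRC into DST, skipping
# boot (stays on the small root), mnt (would recurse into DST itself) and
# dev (the kernel mounts devfs there, so an empty directory is enough).
copy_root() {
    src=$1 dst=$2
    for entry in "$src"/* "$src"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        case ${entry##*/} in boot|mnt|dev) continue ;; esac
        cp -Rp "$entry" "$dst/"
    done
    mkdir -p "$dst/dev" "$dst/mnt/boot"   # devfs mount point, old-root mount point
}

# write_fstab DST ROOTDEV BOOTDEV: the fstab the page shows, for the new root.
write_fstab() {
    dst=$1 rootdev=$2 bootdev=$3
    printf '%s\n' \
        '# Device Mountpoint FStype Options Dump Pass#' \
        "$rootdev / ufs rw 1 1" \
        "$bootdev /mnt/boot ufs rw 2 2" > "$dst/etc/fstab"
}

# link_boot DST: DST/boot -> mnt/boot/boot. Relative on purpose: it resolves
# to DST/mnt/boot/boot now and to /mnt/boot/boot once DST is mounted as /.
link_boot() {
    ln -s mnt/boot/boot "$1/boot"
}

# boot_target DST: the link's target, for checking.
boot_target() {
    readlink "$1/boot"
}

if [ "${1-}" = "--real" ]; then
    # As on the page: run as root with the GELI root already mounted on /mnt.
    copy_root / /mnt
    mount /dev/ad0s1a /mnt/mnt/boot
    write_fstab /mnt /dev/ad0s1d.eli /dev/ad0s1a
    link_boot /mnt
fi
```

Run it as root with sh script.sh --real after mounting the GELI root on /mnt; without the switch it only defines the functions, which is what lets you try them on a scratch directory first and confirm that DST/boot resolves through mnt/boot/boot.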
Enable GELI root mounting
What's left is to tell the kernel to load GELI, tell GELI about the encrypted partition and the keyfile so it can ask you for the passphrase and create the /dev node, and tell the kernel to mount root from that block device. So we edit /boot/loader.conf (which still lives on the small root, the partition the loader boots from) to contain this;
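The listing itself is not present in this copy of the page. The following loader.conf is added here as an example, not copied from the page; it does what the three sentences above describe, using the page's device names and keyfile path, and the geli_<provider>_keyfile0_* variable names are the ones geli(8) documents for loading a keyfile at boot.

```conf
# Load the GELI class into the kernel before root is mounted.
geom_eli_load="YES"
# Preload /boot/key from the boot partition and hand it to GELI as keyfile 0
# for provider ad0s1d; the -b flag given at "geli init" makes GELI attach the
# provider (asking for the passphrase) as soon as it appears.
geli_ad0s1d_keyfile0_load="YES"
geli_ad0s1d_keyfile0_type="ad0s1d:geli_keyfile0"
geli_ad0s1d_keyfile0_name="/boot/key"
# Mount root from the decrypted device, not from the raw partition.
vfs.root.mountfrom="ufs:/dev/ad0s1d.eli"
```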
And it's done. Reboot, you'll be asked for the passphrase, and you'll land in the encrypted root filesystem.
Afterwards, you can access the original small root partition at /mnt/boot and wipe everything on it except the boot (/mnt/boot/boot) subdirectory, which holds the loader, the kernel and the keyfile.