FreeBSD 10 with Full Disk Encryption on UFS Filesystem

Since its release on 1/20/2014, I have been trying to install FreeBSD 10 on my HP Pavilion dm3-1130us notebook with ZFS because I wanted to utilize its full disk encryption; however, every time I try, it failed during the boot process with the following messages: gptzfsboot: error 66 lba 48 gptzfsboot: error 66 lba 1 gptzfsboot: No ZFS pools located, can't boot

I googled but couldn't find any solutions even now. If anyone knows how to resolve this, I'm all ears.

Disclaimer:
The information in this site is the result of my researches in the Internet and of my experiences. It is solely used for my purpose and may not be suitable for others. I will NOT take any responsibility of end result after following these steps (although I will try to help if you send me your questions/problems).

So for now, I'm going to install it with full disk encryption on UFS instead. After many trial and errors, I found steps that worked on my system (thanks to BSD Now). I'll just list commands below just in case the site becomes unavailable in the future (it happens!).

Installation:

Follow the installation until the partition menu. Choose shell to manually configure the disk encryption before the OS is installed.

To view a list of disk devices, run: # sysctl kern.disks

With a blank disk, run: # gpart create -s gpt ada0

Or destroy existing one: # gpart destroy -F ada0

Create 3 partitions. The first is for the boot record, the second is an unencrypted /boot partition (from which the kernel is loaded) and the third is the large encrypted partition for the rest of the OS and files. # gpart add -t freebsd-boot -s 512k -a 4k ada0 # gpart add -t freebsd-ufs -l bootfs -s 1g -a 1m ada0 # gpart add -t freebsd-ufs -l encrypted -a 1m ada0

Install the bootcode: # gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

Encrypt the partition: # geli init -b -s 4096 ada0p3 Enter passphrase: Reenter passphrase:

Attach the device: # geli attach ada0p3 Enter passphrase: cryptosoft0: on motherboard GEOM_ELI: Device ada0p3.eli created GEOM_ELI: Encryption: AES-XTS 128 GEOM_ELI: Crypto: software

Format the partitions: # newfs -U /dev/ada0p2 # newfs -U /dev/ada0p3.eli

Mount the partitions: # mount /dev/ada0p3.eli /mnt # mkdir /mnt/unenc # mount /dev/ada0p2 /mnt/unenc # mkdir /mnt/unenc/boot # ln -s unenc/boot /mnt/boot

Create the fstab file: # vi /tmp/bsdinstall_etc/fstab ---------------------------------------------------- # Device Mountpoint FStype Options Dump Pass# /dev/ada0p2 /unenc ufs rw,noatime 1 1 /dev/ada0p3.eli / ufs rw,noatime 2 2

Automatically load the kernel modules that are required for booting from an encrypted volume: # vi /tmp/bsdinstall_boot/loader.conf ---------------------------------------------------- geom_eli_load="YES" vfs.root.mountfrom="ufs:ada0p3.eli"

Exit out and follow the rest of installation. After rebooting, it should prompt for passphrase.

However, on my system there was a bit of gotcha after the reboot: FreeBSD10_encryption

As you might see in above image, some kernel messages followed right after the passphrase prompt. I did not realize this for a while and made me think that the encryption failed (and it took me a while to figure out...). To confirm the encryption is working, press Enter. The passphrase prompt shows up again: GEOM_ELI: Wrong key for ada0p3. Tries left: 2. Enter passphrase for ada0p3:

That's all!
-gibb

4 comments

  1. Erik

    Excelent guide, straight forward and works.

    But, why the need to create /unecn/boot and symlink rather than mount directly in /boot?

    Is there a way to create say, /home separate encrypted partition but automount with a key stored on the encrypted / ?

  2. Hal

    Hi, I ran across your website because I ran into the same problem! I also have an HP dm3-1130us. I’ve tried gpt ufs and it works fine but gpt with zfs, even manually creating the filesystems have thrown the same error. Did you ever find a solution?

    Thanks,

    Hal

  3. david

    This works great during the install but when I was looking to upgrade the system with freebsd-update it gave me a message saying “cannot identify running kernel”. I searched around and it seems the freebsd-update gets the kernel version from the kern.bootfile tunable and because /dev/ada0p2 was mount to /mnt/unenc but the mountpoint in /etc/fstab was /unenc then /boot was symlinked to the wrong path. I fixed the issue by symlinking /boot to /unenc/boot instead of /mnt/unenc/boot and the upgrade went smoothly

Post a comment

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>