FreeBSD Full-Disk Encryption on a UFS Root Partition

Dec 27, 2020 · 3 mins read

The FreeBSD community is quite adamant about the operating system’s ability to set up ZFS with ease and stability. So much so that it’s the default file system when using a guided full-disk encryption installation.

For an antiquated laptop with limited resources, I don’t really need the ZFS bloat, but I do understand its advantages. That’s why I created this concise guide for like-minded BSD users who prefer to revert to UFS while still maintaining stable full-disk encryption.

Setting up partitions

Once you’ve booted into the FreeBSD installer, drop into a Shell instead of doing the typical Install route:

FreeBSD Installer

Now that you are at the command line, you will need to figure out which block device is associated with your hard drive. You may do this using:

gpart show

Since ada0 is a typical example, we will go with this for now. To start from a clean state, it’s a good idea to destroy the current partition table and write a brand-new GPT table:

gpart destroy -F ada0
gpart create -s gpt ada0

If using a legacy BIOS, you can simply create a dedicated boot partition:

gpart add -t freebsd-ufs -l freebsd-boot -a 4k -s 200m ada0
newfs -t -U -L bootfs /dev/gpt/freebsd-boot

For those using a UEFI-only system, be sure to run this chain of commands before the step above:

gpart add -t efi -l freebsd-efi -a 4k -s 800k ada0
newfs_msdos /dev/gpt/freebsd-efi
mount -t msdosfs /dev/gpt/freebsd-efi /mnt
mkdir -p /mnt/EFI/BOOT
cp /boot/boot1.efi /mnt/EFI/BOOT/BOOTX64.efi
echo BOOTX64.efi > /mnt/EFI/BOOT/STARTUP.NSH
umount /mnt

When you have all that resolved, you are free to create the root partition for your hard drive (where your main files will be stored):

gpart add -t freebsd-ufs -l freebsd-root -a 4k ada0

GELI Encryption Setup

You should remain in the command line after creating your root partition.

Wrapping your root partition in an encrypted GELI container is as simple as running this command:

geli init -b -e AES-XTS -l 256 -s 4096 /dev/gpt/freebsd-root

You will then be asked to create a passphrase. Be sure to create something quite long and complex, yet easy enough to remember for daily use. With a strong passphrase, it is unlikely anyone will be able to read your files if your laptop is ever stolen.

Then let’s attach the partition so it’s usable by the installer:

geli attach /dev/gpt/freebsd-root

Now you may go ahead and format this container partition into the UFS file system:

newfs -t -U -L rootfs /dev/gpt/freebsd-root.eli

Now set a mount point to be used within the installer:

mount /dev/gpt/freebsd-root.eli /mnt

As a duct-tape hack, we also need to create a symbolic link to the boot loader’s directory:

mkdir /mnt/bootfs
mount /dev/gpt/freebsd-boot /mnt/bootfs
cd /mnt
mkdir bootfs/boot
ln -s bootfs/boot

To make the file system bootable, edit the fstab and loader.conf as so:

vi /tmp/bsdinstall_etc/fstab

and add the lines:

/dev/gpt/freebsd-root.eli /       ufs rw 1 1
/dev/gpt/freebsd-boot     /bootfs ufs rw 0 0

vi /tmp/bsdinstall_boot/loader.conf

and add the lines (the partition index in vfs.root.mountfrom must match the root partition’s number in gpart show: p3 when the EFI partition from above was created, p2 on the legacy BIOS layout with only the boot and root partitions):

geom_eli_load="YES"
vfs.root.mountfrom="ufs:ada0p3.eli"

Now you are free to issue the exit command within the shell to return to the original menu. This time, select the Install option and continue as if it were a regular installation.
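Because the partition index in vfs.root.mountfrom differs between the BIOS and UEFI layouts above, here is an added helper (not part of the original guide) that derives the value from `gpart show -l` output and checks a loader.conf against it. The gpart listings are constructed samples of the two layouts this guide produces; the function names are my own.

```sh
#!/bin/sh
# Added example: derive vfs.root.mountfrom from the partition layout so the
# index matches the GELI-wrapped root partition, then verify loader.conf.

# Constructed `gpart show -l ada0` output for the UEFI layout (efi, boot, root).
SAMPLE_GPART_UEFI='=>       40  500118112  ada0  GPT  (238G)
         40       1600     1  freebsd-efi   (800K)
       1640     409600     2  freebsd-boot  (200M)
     411240  499706912     3  freebsd-root  (238G)'

# Constructed output for the legacy BIOS layout (boot, root): root is p2.
SAMPLE_GPART_BIOS='=>       40  500118112  ada0  GPT  (238G)
         40     409600     1  freebsd-boot  (200M)
     409640  499708512     2  freebsd-root  (238G)'

# root_mountfrom DISK LABEL: read `gpart show -l DISK` on stdin and print
# the loader.conf value for the encrypted root, e.g. ufs:ada0p3.eli.
# Fails (exit 1) if no partition carries the label.
root_mountfrom() {
    awk -v disk="$1" -v label="$2" '
        $1 != "=>" && $4 == label { printf "ufs:%sp%s.eli\n", disk, $3; found = 1 }
        END { if (!found) exit 1 }'
}

# check_loader_conf EXPECTED: read loader.conf on stdin and confirm both
# settings this guide adds are present, with the root index matching EXPECTED.
check_loader_conf() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -qx 'geom_eli_load="YES"' \
        || { echo 'missing geom_eli_load="YES"' >&2; return 1; }
    printf '%s\n' "$conf" | grep -qxF "vfs.root.mountfrom=\"$1\"" \
        || { echo "vfs.root.mountfrom does not match $1" >&2; return 1; }
}

# Usage on a real system: gpart show -l ada0 | root_mountfrom ada0 freebsd-root
printf '%s\n' "$SAMPLE_GPART_UEFI" | root_mountfrom ada0 freebsd-root   # ufs:ada0p3.eli
printf '%s\n' "$SAMPLE_GPART_BIOS" | root_mountfrom ada0 freebsd-root   # ufs:ada0p2.eli
```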
