Installing FreeBSD 9.0 with encrypted root fs (all ufs)


  • FreeBSD 9.0 (beta 1 used here)
  • Encrypted Root
  • UFS
  • /boot unencrypted
  • GPT


Disk encryption protects the computer from physical data theft. If your laptop is stolen, you have some protection against your data getting into the wrong hands.

The hardware I use is rather old. The system has only 512G RAM and a 32 bit CPU, so ZFS is out of the question. The filesystem being used will be UFS.


  • download and burn the disk1 CD image. (alternatively, you could use a USB image, but my old hardware doesn’t like those)
  • start the installation


With FreeBSD 9, sysinstall is gone and replaced by bsdinstall. This makes installations with disk encryption a bit easier, mostly because the live environment is easier to use (loading modules and such).

Also, we don’t have to do everything from the live environment. Just the partitioning and some tweaks with the configs in the end.

(Note: With bsdinstall you can just press ‘enter’ to accept a screen)

  • In the “Welcome” menu, choose “Install”
  • Choose your keyboard layout
  • Type in your hostname
  • Choose the optional system components as you wish
  • When it comes to disk partitioning, choose “Shell” (key ‘s’)

setup information

The disk we use for the whole system is ‘ada0’. We’ll use GPT labels to make sure everything runs smoothly if we decide to change or add some hardware later.


Kernel modules get loaded automagically when we need them, so we can jump into action right away. What we need to do is:

  1. create gpt partition scheme
  2. create boot block
  3. create and format boot partition
  4. create and init encrypted volume
  5. format encrypted volume
  6. mount file systems to /mnt
  7. continue installation

(1) create gpt partition scheme

# gpart destroy -F ada0
# gpart create -s gpt ada0

(2) create boot block

# gpart add -t freebsd-boot -s 64k ada0
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

(3) create and format boot partition

# gpart add -t freebsd-ufs -s 256m -l boot ada0
# newfs -U gpt/boot
  (Note: we use the label 'boot' here)

(4) create and init encrypted volume

# gpart add -t freebsd-ufs -l enc ada0
  (Note: it's not an ufs volume, but a geli volume,
         dunno how to properly 'type' such a partition)
# geli init -bl 256 gpt/enc
  (set your password now)
# geli attach gpt/enc

(5) format encrypted volume

# newfs -U gpt/enc.eli
  (note the .eli !!!)

(6) mount file systems to /mnt

# mount /dev/gpt/enc.eli /mnt
# mkdir /mnt/boot2
# cd /mnt
# ln -s boot2/boot boot
# mount /dev/gpt/boot /mnt/boot2

(7) continue installation

# exit

The installation of the distribution sets will run now. Time to make a cup of coffee (on my hardware, at least).

Note: At some point here the screen was messed up by some debugging messages. At first, I thought it was a kernel panic, but somewhere on the screen things changed (progress bar was at 8 places, hard to describe..). Luckily, the installation continued and when I had to enter the root password, the screen was fine again. :-D

Config files

When you are at the “Final Configuration” screen, where you can go back to the earlier dialogs, choose “Shell” to change the config files. This puts us in a chroot of our installed system.

The files we need to visit are fstab(5) and loader.conf(5).


# vi /boot/loader.conf
  (note: the file didn't exist for me)

Now add the following lines:


Note: You MUST put the right side of the = in apostrophes. The file won’t parse otherwise!!!


# vi /etc/fstab

Add the following lines:

/dev/gpt/boot    /boot2   ufs    rw,noatime    1    1
/dev/gpt/enc.eli /        ufs    rw,noatime    1    1
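
A pre-reboot check for the two files edited above, as an added example that is not part of the original post. It assumes the usual loader variables for a GELI root, geom_eli_load and vfs.root.mountfrom, together with the fstab layout shown above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): check both files before rebooting.

# loader.conf(5) expects name="value"; a bare value is reported.
# ASSUMPTION: a GELI root needs geom_eli_load and vfs.root.mountfrom set.
check_loader_conf() {
    awk '
      /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
      !/^[ \t]*[A-Za-z0-9_.-]+="[^"]*"[ \t]*(#.*)?$/ {
          print "loader.conf line " NR ": value not in double quotes: " $0
          bad = 1; next
      }
      { split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); seen[kv[1]] = $0 }
      END {
          if (seen["geom_eli_load"] !~ /="YES"/) {
              print "loader.conf: geom_eli_load is not \"YES\""; bad = 1 }
          if (seen["vfs.root.mountfrom"] !~ /="ufs:\/dev\/[^"]*\.eli"/) {
              print "loader.conf: vfs.root.mountfrom is not a .eli device"; bad = 1 }
          exit bad + 0
      }' "$1"
}

# fstab: / must sit on the attached GELI provider (.eli), while /boot2 must
# stay on the plain partition, because the loader cannot read encrypted data.
check_fstab() {
    awk '
      /^[ \t]*#/ || /^[ \t]*$/ { next }
      $2 == "/"      { root = $1 }
      $2 == "/boot2" { boot = $1 }
      END {
          if (root !~ /\.eli$/) {
              print "fstab: / is not on a .eli device: " root; bad = 1 }
          if (boot == "" || boot ~ /\.eli$/) {
              print "fstab: /boot2 is missing or encrypted: " boot; bad = 1 }
          exit bad + 0
      }' "$1"
}

# Usage inside the installer chroot: sh check.sh /boot/loader.conf /etc/fstab
if [ $# -eq 2 ]; then
    check_loader_conf "$1" && check_fstab "$2" && echo "config looks bootable"
fi
```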


We’re done.

To reboot, enter:

# exit

and choose “Exit” (key ‘e’). Then “Reboot” (key ‘r’).

Useful tips

If your installation failed at some point and you need to make changes to the installed system from a live CD, having the wrong keyboard layout drives you insane. For German folks:

# kbdcontrol -l german.iso
