#8, 15th December 2012
silex (Port Guard, joined Mar 2012, posts: 18)

boot from usb to 100% encrypted laptop zfs over geli

Hi, here I describe the procedure to encrypt everything, including the FreeBSD system that I use on my laptop, and to use a USB key holding the bootcode, kernel and keys; you can detach the USB media after the system boots (btw you'll have to enter two passphrases).

Boot from a FreeBSD 9.x USB live disk (da0); the hard drive is ada0.

Code:
# gpart destroy -F ada0
# gpart create  -s GPT ada0
# gpart add -t freebsd-boot -l bootcode -s 128k ada0
# gpart add -t freebsd-swap -l swap   -s  8G ada0
# gpart add -t freebsd-zfs  -l system -s 10G ada0
# gpart add -t freebsd-zfs  -l local  ada0
# gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0
# glabel label -v system /dev/ada0p3
# glabel label -v local /dev/ada0p4

# dd if=/dev/zero of=/dev/da1
# gpart destroy -F da1
# gpart create  -s GPT da1
# gpart add -t freebsd-boot -l bootcode  -s 128k da1
# gpart add -t freebsd-ufs  -l cryptokey da1
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da1
# newfs /dev/da1p2
# glabel label -v cryptokey /dev/da1p2
# mkdir /media
# mount /dev/label/cryptokey /media
# mkdir -m 700 -p /media/boot/keys /media/backups
# mkdir /media/etc
# dd if=/dev/random of=/media/boot/keys/system.key bs=64 count=1
# dd if=/dev/random of=/media/boot/keys/local.key bs=64 count=1
# chmod 600 /media/boot/keys/*.key

# geli init -e aes -l 128 -K /media/boot/keys/system.key -b -s 4096 -B /media/backups/system.eli.meta /dev/label/system
# geli init -e aes -l 128 -K /media/boot/keys/local.key -b -s 4096 -B /media/backups/local.eli.meta /dev/label/local
# geli attach -k /media/boot/keys/system.key /dev/label/system
# geli attach -k /media/boot/keys/local.key /dev/label/local

# zpool create -f -o cachefile=/tmp/zpool.cache system /dev/label/system.eli
# zfs set mountpoint=none system
# zfs set checksum=fletcher4 system
# zfs set atime=off system
# zfs create system/ROOT
# zfs create -o mountpoint=/mnt system/ROOT/default
# zpool set bootfs=system/ROOT/default system

# zpool create -f -o cachefile=/tmp/zpool.cache local /dev/label/local.eli
# zfs set mountpoint=none local
# zfs set checksum=fletcher4 local
# zfs set atime=off local
# zfs create local/home
# zfs create -o mountpoint=/mnt/root local/root
# cd /usr/freebsd-dist/
# for T in base.txz kernel.txz; do
> tar --unlink -xvpJf ${T} -C /mnt
> done

# cp /tmp/zpool.cache /mnt/boot/zfs/

# cat << EOF >> /mnt/boot/loader.conf
> zfs_load=YES
> ahci_load=YES
> geom_eli_load=YES
> geli_label_system_keyfile0_load=YES
> geli_label_system_keyfile0_type="label/system:geli_keyfile0"
> geli_label_system_keyfile0_name="/boot/keys/system.key"
> geli_label_local_keyfile0_load=YES
> geli_label_local_keyfile0_type="label/local:geli_keyfile0"
> geli_label_local_keyfile0_name="/boot/keys/local.key"
> vfs.root.mountfrom="zfs:system/ROOT/default"
> EOF

# cat << EOF >> /mnt/etc/rc.conf
> zfs_enable=YES
> EOF

# echo /dev/ada0p2.eli none swap sw 0 0 > /mnt/etc/fstab

# cp -Rp /mnt/boot /media/
# cp /mnt/etc/rc.conf /media/etc/
# cp /mnt/etc/fstab /media/etc/

# zfs umount -a
# zfs set mountpoint=legacy system/ROOT/default
# zfs set mountpoint=/home local/home
# zfs set mountpoint=/root local/root
# reboot
Now enter the 2 passphrases to decrypt system (the FreeBSD OS) and local (/home and /root). As suggested above, make a virgin-state snapshot; also I would suggest using mtree to check that the kernel on the USB key wasn't tampered with to snoop your passphrases. I'll add the script later on if I'm able to edit the post. Best.
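The integrity check the post mentions at the end, as an added example that is not the poster's script (none was posted). It records a SHA-256 manifest of the boot tree on the USB key right after installation and later verifies that no file was modified, removed or added. It uses a plain checksum manifest instead of mtree so it also runs where mtree is absent; on FreeBSD the same job is done with `mtree -c -K sha256digest -p /media/boot > spec` and later `mtree -p /media/boot -f spec`. The paths `/media/boot` and `/media/boot.manifest` in the usage comment are assumptions taken from the post's layout, not part of the post.

```shell
#!/bin/sh
# Added example, not the original poster's script: detect changes to the
# unencrypted /boot tree (bootcode, kernel, loader.conf, key files) on the
# USB key between the time it was installed and the time it is booted from.

# Print the SHA-256 of one file with whichever tool the host provides.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                           # FreeBSD
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1           # GNU coreutils
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# build_manifest DIR OUTFILE
# Write one "hash path" line per regular file below DIR, sorted, with paths
# relative to DIR so the manifest stays valid wherever the key is mounted.
build_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done ) > "$out"
}

# verify_manifest DIR MANIFEST
# Return 0 only if every listed file still hashes the same and the set of
# files below DIR is exactly the set in the manifest. Findings go to stderr.
verify_manifest() {
    dir=$1; man=$2; rc=0
    while read -r want path; do
        have=$(cd "$dir" && hash_file "$path" 2>/dev/null)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED OR MISSING: $path" >&2
            rc=1
        fi
    done < "$man"
    # A file that is present now but was never recorded is also a finding
    # (a dropped-in kernel module or loader script, for example).
    now=$(cd "$dir" && find . -type f | LC_ALL=C sort)
    listed=$(cut -d' ' -f2- "$man")
    if [ "$now" != "$listed" ]; then
        echo "FILE SET CHANGED under $dir" >&2
        rc=1
    fi
    return "$rc"
}

# Assumed usage with the post's layout (paths are hypothetical):
#   bootcheck.sh build  /media/boot /media/boot.manifest   # once, after install
#   bootcheck.sh verify /media/boot /media/boot.manifest   # before trusting the key
case "${1:-}" in
    build)  build_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

Keep the manifest (or the mtree spec) somewhere other than the USB key itself, for example on the encrypted `system` pool or a second medium: anyone who can alter the kernel on the key can just as easily rewrite a manifest stored beside it, and the altered tree would then verify. The check only covers files on the key; it says nothing about the laptop's firmware or the live medium used to run it.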