On 9/23/07, Roland Smith <[EMAIL PROTECTED]> wrote:
> On Sun, Sep 23, 2007 at 05:59:01PM +0100, Gabriel Dragffy wrote:
> > This sounds good. How exactly did you manage to encrypt discs and then
> > install freebsd there? I can just about setup software raid once freebsd is
> > installed, but by then I am unable to use a hard drive because it already
> > has freebsd on it.
> There is no point in encrypting the whole harddisk. The OS and ports can
> be downloaded from the internet. No point in keeping them secret. They
> might in fact facilitate a known-plaintext attack.

I agree, I did it more as an exercise to learn more about the way
FreeBSD works. On my laptop I have only the /home partition encrypted.

To answer the original question, however, I always install FreeBSD via
a stage install. By that I mean that I don't actually use sysinstall
for the final system. I get a USB drive and install the base OS onto
that. Then I download the source for whichever FreeBSD version I want;
my laptop is running CURRENT, for example. Configure make.conf and
src.conf files, create a custom kernel, then make buildworld
buildkernel in /usr/src.

While the system is building I prepare the actual drive, or RAID
array, that the final OS will be installed to. Create your software
RAID volumes, partition (slice) everything, if I want to use geli for
encryption then I would overwrite the target partition with random
data before doing geli init. For my full-disk encryption I actually
overwrote the entire disk and skipped slicing altogether. The kernel
was later installed to a usb flash drive and the entire disk was used
for FreeBSD. So instead of specifying things like ad0s1a in fstab, I
simply used ad0a - no slices. The point is that unless someone
actually knew that I had FreeBSD installed there, without the flash
drive all the data on the disk looks like garbage. There isn't even a
mbr to indicate partition types. At any rate, it was a fun experiment.

So once the drives are configured, mount everything under /mnt and
wait for the source to finish building. After than, you can do `make
DESTDIR=/mnt installworld` and just like that, your new system is
ready. Well, not quite... Run `mergemaster -iD /mnt` to copy all
configuration files, installkernel with KODIR=/mnt/boot/kernel to
install the kernel, use fdisk or boot0cfg to install mbr code, and
finally 'bsdlabel -B ...' for the other boot stages.

Installing the system this way also allows you to configure some
things before that first boot. Technically, you can do the same thing
from single-user mode, but this way may be more convenient. When
you're ready, reboot, change the boot order in BIOS, if you configured
everything correctly your new system should boot up with no problems.

- Max
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to