Create encrypted geli zpool against single disk on FreeBSD 10.3
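#!/bin/sh
#
# Build an encrypted (geli) ZFS root on a single disk, FreeBSD 10.3.
#
# Resulting GPT layout on the target disk:
#   p1  EFI system partition carrying boot1.efi
#   p2  swap, encrypted at boot with a one-time key (see fstab below)
#   p3  unencrypted UFS partition mounted at /ufsboot: kernel, loader
#       files and the geli keyfile live here
#   p4  geli provider holding the zroot pool
#
# Usage: sh <this script> [disk]
#   disk  device name without /dev/ (default: ada0)
#
# Run from the installer's live shell. The target disk is WIPED.
# geli init is run without -P, so it also asks for a passphrase (and so
# does the attach and every boot); the keyfile stored on the unencrypted
# ufsboot partition is therefore not sufficient on its own to unlock p4.
# Fixes vs. the original: the shebang was missing its '!', and the
# script kept going after failed steps on a destructive path.

set -eu

disk=${1:-ada0}
dev=/dev/${disk}
keydir=/tmp/ufsboot/boot/geli
keyfile=${keydir}/${disk}p4.key

# Create partitions.
# A disk with no partition table makes 'gpart destroy' fail; that is fine.
gpart destroy -F "${dev}" 2>/dev/null || true
gpart create -s GPT "${dev}"
gpart add -t efi -s 100M -a 1M -l EFI "${dev}"
gpart add -t freebsd-swap -s 8G -a 1M -l freebsd-swap "${dev}"
gpart add -t freebsd-ufs -s 10G -a 1M -l freebsd-ufsboot "${dev}"
gpart add -t freebsd-zfs -a 1M -l freebsd-zfsgeli "${dev}"

# UEFI configuration: FAT16 ESP with the default EFI loader path.
newfs_msdos -F 16 -L FreeBSD_EFI "${dev}p1"
mkdir -p /tmp/efi
mount -t msdosfs "${dev}p1" /tmp/efi
mkdir -p /tmp/efi/EFI/BOOT
cp /boot/boot1.efi /tmp/efi/EFI/BOOT/BOOTX64.EFI
umount "${dev}p1"

# UFS boot partition (4K sectors to match the geli provider below).
newfs -L ufsboot -S 4096 "${dev}p3"
mkdir -p /tmp/ufsboot
mount "${dev}p3" /tmp/ufsboot

# AES-NI acceleration: optional, so an already-loaded or unavailable
# module must not abort the install.
kldstat -q -m aesni || kldload aesni || echo "warning: aesni not loaded" >&2

# geli keyfile: 64 random bytes, readable only by root/wheel.
mkdir -p "${keydir}"
chmod 750 "${keydir}"
dd if=/dev/random of="${keyfile}" bs=64 count=1
chmod 640 "${keyfile}"
# -b: attach at boot (loader prompts for the passphrase); -B is left at
# its default, so the metadata backup lands in /var/backups/<prov>.eli.
geli init -e AES-XTS -l 128 -s 4096 -b -K "${keyfile}" "${dev}p4"
cp "/var/backups/${disk}p4.eli" "${keydir}/"
geli attach -k "${keyfile}" "${dev}p4"

# ZFS pool on the encrypted provider, mounted under /mnt for the install.
zpool create -R /mnt -O canmount=off -O mountpoint=none -O atime=off \
  -O compression=lz4 zroot "${dev}p4.eli"
# Container for boot environments:
zfs create -o canmount=off -o mountpoint=none zroot/ROOT
# Default boot environment:
zfs create -o mountpoint=/ zroot/ROOT/master
# Things we want to be unique for each boot environment:
zfs create -o mountpoint=/usr/jails zroot/ROOT/master/jails
zfs create -o mountpoint=/usr/local zroot/ROOT/master/local
zfs create -o mountpoint=/usr/ports zroot/ROOT/master/ports
zfs create -o mountpoint=/var zroot/ROOT/master/var
zfs create -o mountpoint=/var/log zroot/ROOT/master/log
# Things we want to be common across boot environments:
zfs create -o mountpoint=/usr/home zroot/home
zfs create -o mountpoint=/usr/obj zroot/obj
zfs create -o mountpoint=/usr/ports/distfiles zroot/distfiles
zfs create -o mountpoint=/usr/src zroot/src
zfs create -o mountpoint=/tmp zroot/tmp
zfs create -o mountpoint=/var/tmp zroot/vartmp

# Re-mount the UFS boot partition inside the new root.
umount "${dev}p3"
mkdir -p /mnt/ufsboot
mount "${dev}p3" /mnt/ufsboot

echo "Installing FreeBSD!"
cd /mnt
for dist in base kernel; do
  tar -xf "/usr/freebsd-dist/${dist}.txz" -C .
done
# /boot must be on the unencrypted partition so the loader can read it;
# replace the extracted directory with a symlink into /ufsboot.
cp -a boot/* ufsboot/boot/
rm -rf boot
ln -s ufsboot/boot boot

cat << EOF > /mnt/etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/${disk}p2.eli none swap sw,ealgo=AES-XTS,keylen=128,sectorsize=4096 0 0
/dev/${disk}p3 /ufsboot ufs rw 1 1
EOF

# The keyfile path is relative to the ufsboot filesystem the loader reads.
cat << EOF > /mnt/boot/loader.conf
aesni_load="YES"
geom_eli_load="YES"
geli_${disk}p4_keyfile0_load="YES"
geli_${disk}p4_keyfile0_type="${disk}p4:geli_keyfile0"
geli_${disk}p4_keyfile0_name="/boot/geli/${disk}p4.key"
zfs_load="YES"
vfs.root.mountfrom="zfs:zroot/ROOT/master"
EOF

cat << EOF > /mnt/etc/rc.conf
zfs_enable="YES"
EOF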