Is full disk encryption with UFS possible?

[LucNix]

I'm sure you are going to say "YES" but please not so fast.

1. When installing FreeBSD 14.0, I am offered the choice between ZFS and UFS. If I select ZFS, the option to encrypt is there, very clear, impossible to miss. If I select UFS though, encryption is never mentioned at all. Does FreeBSD intend to "deprecate" (and eventually abandon) UFS?

2. I searched and found these among others:

FreeBSD 10 with Full Disk Encryption on UFS Filesystem |

HOWTO: Quick GELI encryption guide

There are many ways to do this, as presented on forum, but this is the simplest method I've used. This assumes you are using UFS for your disks. I will encrypt my AsusEEE which I carry with me everywhere and holds sensitive data. This guide will encrypt whole disk, while using another small...

forums.freebsd.org

And of course the official GELI documentation. I had to step away from the official GELI documentation because it's too difficullt for me to follow.

Both methods mentioned above involve using an unencrypted partition for /boot and an encrypted partition for everything else. However,

1. That's not what I want. If /boot is unencrypted, that is an obvious attack vector. The kernel could be easily tampered with. I want full encryption, EVERYTHING including boot.

2. I have installed FreeBSD with ZFS in the past and it did have full disk encryption, including boot.

So, can it be done with UFS? How?

TIA

 

[samjenk]

Does FreeBSD intend to "deprecate" (and eventually abandon) UFS?

To the best of my knowledge, no, but I think it's clear that it doesn't get the same attention that OpenZFS does. In more than one lecture of Kirk McKusick's, he talks about how UFS now really only makes sense in embedded or low-power applications, where you need to have a little code running as possible. The typical general-purpose server or high-end storage appliance is going to have plenty of resources enough to run OpenZFS, so it might as well, given all of the advantages it offers. That said, people definitely still use UFS; spin up an AWS EC2 instance from the AMI published by the FreeBSD Foundation and you see it's in use there.

So, can it be done with UFS? How?

The different treatment of UFS under encrypted GELI by the FreeBSD installer doesn't appear to be new. It was the topic of Thread 77940 back in 2020. That thread was never marked "solved", but there is a post at the end that tries to address a typo that the OP listed in his latest fix. Have you tried the procedure recommended there?

 

[LucNix]

Yes, I've seen those two videos. Both use unencrypted boot.

 

[T-Daemon]

2. I have installed FreeBSD with ZFS in the past and it did have full disk encryption, including boot.

Technically it's not a full disk encryption. The boot loader partitions are unencrypted, they can not be encrypted. What can be geli(8) encrypted to get a bootable system are system root partition(s), with UFS and ZFS file systems, including /boot, and other non-system partitions, like swap, additional partitions, whole disks also. Those can have FreeBSD native or third party application supported file systems. geli(8) doesn't care what file system is inside the provider.

It's possible to install a all partitions encrypted disk (one partition for root, one swap, eventually additional partitions) and the boot loader partition on a USB stick (to be removed when system powered down).

I've tried that in the past, but it requires a /boot partition on the USB stick (haven't tried encrypted /boot, though).

I also tried with a whole disk as a geli(8) provider, not partitions, for the root system. The partitioning scheme and partitions are created inside the attached geli(8) provider. But the loader couldn't find a partition to boot from. Apparently it isn't designed to find one that way.

But if one wants to conceal that a disk contains data files, then this would be the way to go. No partitions visible, plausible deniability (when disk geli(8) un-attached).

So, can it be done with UFS? How?

This is a all manually installation guide of a geli(8) configured Root-on-UFS (including /boot) and swap partitions encrypted system.

A semi-guided installation does not work (dropping at the "Partitioning" dialog to "Shell", manually partitioning, geli (8) initializing partitions, attaching them, etc., exit shell). The disk selection dialog does not list the geli(8) attached disk as a installation target.

• Boot installation media
• Choose "Live System" or change console: Alt + F5
• log in, user name: root

Create partitioning scheme
 
   gpart create -s gpt ada0

If system UEFI, add ESP partition
 
   gpart add -t efi -a 4k -l efi0 -s 260m ada0

If system BIOS (and optional on UEFI, to switch between systems) add freebsd bootstrap code partition
 
   gpart add -t  freebsd-boot -l boot0 -s 512k ada0

Add UFS root partition. Set N to size (in g or m) desired with space left for swap
 
   gpart add -t freebsd-ufs -l uroot0 -a 1m -s N ada0

Swap partition

  gpart add -t freebsd-swap -l swap0 ada0

  gpart show -p
    ada0p1  efi   (260M)
    ada0p2  freebsd-boot (512k)
            - free -
    ada0p3  freebsd-ufs  (nG)
    ada0p4  freebsd-swap (nG)

Format Efi System Partition

  newfs_msdos -c1 -F32 /dev/ada0p1

Create ESP directories

  mount_msdosfs /dev/ada0p1 /mnt
  mkdir -p /mnt/efi/freebsd
  mkdir /mnt/efi/boot

Copy efi boot loader

  cp /boot/loader.efi /mnt/efi/freebsd
  cp /boot/loader.efi /mnt/efi/boot/bootx64.efi
  umount /mnt

Copy freebsd bootstrap code for BIOS (optional on UEFI)

  gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 2 ada0

Number of -i may vary, depending on the order and number of partitions

Initilize geli(8) swap provider

  geli onetime -l 128 ada0p4

Initilize geli(8) system root provider

  geli init -g -l 256 -s 4096 ada0p3
  password

Attach geli(8) system root provider

  geli attach ada0p3

Create UFS file system in provider

  newfs -jU /dev/ada0p3.eli

Mount file system

  mkdir /tmp/a
  mount /dev/ada0p3.eli /tmp/a

Extract base and kernel distribution sets (if wish, all the other)

  cd /usr/freebsd-dist
  tar xfC base.txz /tmp/a
  tar xfC kernel.txz /tmp/a

chroot(8) into new system

  chroot /tmp/a

Set system bootstrap configuration information
Use ee(1) instead of vi(1) if unfamiliar with vi

  vi /boot/loader.conf

    geom_eli_load="YES"
    cryptodev_load="YES"

Set static file system information

  vi /etc/fstab

    /dev/ada0p3.eli   /            ufs     rw     1     1
    /dev/ada0p4.eli   none         swap    sw     0     0
    /dev/ada0p1       /boot/efi    msdosfs rw     2     2

Set root password

  passwd

Exit chroot(8), boot into new system, configure system manually or guided (bsdconfig(8)).

When initializing geli provider, instead of disk names, gpt labels can be used

gpart show -l

  1  efi0
  2  boot0
  3  uroot0
  4  swap0

  geli init -b -g -l 256 -s 4096 gpt/uroot0
  geli attach gpt/uroot0
 
  newfs -jU /dev/gpt/uroot0.eli

  mount /dev/gpt/uroot0.eli /tmp/a

 fstab
   /dev/gpt/uroot0.eli ....
   /dev/gpt/swap0.eli  ....
   /dev/gpt/efi0       ....

For command details see the corresponding manuals.

 

[weberjn]

Another option is to reboot -r into an geli encrypted partition. Two systems on two partitions, the first unencrypted, the second geli.

Boot from the un-encrypted partition, from there type in password to unlock geli partition and reboot -r into it.