소프트웨어 FreeBSD 설치때, io에러 해결설명(펌)
2013.04.23 01:29
https://www.dan.me.uk/blog/2012/05/05/full-disk-encryption-in-freebsd-9-x-well-almost/
https://lists.freebsd.org/pipermail/freebsd-questions/2011-December/235919.html
https://www.tldp.org/HOWTO/Linux+FreeBSD-2.html
https://www.wonkity.com/~wblock/docs/html/disksetup.html
우리말이 아니라 좀 그렇지만...
안돌아가는 머리에 쥐 좀 날듯,ㅎ
설명의 요점은 초기 설치시에 GPART 가 에러를 유발하는것을 무시하고,
그냥은 안되니, 라이브시디로 들어가서 수동으로
이미 있어가지고, 에러나 만들고 있는넘을 강제로 지워버리고,
새로 만들어서 비번 만드는 작업이랑 모든것을 하라는 얘기 같은데,
저도 이젠 시간날때봐서 한번 해봐야 할것같습니다.
Full disk encryption in FreeBSD 9.x (well, almost!)
This article will tell you how to fully encrypt your hard disk in FreeBSD 9.x.
When I say ‘fully’, I mean as close as possible.
It will leave the bootloader and /boot folder unencrypted,
but everything else will be encrypted (including your swap space).
Basically, all your data is encrypted and that’s the point…
Boot from any FreeBSD 9 install medium (except bootonly),
and choose Live CD at the installer menu.
For this article, I will assume you’re using the /dev/ada0 disk,
a 10GB /boot, a 4GB swap and remaining disk encrypted.
The contents will be encrypted using AES-XTS 256-bit encryption
with a 4 kilobit random data partial key and a passphrase
(required to type on boot).
This method requires no external data
(no USB sticks, no bootable CDs to boot the OS)
? but does not offer two factor authentication
which is better than this method.
For general encryption needs, this method is more than sufficient.
Note that more recent CPUs support AESNI flag for offloading.
As GELI uses the crypto(4) framework,
the OS will utilise this function of your CPU
to assist the encryption to decrease CPU load.
First, we need to remove any existing
GPT or MBR partition tables on the disk
? ignore any ‘invalid argument’ messages you get at this stage:
gpart destroy -F ada0
Now we need to initialise a new GPT partition table, as follows:
gpart create -s gpt ada0
We will now create a 64kb boot partition (this contains the boot loader only,
so is safe and required to be unencrypted):
gpart add -s 128 -t freebsd-boot ada0
Next, we will create the /boot partition
? you can adjust the sizes here if you need,
but i’d suggest not shrinking it too much
or you’ll get into problems when doing OS upgrades later…
gpart add -s 10G -t freebsd-ufs ada0
Now for a swap partition. Again, you can adjust the size if needed.
This will be encrypted during boot with a one-time 256bit key.
gpart add -s 4G -t freebsd-swap ada0
Finally, we assign the remaining data to a partition.
This will form the entire disk (excluding /boot)
and will be encrypted shortly.
gpart add -t freebsd-ufs ada0
OK, so we’ve created… ada0p1 (bootloader),
adap2 (unencrypted /boot partition), adap3 (swap partition)
and adap4 (encrypted disk partition).
We need to write the boot loader to the disk now:
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0
Now we need to format the /boot partition:
newfs -O2 -U -m 0 -j /dev/ada0p2
And temporarily mount it as /mnt:
mount /dev/ada0p2 /mnt
Now we will create a 4kb random data file
that will form part of the encryption key:
dd if=/dev/random of=/mnt/encryption.key bs=4096 count=1
Now we’re in a position to encrypt the main disk.
This part will ask for a passphrase twice to complete:
kldload geom_eli
geli init -a HMAC/SHA256 -b -B /mnt/ada0p4.eli -e AES-XTS -K /mnt/encryption.key -l 256 -s 4096 /dev/ada0p4
geli attach -k /mnt/encryption.key /dev/ada0p4
You will receive some messages on the console
about checksum mismatches
? this is normal and please ignore them.
If you have time, I recommend writing the entire disk
with random data to initialise the checksums.
This is a VERY time consuming step ? you can skip it if you wish, but it is recommended:
dd if=/dev/random of=/dev/ada0p4.eli bs=1m
Next we will unmount the old parition so we can mount the new “root” after formatting
(and re-mount the /boot partition too):
umount /mnt
newfs -O2 -U -j -m 6 /dev/ada0p4.eli
mount /dev/ada0p4.eli /mnt
mkdir /mnt/bootdir
mount /dev/ada0p2 /mnt/bootdir
OK, we’re ready to install the OS files onto the disk now…
We will install the base, kernel, src and ports tarballs as follows:
cd /mnt
unxz -c /usr/freebsd-dist/base.txz | tar xpf -
unxz -c /usr/freebsd-dist/kernel.txz | tar xpf -
unxz -c /usr/freebsd-dist/src.txz | tar xpf -
unxz -c /usr/freebsd-dist/ports.txz | tar xpf -
Note: this can take a while (especially the ports extraction)
so please be patient.
If you’d like to see some kind of progress, change the “xpf” to “xvpf”
and it will scroll the files to the screen as they are extracted.
Now we have to move the /boot folder to the unencrypted partition
(it’s really not much use if it’s encrypted!)
? we will also move the keyfile and backup file into the /boot folder:
mv boot bootdir/
ln -fs bootdir/boot
mv encryption.key ada0p4.eli bootdir/boot/
Now we need to prepare a few things in the installed OS
? so we will chroot into the folder:
chroot /mnt
We need to tell the boot loader to load kernel modules for decryption,
and also tell it about the keyfile for the partition…
edit the file /boot/loader.conf and enter the following:
vfs.root.mountfrom=”ufs:/dev/ada0p4.eli”
aesni_load=”YES”
geom_eli_load=”YES”
geli_ada0p4_keyfile0_load=”YES”
geli_ada0p4_keyfile0_type=”ada0p4:geli_keyfile0″
geli_ada0p4_keyfile0_name=”/boot/encryption.key”
Now we need to tell the system
to encrypt our swap space using a one-time key
on each boot (note: this prevents system dumps from working)
… edit /etc/rc.conf and enter:
geli_swap_flags=”-e AES-XTS -l 256 -s 4096 -d”
Next we need to tell the system our mountpoints…
edit the file /etc/fstab and enter:
# Device Mountpoint FStype Options Dump Pass#
/dev/ada0p4.eli / ufs rw 0 0
/dev/ada0p2 /bootdir ufs rw 1 1
/dev/ada0p3.eli none swap sw 0 0
Now we need to initialise a few things… let’s start by setting the root password:
passwd root
And configuring your timezone:
tzsetup
And initialise the sendmail aliases file:
cd /etc/mail
make aliases
You can do any other system setup you need now, such as adding users,
configuring SSH or networking… when you’re done:
exit
Now we’re done, we can reboot…
reboot
On boot, you will see a prompt for:
Enter passphrase for ada0p4:
Note, however, that devices are still being detected while this occurs
so it may scroll off the screen (usually while detecting USB devices)
? this doesn’t affect your ability to enter the passphrase,
but can be confusing if you’re not expecting it!
Once the system is up and running, you can use it as normal.
The only point to note is that when you do an OS upgrade,
during the “mergemaster” stage,
it will complain that /boot is a symlink not a directory.
Simply tell it to ignore/do nothing and it will install the files as normal.
댓글 [0]
번호 | 제목 | 글쓴이 | 조회 | 추천 | 등록일 |
---|---|---|---|---|---|
[공지] | 사용기/설치기 이용안내 | gooddew | - | - | - |
1559 | 하드웨어| 컴조립시 사타포트 연결순서도 중요한것 같아요. [3] |
|
6320 | 0 | 06-03 |
1558 | 하드웨어| 메인보드가 바뀌어도 인증은 유지됩니다.^^.. [16] |
|
6141 | 0 | 05-29 |
1557 | 소프트웨어| 하드디스크 손상! 파일 복구 일지 [9] | 도라란 | 5869 | 0 | 05-26 |
1556 | 하드웨어| usb 외장하드 보다는 크래들이 멋지군요.. [12] |
|
5547 | 0 | 05-24 |
1555 | 소프트웨어| Win8MpeL 1.0 사용기 [27] | 루로우니 | 6867 | 0 | 05-20 |
1554 | 윈 도 우| 이젠 IE8로 작동안되는곳들이있네요 [5] | 칼슘 | 3698 | 0 | 09-26 |
1553 | 소프트웨어| 리눅스 민트에서 한글2010(수식 작성, 편집가능) 사용하기 [12] | 언제나당당 | 6958 | 0 | 05-08 |
1552 | 소프트웨어| 리눅스 민트 생각하시는 분들...... [4] | 언제나당당 | 5020 | 0 | 05-02 |
1551 | 소프트웨어| 리룩스 민트와 우분투의 차이...... [8] | 언제나당당 | 4948 | 0 | 05-02 |
1550 | 소프트웨어| win8 32비트에서 4기가 메모리 패치하기.. [5] |
|
7120 | 0 | 04-29 |
1549 | 하드웨어| 이지넷유비쿼터스 NEXT-852DCU3 USB 3.0 (하드미포함) [3] | 하늘보기 | 5876 | 0 | 04-30 |
1548 | 소프트웨어| Hi-DPI 모니터 화대화면에서의 4대 브라우저 비교. [3] | 빛과그림자 | 4197 | 0 | 09-08 |
1547 | 소프트웨어| 데비안의 APT-GET 은 유료 인지, 무료 인지 헷갈립니다. [2] | ㅇㅁㅁ | 3529 | 0 | 04-24 |
1546 | 소프트웨어| 크롬은 탭으로 열도록 강제 [5] | 공초 | 4472 | 0 | 04-23 |
1545 | 하드웨어| Transcend TS-RDF5 USB 3.0 + 삼성전자 micro SDHC Plus CL... [2] | 직장인 | 5203 | 0 | 04-23 |
» | 소프트웨어| FreeBSD 설치때, io에러 해결설명(펌) | ㅇㅁㅁ | 4821 | 0 | 04-23 |
1543 | 소프트웨어| 크롬, 웹마2, 기본 인터넷 익스플러 3가지 설치 비교 후 ... [20] |
|
4814 | 0 | 04-23 |
1542 | 소프트웨어| Snapshot 이것도 간편하고 좋은것같네요.(본인컴에서만) [2] |
|
4697 | 0 | 04-04 |
1541 | 소프트웨어| boot/bcd 에러 고군분투기..... [6] | 윈땡 | 9390 | 0 | 04-04 |
1540 | 소프트웨어| 동방전패님 포터블 윈도우 미디어 64비트 사용 관련 리뷰입... [18] |
|
7381 | 0 | 04-04 |