Since I need a small partition to host Linux for Skype and other blobby software, I cannot fully encrypt my drive with softraid. Instead, I create a partition as large as possible to hold /home and encrypt that.
For reference, my partitions and their sizes are as follows (sd0b, an 8G swap partition, is not listed by df):
Filesystem   Size    Used   Avail  Capacity  Mounted on
/dev/sd0a    2.9G    1.2G    1.6G    42%     /
/dev/sd0d    2.9G   79.3M    2.7G     3%     /tmp
/dev/sd0f    9.8G    1.9G    7.5G    20%     /usr
/dev/sd0l    486M    262M    200M    57%     /usr/X11R6
/dev/sd0g   14.8G   13.2G    869M    94%     /usr/local
/dev/sd0e    486M   92.0M    370M    20%     /var
/dev/sd1a    325G    272G   36.3G    88%     /home
As you can see, /home lives on a different device, /dev/sd1a. In this page I explain step by step how to get any partition encrypted and mounted at boot (I'll be using /home for the example).
After the usual installation, first you have to change the FS type of the partition you want to encrypt to RAID:
# disklabel -E /dev/sd0c
Label editor (enter '?' for help at any prompt)
> m h
offset: [39375296]
size: [460742208]
FS type: [4.2BSD] RAID
> w
> q
Overwrite it with random data:
# umount /home/
# dd if=/dev/random of=/dev/rsd0h bs=4m
Choose a passphrase and attach the CRYPTO volume:
# bioctl -c C -l /dev/sd0h softraid0
New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd1
Note that the new volume is sd1; don't confuse it with sd0 from now on. This is your new volume.
Zero out the first megabyte as well and create a partition "a":
# dd if=/dev/zero of=/dev/rsd1c bs=1m count=1
1+0 records in
1+0 records out
1048576 bytes transferred in 0.017 secs (59328731 bytes/sec)
# fdisk -iy sd1
Writing MBR at offset 0.
# disklabel -E sd1
Label editor (enter '?' for help at any prompt)
> a a
offset: [64]
size: [460728071]
FS type: [4.2BSD]
Rounding size to bsize (64 sectors): 460728064
> w
> q
No label changes.
Create the new file system:
# newfs /dev/rsd1a
Comment out /home, or delete it, from /etc/fstab and then add these bits to /etc/rc.local:
# Attach the CRYPTO volume (bioctl prompts for the passphrase on the console);
# the disk is addressed by its DUID, not by /dev/sd0h.
for attempt in 1 2 3 4; do
bioctl -c C -l df31d27ca420f865.h softraid0 && break
sleep 1
done
/usr/games/fortune -o
# Give the kernel a moment to register the new sd device before checking it.
sleep 3
fsck /dev/rsd1a
# Mount by the DUID of the decrypted volume, so a plugged-in USB disk
# taking sd1 does not make us mount the wrong thing.
mount -o nodev,nosuid,softdep cd321eba8d5d7422.a /home
The system will give up after four failed attempts. I got this last piece from Eric Radman. It is a good idea to use the uid format instead of /dev/sd1, because the next time you plug in, say, a USB drive, the device numbering may change and the system might get confused. The line with fortune -o is there to make your day more interesting.
You can retrieve the uid of the disk by running
disklabel sd0a | grep uid
and of the encrypted partition by running
disklabel sd1a | grep uid
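The rc.local snippet above relies on DUIDs precisely because sd1 may belong to a USB stick on the next boot. As an added example (not from the original post), here is a small POSIX sh helper that resolves a DUID through OpenBSD's `sysctl hw.disknames` output, so a boot script can confirm the CRYPTO volume really attached, and under which sdN, before running fsck and mount. The two DUIDs are the ones used in the post; the hw.disknames strings in the demo are constructed so it runs offline, and the USB stick's DUID is made up.

```sh
#!/bin/sh
# Added example, not part of the original post.
# On OpenBSD, `sysctl -n hw.disknames` prints something like
#   sd0:df31d27ca420f865,sd1:cd321eba8d5d7422,cd0:
# i.e. "device:duid" pairs separated by commas. A softraid CRYPTO volume
# only appears in that list after bioctl has attached it.

# duid_to_dev DUID [DISKNAMES]
# Prints the device (sd0, sd1, ...) that currently carries DUID, or
# returns 1 if no attached disk has that DUID. DISKNAMES defaults to the
# live sysctl output; tests pass a constructed string instead.
duid_to_dev() {
    _duid=$1
    _names=${2:-$(sysctl -n hw.disknames)}
    _dev=$(printf '%s\n' "$_names" | tr ',' '\n' |
           awk -F: -v d="$_duid" '$2 == d { print $1; exit }')
    [ -n "$_dev" ] && printf '%s\n' "$_dev"
}

# crypto_volume_attached CRYPTO_DUID [DISKNAMES]
# Succeeds only if the decrypted volume's DUID is visible, which is the
# real check that bioctl did its job; use it in rc.local before fsck/mount.
crypto_volume_attached() {
    duid_to_dev "$1" "$2" >/dev/null
}

# Demo with constructed sysctl output: before bioctl only the physical
# disk (DUID from the post) exists; afterwards, with a USB stick plugged
# in (made-up DUID 9f0e5e3b1a2c4d6e), the CRYPTO volume lands on sd2.
BEFORE='sd0:df31d27ca420f865,cd0:'
AFTER_USB='sd0:df31d27ca420f865,sd1:9f0e5e3b1a2c4d6e,sd2:cd321eba8d5d7422,cd0:'

if crypto_volume_attached cd321eba8d5d7422 "$BEFORE"; then
    echo "unexpected: CRYPTO volume visible before bioctl"
else
    echo "before bioctl: CRYPTO volume not present (expected)"
fi
# Prints sd2, not sd1: a hard-coded /dev/sd1a would hit the USB stick.
echo "after bioctl: CRYPTO volume is $(duid_to_dev cd321eba8d5d7422 "$AFTER_USB")"
```

In rc.local the same check reads `crypto_volume_attached cd321eba8d5d7422 || exit`, placed after the bioctl loop and before fsck.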