
Geli only ZFS boot Freebsd 11-Current

Ya, this doesn't work any more.
The FreeBSD GPT bootloader can now quite easily boot off GELI-encrypted ZFS pools. These instructions are quite terse.

  • Install using the latest 11-Current ISO. When choosing the disk layout, choose auto root on ZFS with encryption.
  • Remove all geli_* entries and change geom_eli_passphrase_prompt="YES" to geom_eli_passphrase_prompt="NO" in loader.conf.
  • Grab the latest sources.
  • Recompile and install the latest 11-Current, including the boot parts.
  • Copy /boot from bootpool to zroot and destroy the bootpool; we'll be booting from the encrypted zroot from now on.
  • Install the latest gptzfsboot and remove the keyfile-based key on the zroot partition.
  • Finally we destroy the partition holding the old boot environment.

vi /boot/loader.conf  
svn checkout https://svn.freebsd.org/base/head/ /usr/src/  
cd /usr/src  
make -j 4 buildworld  
make -j 4 buildkernel KERNCONF=GENERIC-NODEBUG  
make installkernel KERNCONF=GENERIC-NODEBUG  
make -C sys/boot install  
make installworld  
gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0  
geli setkey /dev/ada0p4  
rm /boot  
cp -r /bootpool/boot/ /  
zpool destroy bootpool  
gpart delete -i 2 ada0 # remove the zfs-boot partition  
reboot  
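The loader.conf step above is the one that is easy to get wrong by hand, since the installer writes several geli_* keyfile entries that must all go. The following script is an added example, not part of the original post: it rewrites a loader.conf the way the second step describes (drop the geli_* keyfile lines, flip the passphrase prompt to NO) and then checks the result before it would be copied into place. The sample loader.conf contents, the function names and the temp-file paths are constructed for the example; run it against a copy of your real file first.

```shell
#!/bin/sh
# Added example (not from the original post): apply the loader.conf edit
# described in the post's second step and sanity-check the result.
# The sample loader.conf below is constructed; its entries mirror what a
# bsdinstall "root on ZFS with encryption" layout typically writes.

# rewrite_loader_conf SRC DST
# Drops every geli_* line (the keyfile-loading entries) and changes
# geom_eli_passphrase_prompt from YES to NO. All other lines pass through.
rewrite_loader_conf() {
    src="$1"; dst="$2"
    sed -e '/^geli_/d' \
        -e 's/^geom_eli_passphrase_prompt="YES"/geom_eli_passphrase_prompt="NO"/' \
        "$src" > "$dst"
}

# check_loader_conf FILE
# Returns 0 when no geli_* entries remain, geom_eli and zfs are still loaded
# (removing those would leave the pool unbootable), and the prompt is off.
check_loader_conf() {
    f="$1"
    if grep -q '^geli_' "$f"; then return 1; fi
    grep -q '^geom_eli_load="YES"' "$f" || return 1
    grep -q '^zfs_load="YES"' "$f" || return 1
    grep -q '^geom_eli_passphrase_prompt="NO"' "$f" || return 1
    return 0
}

# demo: build a constructed sample loader.conf in a temp dir, rewrite it,
# print the result and return the check's exit status.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/loader.conf.orig" <<'EOF'
aesni_load="YES"
geom_eli_load="YES"
geom_eli_passphrase_prompt="YES"
geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key"
vfs.root.mountfrom="zfs:zroot/ROOT/default"
zfs_load="YES"
EOF
    rewrite_loader_conf "$tmp/loader.conf.orig" "$tmp/loader.conf"
    check_loader_conf "$tmp/loader.conf"
    rc=$?
    cat "$tmp/loader.conf"
    rm -rf "$tmp"
    return $rc
}

demo
```

Only the keyfile entries are removed; geom_eli_load and zfs_load stay, because the kernel still needs both modules to attach the encrypted provider and import zroot once gptzfsboot has taken the passphrase.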

Good luck and have fun!
I tested this in VirtualBox.

Credit goes to Allan Jude and his persistence in implementing the bootcode.
Allan Jude - AsiaBSDCon2016_geliboot.pdf
