Support #799

Dual Boot Windows 10 and PCBSD With GELI Encrypted ZFS Root

Added by Daniel Curtis over 4 years ago. Updated over 4 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
3.00 h
Spent time:


This is a guide on how I set up my laptop to dual boot Windows 10 and PCBSD with a GELI encrpyted ZFS root on a Dell Inspiron 15-3521 UEFI based system.

The setup uses Windows 10 as the primary OS, but the PCBSD partition will booted from a USB flash drive. This guide assumes that the Windows 10 partition has been installed and adequately shrunk.

  • When the PCBSD Installation message appears, choose Text Install / Emergency Console.
  • Select Utility then Shell.
  • Get a list of available drives:
    camcontrol devlist
    • Example output:
      <VB0250EAVER HPG9>                 at scbus0 target 0 lun 0 (pass0,ada0)
      <Sony USB Stick>                   at scbus6 target 0 lun 0 (pass4,da0)


  • Create the swap slice:
    gpart add -s 4G -t freebsd-swap -a 4k -l swap0 ada0
    • Example output:
      ada0p8 added
  • Encrypt the swap space:
    geli onetime -d -e AES-XTS -l 256 -s 4096 /dev/gpt/swap0

USB Bootloader

  • Create the boot partition and install the bootcode on the USB drive:
    gpart create -s gpt da0
    gpart add -l gptboot0 -s 512k -t freebsd-boot -a 4k da0
    gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 da0
    gpart set -a bootme -i 1 da0 
  • Create the ZFS bootpool on the USB drive and mount it:
    gpart add -l boot0 -t freebsd-zfs da0
    mkdir -p /tmp/mnt/bootpool
    zpool create -m none -o altroot=/tmp/mnt/bootpool bootpool /dev/gpt/boot0
    mkdir -p /tmp/mnt/bootpool/boot/zfs
    mount_nullfs /tmp/mnt/bootpool/boot/zfs /boot/zfs


  • Create the disk0 slice:
    gpart add -t freebsd-zfs -a 4k -l disk0 ada0
    • Example output:
      ada0p9 added
  • Encrypt the OS slice:
    mkdir /tmp/mnt/bootpool/boot/metadata_backup
    geli init -b -s 4096 -e AES-XTS -l 256 -B /tmp/mnt/bootpool/boot/metadata_backup/ada0p9.eli /dev/ada0p9
    • NOTE: This will store a copy of the GELI metadata on the USB drive, in case bad things happen.
  • Attach the encrypted slice:
    geli attach /dev/ada0p9
  • Create the xpool ZFS pool on top of the GELI encrypted slice, then export it:
    mkdir -p /tmp/mnt/xpool
    zpool create -o altroot=/tmp/mnt/xpool -o cachefile=/tmp/zpool.cache -m none -f xpool /dev/ada0p9.eli 
    zpool export xpool
  • Next import the xpool ZFS pool and create the root dataset and settings:
    zpool import -o altroot=/tmp/mnt/xpool -o cachefile=/tmp/zpool.cache xpool
    zpool set bootfs=xpool xpool
    zfs set checksum=fletcher4 xpool
    zfs set atime=off xpool
    zfs create xpool/ROOT
    zfs set mountpoint=/ xpool/ROOT
    • Then create some additional system datasets:
      zfs create -o canmount=off xpool/ROOT/usr 
      zfs create -o canmount=off xpool/ROOT/var 
      zfs create -o compression=on   -o exec=on  -o setuid=off xpool/ROOT/tmp 
      zfs create -o compression=gzip -o setuid=off  xpool/ROOT/usr/ports 
      zfs create -o compression=off  -o exec=off -o setuid=off xpool/ROOT/usr/ports/distfiles 
      zfs create -o compression=off  -o exec=off -o setuid=off xpool/ROOT/usr/ports/packages 
      zfs create -o compression=gzip -o exec=off -o setuid=off  xpool/ROOT/usr/src 
      zfs create -o compression=lzjb xpool/ROOT/usr/obj
      zfs create -o compression=lzjb -o exec=off -o setuid=off xpool/ROOT/var/crash 
      zfs create -o compression=off  -o exec=off -o setuid=off xpool/ROOT/var/empty 
      zfs create -o compression=lzjb -o exec=on  -o setuid=off xpool/ROOT/var/tmp 
  • Set the permissions of the temp directories in the zfs mount:
    chmod 1777 /tmp/mnt/xpool/tmp 
    chmod 1777 /tmp/mnt/xpool/var/tmp 
  • Remount the bootpool:
    umount /boot/zfs
    mkdir /tmp/mnt/xpool/bootpool
    zfs set mountpoint=/tmp/mnt/xpool/bootpool bootpool
    zpool export bootpool
    zpool import bootpool
    mkdir -p /tmp/mnt/xpool/bootpool/boot/zfs
    mount_nullfs /tmp/mnt/xpool/bootpool/boot/zfs /boot/zfs
  • Extract the base.txz and kernel.txz to the zfs root to install the base system:
    cat /dist/base.txz | tar --unlink -xpJf - -C /tmp/mnt/xpool
    cat /dist/kernel.txz | tar --unlink -xpJf - -C /tmp/mnt/xpool

Post-Installation Setup

  • Chroot into the xpool:
    chroot /tmp/mnt/xpool
  • Copy the install bootload files over to the bootpool, then create a /boot symlink:
    cd /
    rm -r boot/zfs
    mv boot/* bootpool/boot/
    rm -r boot
    ln -sf bootpool/boot
  • Create an fstab file:
    vi /etc/fstab
    • And add the swap partition definition:
      /dev/ada0p8.eli        none    swap    sw    0   0
  • Add the initial system configuration:
    echo 'zfs_enable="YES"' >> /etc/rc.conf 
    echo 'sshd_enable="YES"' >> /etc/rc.conf 
    echo 'hostname=""' >> /etc/rc.conf
  • Add the bootloader config:
    echo 'geom_eli_load="YES"' >> /boot/loader.conf
    echo 'zfs_load="YES"' >> /boot/loader.conf 
    echo 'vfs.root.mountfrom="zfs:xpool/ROOT"' >> /boot/loader.conf
    echo 'zpool_cache_load="YES"' >> /boot/loader.conf
    echo 'zpool_cache_type="/boot/zfs/zpool.cache"' >> /boot/loader.conf
    echo 'zpool_cache_name="/boot/zfs/zpool.cache"' >> /boot/loader.conf


  • Show what network interfaces are available:
    • NOTE: This guide uses em0 for the ethernet interface and ath0 as the wireless interface.


  • Add the em interface driver to the bootloader config:
    echo 'if_em_load="YES"' >> /boot/loader.conf
  • Setup ethernet networking using DHCP:
    echo 'ifconfig_em0="DHCP"' >> /etc/rc.conf
    echo 'hostname=""' >> /etc/rc.conf
  • (Optional) Setup networking using a static IP address instead:
    echo 'ifconfig_em0="inet netmask broadcast"' >> /etc/rc.conf 
    echo 'defaultrouter=""' >> /etc/rc.conf 
    echo 'hostname=""' >> /etc/rc.conf
    echo 'nameserver' >> /etc/resolv.conf


  • Add the ath interface driver and the wireless cryptographic modules to the bootloader config:
    echo 'if_ath_load="YES"' >> /boot/loader.conf
    echo 'wlan_ccmp_load="YES"' >> /boot/loader.conf
    echo 'wlan_tkip_load="YES"' >> /boot/loader.conf
  • Setup wireless networking using WPA and DHCP:
    echo 'wlans_ath0="wlan0"' >> /etc/rc.conf
    echo 'ifconfig_wlan0="WPA SYNCDHCP"' >> /etc/rc.conf
  • Create a wpa_supplicant.conf file:
    vi /etc/wpa_supplicant.conf
    • And add the following, modifying accordingly:
  • Then restart the network interface service:
    service netif restart

Finish the Installation

  • Exit from the chroot environment:
  • Setup the ZFS mountpoints
    zfs set mountpoint=legacy xpool/ROOT
    zfs set mountpoint=/tmp xpool/tmp
    zfs set mountpoint=/usr xpool/usr
    zfs set mountpoint=/var xpool/var
    zfs set mountpoint=/bootpool bootpool
  • Unmount the filesystems:
    umount /boot/zfs
    zfs unmount -a
    zpool export xpool
    zpool export bootpool
  • Reboot the system and eject the FreeBSD install disc:


  • Then, disable the FreeBSD package repository:
    mv /etc/pkg/FreeBSD.conf /root/FreeBSD.conf-old
  • Create the pkg repos directory:
    mkdir -p /usr/local/etc/pkg/repos
  • Then, create the PCBSD repo file:
    vi /usr/local/etc/pkg/repos/pcbsd.conf
    • And add the following:
      pcbsd: {
             url: "",
             signature_type: "fingerprints",
             fingerprints: "/usr/local/etc/pkg/fingerprints/pcbsd",
             enabled: true
  • Next, create the pkg fingerprints directories:
    mkdir -p /usr/local/etc/pkg/fingerprints/pcbsd/{revoked,trusted}
  • Then, download the PCBSD repository fingerprint file:
    cd /usr/local/etc/pkg/fingerprints/pcbsd/trusted/
  • Update the package database and any installed packages:
    pkg update
    pkg upgrade -fy
  • Once the repository configuration is complete install the base components:
    fetch --no-verify-peer -o /etc/freebsd-update.conf ''
    freebsd-update fetch
    freebsd-update install
  • Then setup the installation to be a PC-BSD desktop
    pkg install -fy pcbsd-base
    pbreg set /PC-BSD/SysType PCBSD
    pc-extractoverlay ports
    pc-extractoverlay desktop

Setup Desktop Environment

  • Install the xfce desktop environment:
    pkg install pcbsd-meta-xfce
  • Set the first boot scripts to run:
    sh /usr/local/share/pcbsd/scripts/ desktop en_US
    touch /var/.runxsetup
    touch /var/.pcbsd-firstboot
    touch /var/.pcbsd-firstgui

NOTE: If you are using NVIDIA video hardware, load the driver before rebooting into the display wizard:

pkg install pcbsd-meta-nvidia



#1 Updated by Daniel Curtis over 4 years ago

  • Category set to Workstation
  • Assignee set to Daniel Curtis
  • Target version set to PCBSD
  • Start date changed from 04/15/2016 to 04/17/2016
  • % Done changed from 0 to 20
  • Estimated time set to 3.00

#2 Updated by Daniel Curtis over 4 years ago

  • Description updated (diff)
  • Status changed from New to In Progress
  • % Done changed from 20 to 50

#3 Updated by Daniel Curtis over 4 years ago

  • Description updated (diff)

#4 Updated by Daniel Curtis over 4 years ago

  • Description updated (diff)

#5 Updated by Daniel Curtis over 4 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100

#6 Updated by Daniel Curtis over 4 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF