NetBSD Installation with Disk Encryption

Sun, 12 Apr 2026 00:00:00 +0000

The first time I installed NetBSD</a> I used sysinst(8)</a>, a menu-based program launched at boot that runs in the console. It has a clear and concise layout and I was quickly up-and-running on my new BSD</a> system.

For my next install I wanted to include disk encryption to protect personal data in case the device is lost or stolen. Its not really enough to simply encrypt home directories. Passphrases and sensitive data can linger and be extracted from locations such as system logs and swap memory. There is a trade-off to be made between how much to encrypt, the convenience of operating the system, and the ability for the system to boot.

1. Start Here</a>

Acquire an installation image</a></li>
Prepare the USB installation medium</a></li> </ul> </li>
2. Configure the Live Environment</a>

Connect to the internet</a></li>
Remote login to the installer</a></li> </ul> </li>
3. Prepare the DISK</a>

Identify disks and partitions</a></li>
Define DISK variable</a></li>
Wipe DISK</a></li>
Partition DISK</a></li>
Define wedge variables</a></li>
Format and mount the ESP wedge</a></li>
Add EFI boot entries to ESP</a></li>
Format and mount the root wedge</a></li> </ul> </li>
4. Disk Encryption</a>

Create encrypted device</a></li>
Create disklabels</a></li>
Verify encrypted device</a></li>
Format and mount disklabels</a></li> </ul> </li>
5. Installation</a></li>
6. Configure the System</a>

Chroot</a></li>
Directories</a></li>
Devices</a></li>
Root password</a></li>
Superuser</a></li>
Fstab</a></li>
Startup</a></li>
Keyboard</a></li>
Timezone</a></li>
Network interface</a></li>
Terminals</a></li> </ul> </li>
7. Finish Up</a></li>
8. Resources</a></li> </ul>

1. Start Here</h2>
Throughout this HOWTO, if you see square brackets []</code> in code blocks, that means the word of code (square brackets included) should be replaced with something else. This is detailed in the instructions before or after the code block.
NetBSD will be installed as the sole operating system on a single disk using a four-partition layout:
Partition ESP</code> is the EFI system partition.</li> Partition root</code> hosts a minimal root filesystem that boots to an encryption passphrase prompt, which upon entry unlocks…</li> … the encrypted device on partition syscgd</code> containing the contents of var</code>, usr</code>, and home</code>.</li>
Partition swap</code> is swap memory auto-encrypted at boot using a random key.</li> </ul> A few assumptions:Target device is amd64</code> architecture using UEFI to boot.</li> Secure boot is disabled on target device.</li> Network access during install uses a wired interface.</li> </ul> Sysinst does not provide the option for encrypting the system in this manner, so early in the install process I switch to the console and proceed to manually install NetBSD. Acquire an installation image</h3> The latest official installation images (as of April 2026) are available here: Images and torrents</a> Download the NetBSD-11.0_RC3-amd64-install.img.gz</code> image and the SHA512</code> file for verification: wget https://cdn.netbsd.org/pub/NetBSD/images/11.0_RC3/NetBSD-11.0_RC3-amd64-install.img.gz wget https://cdn.netbsd.org/pub/NetBSD/images/11.0_RC3/SHA512 </code></pre> Verify the image using sha512sum</code>: sha512sum -c --ignore-missing SHA512 </code></pre> Decompress the image: gunzip NetBSD-11.0_RC3-amd64-install.img.gz </code></pre> Prepare the USB installation medium</h3> Write the installer to an unmounted USB storage device running the dd(1)</a> command as root</code>. WARNING Be very careful to note the proper device (which can be identified with lsblk</code>). All contents on the device will be lost! Example: On a Linux system, if a USB stick appears as sdx1</code>, then write the installer to sdx</code> (omit partition number): dd bs=4M conv=fsync oflag=direct status=progress if=NetBSD-11.0_RC3-amd64-install.img of=/dev/sdx </code></pre> 2. Configure the Live Environment</h2> Boot the target device from the NetBSD installation medium. Select Option 1</code> (default) to Install NetBSD</code>. After the installer has successfully booted into the NetBSD kernel, a prompt appears to select which language will be used for installation messages, followed by a prompt to select a different keyboard type if desired or leave unchanged. Next up the menu-based sysinst program is launched: NetBSD-11.0_RC3 Install System >a: Install NetBSD to hard disk b: Upgrade NetBSD on a hard disk c: Re-install sets or install additional sets d: Reboot the computer e: Utility menu f: Config menu x: Exit Install System </code></pre> Connect to the internet</h3> At the Install System</code> main menu, select >e: Utility menu</code> then >c: Configure network</code>. Available interfaces</code> lists the network interfaces detected by the NetBSD installer. Example: With my target device Available interfaces</code> lists two: wm0</code> (wired) and iwn0</code> (wireless). I choose to configure the wired ethernet interface: Network media (empty to autoconfigure) [autoselect]: <enter> Perform autoconfiguration? >a: Yes Your host name: foobox Your DNS domain: home.arpa The following are the values you entered. [...] Are they OK? >a: Yes </code></pre> Remote login to the installer</h3> Make this manual installation process easier (i.e. cut-n-paste commands) by remotely logging into the installer via ssh</code> from another computer. Open a shell by selecting >a: Run /bin/sh</code> from the Utilities</code> menu. Set a password for root</code>: passwd </code></pre> Open the sshd_config</code> file for editing using the vi</code> editor: vi /etc/ssh/sshd_config </code></pre> Set permission to allow root</code> to login: PermitRootLogin yes </code></pre> Save changes and exit. Start the sshd</code> daemon: /etc/rc.d/sshd onestart </code></pre> Retrieve the IP address for the active interface configured earlier (example: wm0</code>): ifconfig wm0 </code></pre> Switch to the other computer and ssh</code> into the target device: ssh root@[ip_address] </code></pre> … where [ip_address]</code> is the target device’s address obtained with the ifconfig</code> command above. 3. Prepare the DISK</h2> NOTE For the purposes of this HOWTO, the example target device has a single NVMe disk with an existing install of Linux</a> that will be erased and replaced by NetBSD. Device IDs and storage sizes will vary between devices. Identify disks and partitions</h3> Discover what disk devices and partitions have been recognized by the kernel: # sysctl hw.disknames hw.disknames = ld0 dk0 dk1 dk2 dk3 sd0 dk4 dk5 </code></pre> NVMe devices show up as ld</code> and hard disks are identified by wd</code>. USB devices usually show up as sd</code>. The dk</code> devices are partitions (know as wedges in NetBSD parlance) on the storage devices, and this early after boot are usually displayed in order, that is: dk0</code> through dk3</code> are wedges on the NVMe target device ld0</code>, and dk4</code> and dk5</code> on the USB installer sd0</code>. Verify by asking for a list of wedges on sd0</code>: # dkctl sd0 listwedges /dev/rsd0: 2 wedges: dk4: EFI system, 262144 blocks at 2048, type: msdos dk5: 30c4cc4e-5369-449c-8994-a4b1ea665b4b, 4853760 blocks at 264192, type: ffs </code></pre> Verify which device the installer booted from: # dmesg | fgrep "root on" [ 4.158650] root on dk5 </code></pre> There is also the nvmectl</code> command (use atactl</code> for SATA drives): # nvmectl identify nvme0 | egrep 'Model|Device type|Capacity' Model Number: Samsung SSD 980 1TB </code></pre> Define DISK variable</h3> The NVMe storage device detected above as ld0</code> is where NetBSD will be installed. Adjust accordingly for your own storage device: DISK="ld0" </code></pre> Wipe DISK</h3> Wipe existing file systems and partition table on DISK: gpt destroy $DISK && gpt show $DISK </code></pre> Partition DISK</h3> NOTE I typically set the swap partition size equal to the amount of physical RAM to a maximum 16g</code>. Create a GPT partition table on DISK with the following layout: Number</th> Size</th> Type</th> Use as</th></tr></thead> 1</td> 550m</td> efi</td> ESP partition</td></tr> 2</td> 6g</td> ffs</td> Root partition</td></tr> 3</td> 16g</td> swap</td> Encrypted swap partition</td></tr> 4</td> ->END</td> cgd</td> Encrypted system partition</td></tr> </tbody></table> Create a new GPT partition table: gpt create -f $DISK </code></pre> Create the wedges: gpt add -l "ESP" -t efi -s 550m $DISK gpt add -l "root" -t ffs -s 6g $DISK gpt add -l "swap" -t swap -s 16g $DISK gpt add -l "syscgd" -t cgd $DISK gpt show $DISK </code></pre> Define wedge variables</h3> List wedges: # dkctl $DISK listwedges /dev/rld0: 4 wedges: dk2: ESP, 524288 blocks at 34, type: msdos dk3: root, 16777216 blocks at 524322, type: ffs dk4: swap, 33554432 blocks at 17301538, type: swap dk5: syscgd, 1902669165 blocks at 50855970, type: cgd </code></pre> NOTE Your dk[number]</code> numbering may differ from above. Adjust accordingly: Define variables: DK_ESP="dk2" DK_ROOT="dk3" </code></pre> Format and mount the ESP wedge</h3> newfs_msdos /dev/r${DK_ESP} && mount /dev/${DK_ESP} /mnt </code></pre> Add EFI boot entries to ESP</h3> mkdir -p /mnt/EFI/boot && cp -v /usr/mdec/*.efi /mnt/EFI/boot </code></pre> Unmount wedge: umount /mnt </code></pre> Format and mount the root wedge</h3> Format and mount the root wedge with the FFSv2</code> file system with support for extended attributes and access control lists: newfs -O 2ea /dev/r${DK_ROOT} && mount /dev/${DK_ROOT} /targetroot </code></pre> 4. Disk Encryption</h2> NetBSD uses the cryptographic device driver</a> (CGD) to create and manage encrypted devices. Create encrypted device</h3> Using cgdconfig</code>, a parameters file is generated that stores the encryption type, key length, and a random password salt for the new encrypted device. There are a few different encryption ciphers supported</a>. I choose aes-xts</code> with a 512-bit key: mkdir -p /targetroot/etc/cgd && chmod 700 /targetroot/etc/cgd cgdconfig -g -V disklabel -o /targetroot/etc/cgd/syscgd aes-xts 512 </code></pre> NOTE NAME=syscgd</code> is the label for the CGD wedge created earlier. Create the encrypted device and assign it a passphrase. This passphrase will be used to open the CGD device at boot: cgdconfig -V re-enter cgd0 NAME=syscgd /targetroot/etc/cgd/syscgd </code></pre> Create disklabels</h3> NOTE Disklabels c</code> and d</code> have special meaning in NetBSD</a> and should not be used. Within the encrypted device, three disklabels are created: Disklabel</th> Mountpoint</th> Size</th></tr></thead> cgd0a</td> /var</td> 8GB</td></tr> cgd0b</td> /usr</td> 48GB</td></tr> cgd0e</td> /home</td> ->END</td></tr> </tbody></table> Create the labels using disklabel</code> in interactive mode: # disklabel -Ii cgd0 Enter '?' for help ... </code></pre> Create cgd0a</code>: partition>a Filesystem type [4.2BSD]: <enter> Start offset ('x' to start after partition 'x') [0c, 0s, 0M]: <enter> Partition size ('$' for all remaining) [947594c, 1940672512s, 947594M]: 8G a: ... </code></pre> Create cgd0b</code>: partition>b Filesystem type [unused]: 4.2BSD Start offset ('x' to start after partition 'x') [0c, 0s, 0M]: a Partition size ('$' for all remaining) [0c, 0s, 0M]: 48G b: ... </code></pre> Create cgd0e</code>: partition>e Filesystem type [unused]: 4.2BSD Start offset ('x' to start after partition 'x') [0c, 0s, 0M]: b Partition size ('$' for all remaining) [0c, 0s, 0M]: $ e: ... </code></pre> Write the label and quit: partition>W Label disk [n]?y Label written partition>Q </code></pre> Verify encrypted device</h3> Set configuration in target device: echo 'cgd0 NAME=syscgd /etc/cgd/syscgd' > /targetroot/etc/cgd/cgd.conf </code></pre> Close the CGD device: cgdconfig -u cgd0 </code></pre> Unlock the CGD device again with the passphrase set earlier: cgdconfig cgd0 NAME=syscgd /targetroot/etc/cgd/syscgd </code></pre> The cgd0</code> drive should now be open and the disklabel visible: disklabel cgd0 </code></pre> Format and mount disklabels</h3> Format: newfs -O 2ea cgd0a newfs -O 2ea cgd0b newfs -O 2ea cgd0e </code></pre> Mount: mkdir /targetroot/var /targetroot/usr /targetroot/home mount /dev/cgd0a /targetroot/var mount /dev/cgd0b /targetroot/usr mount /dev/cgd0e /targetroot/home </code></pre> 5. Installation</h2> The new system is composed of sets (collections of packages) installed to the target device. These sets are located in /amd64/binary/sets</code>. Move into that directory: cd /amd64/binary/sets && ls </code></pre> NOTE Adding flag p</code> to the tar</code> command is important. It ensures that all files preserve their owners</code> and mode</code>. At a minimum, you must select a kernel and the base</code> and etc</code> sets. Below are the sets I choose to install for a desktop setup: # for set in base comp etc games gpufw kern-GENERIC man misc modules rescue tests text xbase xcomp xetc xfont xserver; do > tar -xvzpf $set.tar.xz -C /targetroot > done </code></pre> 6. Configure the System</h2> Chroot into the freshly installed NetBSD and configure the new OS. Chroot</h3> chroot /targetroot </code></pre> Directories</h3> Create the kern</code> and proc</code> directories: mkdir kern proc </code></pre> Devices</h3> cd dev sh MAKEDEV all </code></pre> On a previous install, after rebooting the boot process halted with the error message: /etc/defaults/rc.conf: cannot create /dev/null: read-only file system /etc/rc: cannot create /dev/null: read-only file system </code></pre> MAKEDEV</code> had created null</code> but it was incorrectly configured: # ls -l /dev/null -rw-r--r-- 1 root wheel 0 Apr 5 13:06 null </code></pre> To avoid this error, remove the existing null</code>: rm /dev/null </code></pre> Re-create null</code> with mknod</code>: # mknod -m 0666 -u root -g wheel /dev/null c 2 2 && ls -l /dev/null crw-rw-rw- 1 root wheel 2, 2 Apr 11 13:10 /dev/null </code></pre> Root password</h3> passwd </code></pre> Superuser</h3> Create a user account assigned to the wheel</code> and operator</code> groups: useradd -G [groups] -m [username] </code></pre> Example: Create an account for user foo</code> and assign a password: useradd -G wheel,operator -m foo passwd foo userinfo foo </code></pre> Fstab</h3> # cat > /etc/fstab << EOF NAME=root / ffs rw,log,noatime 1 1 NAME=swap none swap sw,dp 0 0 tmpfs /tmp tmpfs rw,-m1777,-sram%25 kernfs /kern kernfs rw ptyfs /dev/pts ptyfs rw procfs /proc procfs rw tmpfs /var/shm tmpfs rw,-m1777,-sram%25 /dev/cgd0a /var ffs rw,log,noatime 1 2 /dev/cgd0b /usr ffs rw,log,noatime 1 2 /dev/cgd0e /home ffs rw,log,noatime 1 2 EOF </code></pre> Startup</h3> Open rc.conf</code> for editing: vi /etc/rc.conf </code></pre> NOTE In this HOWTO, my hostname was earlier set to foobox.home.arpa</code> during network setup, and my wired interface is wm0</code>. Adjust accordingly: # If this is not set to YES, the system will drop into single-user mode. # rc_configured=YES # Add local overrides below. # # Wait for CGD to be unlocked before mounting. critical_filesystems_local="OPTIONAL:/var OPTIONAL:/usr" dhcpcd=YES dhcpcd_flags="-qM wm0" hostname=foobox.home.arpa sshd=YES ntpd=YES ntpdate=YES wscons=YES cgd=YES </code></pre> Save changes and exit. NOTE Any Error: /dev/ttyp0: No such file or directory</code> messages can be safely ignored. Keyboard</h3> A full list of keyboard mappings and variants can be found in wskbd(4)</a>. Set encoding [type_of_keyboard]</code> in wscons.conf</code>. Open file for editing: vi /etc/wscons.conf </code></pre> Example: I use the non-default colemak</code> keymap: encoding us.colemak </code></pre> Save changes and exit. Timezone</h3> Create a symlink to the appropriate timezone for your localtime</code>: ln -sf /usr/share/zoneinfo/[region/<city_or_sub-region] /etc/localtime </code></pre> Example: Set localtime</code> to Canada/Eastern</code>: ln -sf /usr/share/zoneinfo/Canada/Eastern /etc/localtime && date </code></pre> Network interface</h3> ifconfig.if(5)</a> contains the configuration details for each network interface. Example: Create an interface file for the wm0</code> interface that is assigned an IP address via DHCP: # cat > /etc/ifconfig.wm0 << EOF up media autoselect EOF </code></pre> Terminals</h3> Set the status of terminals ttyE1-ttyE3</code> in ttys</code> from off</code> to on</code>. Open file for editing: vi /etc/ttys </code></pre> This is how it should look: # name getty type status comments # console "/usr/libexec/getty Pc" wsvt25 off secure constty "/usr/libexec/getty Pc" wsvt25 on secure ttyE0 "/usr/libexec/getty Pc" wsvt25 off secure ttyE1 "/usr/libexec/getty Pc" wsvt25 on secure ttyE2 "/usr/libexec/getty Pc" wsvt25 on secure ttyE3 "/usr/libexec/getty Pc" wsvt25 on secure </code></pre> Save changes and exit. 7. Finish Up</h2> Exit chroot: exit cd / </code></pre> Unmount: umount /targetroot/home umount /targetroot/usr umount /targetroot/var umount /targetroot </code></pre> Close encrypted device: cgdconfig -u cgd0 </code></pre> Reboot system: shutdown -r now </code></pre> NOTE When prompted for the passphrase to unlock the encrypted device, keymap is us qwerty</code> regardless of keymap that might have been set in wscons.conf</code>. User is prompted for the passphrase to unlock the encrypted syscgd</code> device. Upon success, boot resumes: NetBSD/amd64 (foobox.home.arpa) (constty) login: root Password: </code></pre> Welcome to NetBSD! To shutdown/poweroff the system: shutdown -p now </code></pre> 8. Resources</h2> This HOWTO posted by vsis</a> was crucial in getting my own system configured with encryption: NetBSD - UEFI installation with Full Disk Encryption</a></li> Alternative approach for disk encryption using a ramdisk on BIOS boot systems: NetBSD Full-Disk Encryption with CGD (BIOS/GPT)</a></li> NetBSD INSTALL: Installation procedure for NetBSD/amd64</a></li> NetBSD Wiki: Installing NetBSD on a x86 system with UEFI</a></li> NetBSD Guide: Chapter 14. The cryptographic device driver (CGD)</a></li> Suggested tools for inspecting disks: Disk management from Installation ISO</a></li> Skipping sysinst install for a more “hands-on” approach: Manual NetBSD install on GPT/UEFI</a></li> Swap encryption is now automatic using the vm.swap_encrypt=1</code> sysctl(8)</a> variable: Announcing NetBSD 10.0</a></li> </ul> Next: NetBSD: After the First Boot (TODO) You can like, share, or comment on this post on the Fediverse</a> 💬 Configure SSH on NetBSD for Passwordless Logins to Servers Mon, 06 Apr 2026 00:00:00 +0000 Disable password logins on the BSD or Linux SERVER in favour of using SSH keys for authentication. Create the necessary SSH keys on a NetBSD CLIENT that will be used to secure access to remote devices. 1. Start Here</a></li> 2. Create Public and Private Keys</a></li> 3. Share Public Key</a></li> 4. Disable Password Logins</a></li> 5. Create an Alias</a></li> 6. Keychain</a></li> </ul> 1. Start Here</h2> On BOTH the CLIENT and the SERVER</h3> Create the .ssh</code> directory and authorized_keys</code> file in $HOME</code>: mkdir ~/.ssh && touch ~/.ssh/authorized_keys chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys </code></pre> 2. Create Public and Private Keys</h2> On the CLIENT</h3> Create the SSH public/private key pair protected with a passphrase: ssh-keygen -t ed25519 -C "$(whoami)@$(hostname -s)-$(date +%Y-%m-%d)" </code></pre> Start ssh-agent</code>: eval "$(ssh-agent -s)" </code></pre> Add the newly-created SSH private key to the current session: ssh-add ~/.ssh/id_ed25519 </code></pre> Any SSH logins launched during the session will now access this key stored in memory. 3. Share Public Key</h2> On the CLIENT</h3> Upload the public key to the SERVER and append to the SERVER authorized_keys</code> file: ssh-copy-id -i ~/.ssh/id_ed25519.pub [remote_ip_address] </code></pre> Example: SERVER has a [remote_ip_address]</code> of 178.123.1.45</code>: ssh-copy-id -i ~/.ssh/id_ed25519.pub 178.123.1.45 </code></pre> Verify key-based authentication is configured correctly by successfully logging in using ssh</code> without a password: ssh -o PasswordAuthentication=no 178.123.1.45 </code></pre> 4. Disable Password Logins</h2> On the SERVER</h3> After verifying the SERVER can be accessed remotely using SSH keys, open sshd_config</code> for editing: doas vi /etc/ssh/sshd_config </code></pre> Disable password authentication with these modifications: PubkeyAuthentication yes PasswordAuthentication no KbdInteractiveAuthentication no </code></pre> As an additional security measure, change the port (by default port 22</code>) that SSH listens for connections. Changing this to a dynamic or private port</a> between 49152</code> through 65535</code> will frustrate automated attacks. Example: Modify the SERVER listening port from #Port 22</code> to Port 52222</code>: Port 52222 </code></pre> Save changes and exit. Reload SSH: On NetBSD and FreeBSD and servers:</li> </ul> doas service sshd reload </code></pre> On Linux servers using systemd</code>:</li> </ul> sudo systemctl reload ssh </code></pre> On the CLIENT</h3> While remaining logged into SERVER, open another terminal and verify the changes by attempting a new login using password authentication (which should fail): $ ssh -p 52222 -o PreferredAuthentications=password -o PubkeyAuthentication=no 178.123.1.45 <username>@178.123.1.45: Permission denied (publickey). </code></pre> Verify key-based authentication continues to work as before: ssh -p 52222 178.123.1.45 </code></pre> Device is now secured to accept only SSH key authentication for logins. 5. Create An Alias</h2> On the CLIENT</h3> Create an alias for the SERVER in the user’s ssh_config</code>: vi ~/.ssh/config </code></pre> Add an alias for SERVER named myserver</code>: Host myserver HostName 178.123.1.45 Port 52222 </code></pre> Save changes and exit. Now login to SERVER is simply: $ ssh myserver </code></pre> 6. Keychain</h2> On the CLIENT</h3> For CLIENT devices that are not running desktop environments with their own built-in ssh</code> key management, I like to install the keychain</a> package to manage my keys: doas pkgin install keychain </code></pre> When logging in for the first time after boot, it prompts me for the passphrase to unlock my key, then will maintain a single ssh-agent</code> process across multiple login sessions. Flush all cached keys from memory: keychain --clear </code></pre> NOTE I rename my keys from id_ed25519*</code> to the hostname of the device (hence the $(hostname -s)</code> below). If using sh</code> or bash</code> as SHELL, open .profile</code>: vi ~/.profile </code></pre> Add: # maintain a single ssh-agent process across multiple login sessions if command -v keychain 2>&1 >/dev/null then eval $(keychain --eval $(hostname -s)) fi </code></pre> Save changes and exit. You can like, share, or comment on this post on the Fediverse</a> 💬 Just Enough Chimera Linux Fri, 03 Apr 2026 00:00:00 +0000 Chimera Linux</a> is a delightful community-driven Linux distribution built from scratch that does things differently: musl</code> instead of the typical glibc</code> for C library, dinit</code> over systemd</code> for system init, and a userland derived from FreeBSD core tools. Using the Chimera base</code> install image and working my way through this excellent installation guide</a> for configuring Chimera with the OpenZFS filesystem and the ZFSBootMenu bootloader, I show the choices I make to create an encrypted, minimal Linux system with “just enough” to provide a solid foundation to build upon further: whether that be setting up a desktop, laptop, or server. 1. Start Here</a> Acquire an installation image</a></li> Prepare the USB installation medium</a></li> </ul> </li> 2. Configure the Live Environment</a> Set the console font</a></li> Set the console keyboard</a></li> Verify the boot mode</a></li> Connect to the internet</a></li> Remote login to the installer</a></li> Define ID variable</a></li> Generate hostid</a></li> </ul> </li> 3. Prepare the DISK</a> Define DISK variables</a></li> Wipe DISK</a></li> Partition DISK</a></li> </ul> </li> 4. ZFS Pool Creation</a> Create encryption keyfile</a></li> Create encrypted ZFS pool</a></li> Create ZFS datasets</a></li> Export and re-import pool for installation</a></li> </ul> </li> 5. Installation</a></li> 6. Configure the System</a> Chroot</a></li> Root password</a></li> Superuser</a></li> Package manager and extra packages</a></li> Console font</a></li> Console keyboard</a></li> Timezone</a></li> Hostname</a></li> Services</a></li> ESP partition</a></li> Initramfs</a></li> </ul> </li> 7. ZFSBootMenu</a> Boot properties</a></li> Prebuilt executable</a></li> EFI boot entries</a></li> </ul> </li> 8. Finish Up</a> Exit chroot, unmount, and export</a></li> Reboot</a></li> Zram swap</a></li> </ul> </li> 9. Resources</a></li> </ul> 1. Start Here</h2> Chimera Linux is installed as the sole operating system on a single disk using a two-partition layout: Partition pool</code> is formatted with the zfs</code> file system using native encryption.</li> Partition esp</code> serves as the EFI system partition and is formatted with the fat32</code> file system.</li> In lieu of creating a partition for swap</code>, the zram</code> kernel module is used to create a compressed block device in RAM to provide swap space.</li> </ul> A few assumptions: Target device is x86_64</code> architecture using UEFI to boot.</li> Secure boot is disabled on target device.</li> Network access during install uses a wired interface.</li> System does not require hibernation support.</li> </ul> Acquire an installation image</h3> The latest live ISO install images are available here: repo.chimera-linux.org</a> Download chimera-linux-x86_64-LIVE-[RELEASE]-base.iso</code>, the sha256sums.txt</code> file, then verify the image integrity: sha256sum -c --ignore-missing sha256sums.txt </code></pre> Prepare the USB installation medium</h3> Write the installer to an unmounted USB storage device running the dd</code> command as root. WARNING Be very careful to note the proper device (which can be identified with the lsblk</code> command). All contents on the device will be lost! Example: On a Linux system, if a USB stick appears as sdx1</code>, then write the installer to sdx</code> (omit partition number): dd bs=4M conv=fsync oflag=direct status=progress if=chimera-linux-x86_64-LIVE-[RELEASE]-base.iso of=/dev/sdx </code></pre> 2. Configure the Live Environment</h2> Boot the target device from the Chimera installation media. Login and password is root:chimera</code>. Set the console font</h3> If the existing font size appears too small, running: setfont -d </code></pre> … will double the size. Console fonts are located in /usr/share/consolefonts/</code> and a different font can be set with setfont</code> omitting the path and file extension. Set the console keyboard</h3> Default console keymap is us</code>. Available keymaps are listed in /usr/share/keymaps/</code>. If some other keymap is desired, set a different keymap temporarily with loadkeys</code>: loadkeys [keymap] </code></pre> …where [keymap]</code> is the desired keyboard layout. Example: I configure the system to use my preferred colemak</code> layout, which is available in /usr/share/keymaps/i386/colemak</code>: loadkeys colemak/en-latin9 </code></pre> Verify the boot mode</h3> Confirm target device is using UEFI boot mode: cat /sys/firmware/efi/fw_platform_size </code></pre> If the command returns 64</code>, then system is booted in UEFI with 64-bit x64 UEFI and we are good to go. NOTE If the file does not exist, the device is not using UEFI. Connect to the internet</h3> Wired network interfaces should be auto-enabled and connected at boot. Verify the network interface is active, has been assigned an address, and the internet is reachable: ip addr ping -c 5 chimera-linux.org </code></pre> Remote login to the installer</h3> Make this manual installation process easier (i.e. cut-n-paste commands) by remotely logging into the installer via ssh</code> from another computer. Start the sshd</code> daemon: dinitctl start sshd </code></pre> Switch to the other computer and ssh</code> into the target device as anon:chimera</code>: ssh anon@[ip_address] </code></pre> … where [ip_address]</code> is the target device’s address obtained with the ip addr</code> command above. Switch to root</code>: doas -s </code></pre> Define ID variable</h3> File /etc/os-release</code> defines variables that describe the current operating system. Use the $ID</code> variable to set the short name of the Linux distribution in later commands: . /etc/os-release && export ID && echo $ID </code></pre> Generate hostid</h3> Generate hostid</code> hexadecimal identifier for use by ZFSBootMenu: zgenhostid "$(hostid)" && hostid </code></pre> NOTE Musl doesn’t read /etc/hostid</code> and will always display 00000000</code>. Its not an issue. See this discussion</a>. 3. Prepare the DISK</h2> Setup a custom partition layout on a single disk before implementing the Chimera base installation. Install: apk update && apk add --no-interactive gptfdisk parted </code></pre> Define DISK variables</h3> Identify the disk where Chimera will be installed by listing block devices: lsblk -f </code></pre> Set DISK variables for either a SATA or NVMe disk: SATA</h4> Example disk: sda</code> export DISK="/dev/sda" export ESP_PART="1" export POOL_PART="2" export ESP_DEVICE="${DISK}${ESP_PART}" export POOL_DEVICE="${DISK}${POOL_PART}" echo $ESP_DEVICE && echo $POOL_DEVICE </code></pre> NVMe</h4> Example disk: nvme0n1</code> export DISK="/dev/nvme0n1" export ESP_PART="1" export POOL_PART="2" export ESP_DEVICE="${DISK}p${ESP_PART}" export POOL_DEVICE="${DISK}p${POOL_PART}" echo $ESP_DEVICE && echo $POOL_DEVICE </code></pre> Wipe DISK</h3> If there was previously a ZFS pool on DISK, run: zpool labelclear -f $DISK </code></pre> If DISK was previously configured with LVM, bring down the volume group: vgchange -an </code></pre> Wipe existing file systems and partition table on DISK: wipefs -af $DISK && sgdisk --zap-all --clear $DISK </code></pre> Notify the system of changes to the partition table: partprobe $DISK </code></pre> Partition DISK</h3> NOTE Many partitioning guides assign 256-512M of space to the EFI system partition. I like to future-proof the partition for whatever else Linux might want to store there by assigning a more generous 2G of space. Create a GPT partition table on DISK with the following layout: Number</th> Size</th> Code</th> Format</th> Use as</th> Mountpoint</th></tr></thead> 1</td> 2g</td> ef00</td> vfat</td> EFI system partition</td> /boot/efi</td></tr> 2</td> ->END</td> bf00</td> zfs</td> ZFS pool partition</td> /</td></tr> </tbody></table> Create the EFI system partition: sgdisk -n "${ESP_PART}:1m:+2g" -t "${ESP_PART}:ef00" -c 0:esp $DISK </code></pre> Create the ZFS pool partition: sgdisk -n "${POOL_PART}:0:0" -t "${POOL_PART}:bf00" -c 0:pool $DISK </code></pre> Display DISK layout: partprobe $DISK && sgdisk -p $DISK </code></pre> 4. ZFS Pool Creation</h2> When adding disks or partitions to ZFS pools, its good practice to refer to them by the symbolic links created in /dev/disk/by-partuuid</code> (UEFI) so that ZFS will identify the right devices even if disk naming should change at some point. Using traditional device nodes like /dev/sda2</code> may cause intermittent import failures. So I create a POOL_ID</code> variable: POOL_ID=/dev/disk/by-partuuid/$( blkid -s PARTUUID -o value $POOL_DEVICE ) </code></pre> Verify: ls -al /dev/disk/by-partuuid/ && echo "POOL_ID = $POOL_ID" </code></pre> Create encryption keyfile</h3> Store the encryption passphrase for the ZFS pool in a keyfile: echo 'SuperSecretPassphrase' > /etc/zfs/zroot.key chmod 000 /etc/zfs/zroot.key </code></pre> Create encrypted ZFS pool</h3> Create the pool with native encryption enabled: zpool create -f \ -o ashift=12 \ -o autotrim=on \ -o compatibility=openzfs-2.3-linux \ -O acltype=posixacl \ -O xattr=sa \ -O compression=lz4 \ -O encryption=aes-256-gcm \ -O keylocation=file:///etc/zfs/zroot.key \ -O keyformat=passphrase \ -O relatime=on \ -m none zroot "$POOL_ID" </code></pre> Create ZFS datasets</h3> NOTE It is necessary to explicitly set the canmount=noauto</code> on every boot environment you create. zfs create -o mountpoint=none zroot/ROOT zfs create -o mountpoint=/ -o canmount=noauto zroot/ROOT/${ID} </code></pre> Set the preferred boot file system: zpool set bootfs=zroot/ROOT/${ID} zroot </code></pre> I create an additional home</code> dataset for each system: zfs create zroot/ROOT/${ID}/home </code></pre> This allows me to keep user config files unique to each boot environment that I might create in the future. It also separates user data from system data, which is useful for ZFS snapshots and enables system rollbacks while leaving user data untouched. To share data between boot environments, I create a data</code> dataset to store common files: zfs create -o mountpoint=/data zroot/data </code></pre> Export and re-import pool for installation</h3> zpool export zroot zpool import -N -R /mnt zroot zfs load-key -L prompt zroot </code></pre> Mount datasets: zfs mount zroot/ROOT/${ID} zfs mount zroot/ROOT/${ID}/home zfs mount zroot/data </code></pre> Verify: # mount -t zfs zroot/ROOT/chimera on /mnt type zfs (rw,relatime,xattr,posixacl,casesensitive) zroot/ROOT/chimera/home on /mnt/home type zfs (rw,relatime,xattr,posixacl,casesensitive) root/data on /mnt/data type zfs (rw,relatime,xattr,posixacl,casesensitive) </code></pre> Update device symlinks: udevadm trigger </code></pre> 5. Installation</h2> Install the base-full</code> packages: chimera-bootstrap /mnt </code></pre> Copy files into the new operating system: cp /etc/hostid /mnt/etc/ mkdir /mnt/etc/zfs && cp /etc/zfs/zroot.key /mnt/etc/zfs/ </code></pre> 6. Configure the System</h2> Chroot into the freshly installed Chimera and configure the new OS. Chroot</h3> chimera-chroot /mnt </code></pre> Root password</h3> passwd </code></pre> Superuser</h3> Create a user account with superuser privileges: useradd -m -G wheel [username] </code></pre> … where [username]</code> is the desired name for the account. Set a password for [username]</code>: passwd [username] </code></pre> (Optional) Give root</code> access to [username]</code> with no password using the doas</code> command: echo 'permit nopass keepenv [username]' >> /etc/doas.conf </code></pre> Package manager and extra packages</h3> Add the user</code> subrepo and sync mirrors: apk add --no-interactive chimera-repo-user && apk update </code></pre> Identify the processor vendor: grep vendor_id /proc/cpuinfo </code></pre> Define a variable for an appropriate microcode package to load updates and security fixes: UCODE="[vendor]" </code></pre> … where [vendor]</code> for Intel processors is ucode-intel</code> and AMD processors is ucode-amd</code>. Install: apk add --no-interactive $UCODE linux-lts-zfs-bin curl efibootmgr font-terminus </code></pre> Console font</h3> NOTE For terminus</code> font settings, see /usr/share/consolefonts/README.Lat2-Terminus16</code> for details. Chimera uses the same console-setup</code> system as Debian. Example: Use TerminusBold</code> as the console font and increase font size by modifying /etc/default/console-setup</code>: ACTIVE_CONSOLES="/dev/tty[1-6]" CHARMAP="UTF-8" CODESET=guess FONTFACE=TerminusBold FONTSIZE=12x24 </code></pre> Console keyboard</h3> Default keyboard is us</code>. If a keymap alternative is desired, see keyboard(5)</code> for options. Example: I like to use the colemak</code> keymap (available in /usr/share/keymaps/i386/colemak</code>), which I set by modifying /etc/default/keyboard</code>: KMAP=colemak/en-latin9 XKBMODEL=pc105 XKBLAYOUT=us </code></pre> Timezone</h3> Timezones are located in /usr/share/zoneinfo/[Region]/[City]</code>, where [Region]</code> is the geographical region (Africa, America, Europe, …) and the [City]</code> within that region. Example: Create the /etc/localtime</code> symbolic link to the timezone where Toronto</code> is located: ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime && date </code></pre> Hostname</h3> Create the hostname</code> file: echo [hostname] > /etc/hostname </code></pre> … where [hostname]</code> is the desired name of the system (single word, no spaces): echo chimeralinux > /etc/hostname </code></pre> Services</h3> Links to services enabled by the admin are in /etc/dinit.d/boot.d/</code>. Default logging system on Chimera is syslog-ng</code>. Enable the service: dinitctl -o enable syslog-ng </code></pre> Logs are written to /var/log/messages</code>. You can configure wired networks statically or dynamically with dhcpcd</code>. Enable the service: dinitctl -o enable dhcpcd </code></pre> Default activity is for dhcpcd</code> to configure all interfaces with DHCP. Changes are made in /etc/dhcpcd.conf</code>. See dhcpcd.conf(5)</code> for more details. Enable the sshd</code> service to allow remote logins: dinitctl -o enable sshd </code></pre> ESP partition</h3> NOTE Labels on file systems are optional, but helpful. They allow for easy mounting without a UUID. Create a fat32</code> file system: mkfs.fat -n ESP -F 32 $ESP_DEVICE </code></pre> Mount device: mount --mkdir $ESP_DEVICE /boot/efi </code></pre> Add partition to fstab</code>: echo 'LABEL=ESP /boot/efi vfat defaults 0 0' >> /etc/fstab </code></pre> Initramfs</h3> Encryption key is stored in /etc/zfs</code> and will automatically be copied into the initramfs: mkdir -p /etc/initramfs-tools/conf.d echo 'UMASK=0077' > /etc/initramfs-tools/conf.d/umask.conf </code></pre> Rebuild: update-initramfs -u -k all </code></pre> 7. ZFSBootMenu</h2> Install this bootloader to support Root-on-ZFS boot environments on Linux. Boot properties</h3> Assign command-line arguments to be used when booting the kernel: zfs set org.zfsbootmenu:commandline="quiet" zroot/ROOT </code></pre> Configure key caching: zfs set org.zfsbootmenu:keysource="zroot/ROOT/${ID}" zroot </code></pre> Prebuilt executable</h3> Install a prebuilt ZFSBootMenu executable to the EFI system partition: mkdir -p /boot/efi/EFI/ZBM curl -o /boot/efi/EFI/ZBM/VMLINUZ.EFI -L https://get.zfsbootmenu.org/efi cp /boot/efi/EFI/ZBM/VMLINUZ.EFI /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI </code></pre> EFI boot entries</h3> efibootmgr -c -d "$DISK" -p "$ESP_PART" -L "ZFSBootMenu (Backup)" -l '\EFI\ZBM\VMLINUZ-BACKUP.EFI' efibootmgr -c -d "$DISK" -p "$ESP_PART" -L "ZFSBootMenu" -l '\EFI\ZBM\VMLINUZ.EFI' </code></pre> 8. Finish Up</h2> Exit chroot, unmount, and export</h3> Exit chroot: exit </code></pre> Unmount everything: umount /mnt/home && umount /mnt/data && umount /mnt/boot/efi && umount -n -R /mnt </code></pre> Export the zpool: zpool export zroot </code></pre> Reboot</h3> reboot </code></pre> NOTE When prompted for passphrase to unlock zpool, keymap is us</code> regardless of keymap that might have been set on system. User is prompted for the passphrase to unlock the encrypted root partition. Upon success, boot resumes: chimeralinux login: </code></pre> Welcome to Chimera! Zram swap</h3> Chimera uses dinit</code> for init which supports the management of zramN</code> devices. Load module: doas modprobe zram </code></pre> NOTE I set size = xG</code> to half of the system’s physical RAM. Create a configuration file for the zram0</code> device: doas tee /etc/dinit-zram.conf >/dev/null <<'EOF' [zram0] size = 4G algorithm = lz4 format = mkswap -U clear %0 EOF </code></pre> Add zram0</code> swap to fstab</code>: echo '/dev/zram0 none swap defaults 0 0' | doas tee -a /etc/fstab >/dev/null </code></pre> Enable the service: doas dinitctl enable zram-device@zram0 </code></pre> Activate the swap for the current session: doas swapon /dev/zram0 && zramctl </code></pre> 9. Resources</h2> ZFSBootMenu: Chimera Linux Guide</a></li> Chimera Linux: Installation Guide</a></li> OpenZFS Man Pages: zpoolprops.7</a> and zfsprops.7</a></li> Arch Linux Wiki: Persistent block device naming</a></li> Practical ZFS: Linux home directory on ZFS</a></li> Dinit-chimera: zram-support</a></li> </ul> Next: Chimera Linux: After the First Boot (TODO) You can like, share, or comment on this post on the Fediverse</a> 💬 FreeBSD: After the First Boot Thu, 19 Mar 2026 00:00:00 +0000 Part of the “FreeBSD on a Laptop”</a> series. After the first boot of my new FreeBSD installation</a>, these are some extra steps I like to make right away to get a system off to a good start! Package management</a></li> Set pkg manager to default to yes</a></li> Allow designated users to run commands as root</a></li> Use a larger font in console</a></li> Add user to additional groups</a></li> Alias for root mail</a></li> Switch user shell from sh to bash</a></li> Create SSH keys</a></li> Boot delay</a></li> Message of the day</a></li> Clear terminal at logout</a></li> </ul> Package management</h2> Package management is one area where the differences between the Linux philosophy and the BSD philosophy about how to build a system becomes apparent. Linux is an operating system kernel. Developers take this kernel and combine it with various independent software projects in a collection of packages that is released as a Linux distribution (Ubuntu, Debian</a>, Fedora, etc.). In contrast, each of the BSDs develop their own kernel and combine it with system components that are developed together “in-house” and released as a whole. The idea being that this approach leads to a more robust and tightly integrated core operating system. Third-party “userland” packages not included in the core may still be installed at the discretion of the user, with source code and binary packages provided from a ports repository. A major change in FreeBSD 15.0 is the introduction of a new method for installing and managing the core operating system using the pkg(8)</code> package manager. Currently marked as being a “technology preview”, the plan is it will become the default method for managing all base and userland binary packages on the system when FreeBSD 16.0 is released. When I ran my fresh install of FreeBSD, I opted to use this pkg</code> tool in combination with a network install, and the base system was installed as a set of packages from the “FreeBSD-base” repository. To keep packages up-to-date, compare installed packages to the versions in ports</code>, and generate a list of packages due for an upgrade, run the command: pkg upgrade </code></pre> To add a package: pkg install [package] </code></pre> One of the first packages I like to install on any BSD or Linux system is htop(1)</code>: pkg install htop </code></pre> More: FreeBSD Handbook - Installing Applications: Packages and Ports</a> Set pkg manager to default to yes</h2> From pkg.conf(5)</code>: > DEFAULT_ALWAYS_YES: boolean When this option is enabled pkg(1) will default to "yes" for all questions which require user confirmation before doing anything. Default: NO. </code></pre> Open the file for editing: vi /usr/local/etc/pkg.conf </code></pre> Change: #DEFAULT_ALWAYS_YES = false; </code></pre> … to: DEFAULT_ALWAYS_YES = true; </code></pre> Save changes and exit. Allow designated users to run commands as root</h2> A user account (example: foo</code>) was created during installation and assigned to the wheel</code> group. Install doas</code> to run root-level access commands, and allow members of wheel</code> to do so by default, by creating doas.conf</code>: pkg install doas echo "permit :wheel" > /usr/local/etc/doas.conf </code></pre> To allow user foo</code> to run commands as root without asking for a password: echo "permit nopass keepenv foo" >> /usr/local/etc/doas.conf </code></pre> Log out as root</code>, log back in as your user, and use doas</code> to run any commands that require root privileges. Use a larger font in console</h2> On some of the higher-resolution displays I find the default font size in the console pretty small. The base system includes a selection of console fonts in /usr/share/vt/fonts</code>. Try a different, larger font size: doas vidcontrol -f terminus-b32 </code></pre> Download (in raw</code> format) this nice selection of terminus fonts of different sizes</a>, converted for use in the FreeBSD console. Unpack the .txz</code> package and copy the fonts to /usr/share/vt/fonts</code>: tar xvf vt-font-terminus-*.txz && doas cp terminus-font/ter-u* /usr/share/vt/fonts/ </code></pre> Try different font sizes: doas vidcontrol -f ter-u22 </code></pre> Use sysrc</code> to make a selection permanent by modifying rc.conf</code>: doas sysrc allscreens_flags="-f ter-u22" </code></pre> More: Fix small font in FreeBSD</a> Add user to additional groups</h2> Add my user account created during installation to a group with the syntax: doas pw groupmod [group_name] -m [username] </code></pre> Example: Permit powering off the system as a non-root user using shutdown</code> by adding my user foo</code> to the operator</code> group: doas pw groupmod operator -m foo </code></pre> Alias for root mail</h2> Rather than login to root to collect system mail, I forward the root user’s mail to my non-root user’s inbox. Open the aliases</code> file for editing: doas vi /etc/aliases </code></pre> Modify: # root: me@my.domain </code></pre> … by uncommenting the line and replacing me@my.domain</code> with my foo</code> username: root: foo </code></pre> Save changes and exit. Let the MTA know about the modification by running the newaliases</code> command with no arguments: doas newaliases </code></pre> Test whether mail is indeed being forwarded by using the mail</code> command as my user to send root a message: $ mail root Subject: Test new alias Is it working? </code></pre> Press CTRL-d</code> to exit and send message. It works! $ mail Mail version 8.1 6/6/93. Type ? for help. "/var/mail/foo": 1 message 1 new >N 1 dwa@tukturjuit.home. Thu Mar 19 15:05 13/427 "Test new alias" </code></pre> More: How to Forward Root’s Mail</a> Switch user shell from sh to bash</h2> If a user account is created during the install of FreeBSD, the default shell assigned is sh</code>. I prefer bash</code>, which is not included in the base system: doas pkg install bash bash-completion </code></pre> List available shells: $ cat /etc/shells ... /bin/sh /bin/csh /bin/tcsh /usr/local/bin/bash /usr/local/bin/rbash </code></pre> Open .bashrc</code> for editing: vi ~/.bashrc </code></pre> Enable the bash completion library: [[ $PS1 && -f /usr/local/share/bash-completion/bash_completion.sh ]] && \ source /usr/local/share/bash-completion/bash_completion.sh </code></pre> Save changes and exit. Open .bash_profile</code> for editing: vi ~/.bash_profile </code></pre> Source .bashrc</code> on shell launch: . ~/.bashrc </code></pre> Save changes and exit. Make the switch from sh</code> to bash</code>: chsh -s /usr/local/bin/bash </code></pre> Log out and back in to start using the new shell. More: FreeBSD Handbook - Shells</a> Create SSH keys</h2> Create an SSH public/private key pair to facilitate passwordless logins to remote servers and (optional) configure remote access to the localhost. Read More</a> Boot delay</h2> By default the system will pause at the boot menu for 10 seconds. I shorten this to 3 seconds by setting: echo 'autoboot_delay="3"' | doas tee -a /boot/loader.conf </code></pre> Message of the day</h2> Quiet the “message of the day” (motd</code>) output after logging into the system by creating an empty .hushlogin</code> file: touch ~/.hushlogin </code></pre> Clear terminal at logout</h2> For the bash</code> shell, add to .bash_profile</code>: echo 'test -f ~/.exitrc && trap ". ~/.exitrc" EXIT' >> ~/.bash_profile </code></pre> Create .exitrc</code> with: echo "type clear >/dev/null 2>&1 && clear" > ~/.exitrc </code></pre> More: How to clear terminal after logging out?</a> You can like, share, or comment on this post on the Fediverse</a> 💬 Install FreeBSD (Short and Sweet Version) Tue, 17 Mar 2026 00:00:00 +0000 Part of the “FreeBSD on a Laptop”</a> series. The FreeBSD Handbook has an extensive chapter on installing FreeBSD</a> that covers a wide range of scenarios with descriptions of each possible choice. Its an invaluable resource maintained by volunteer contributors. After performing a few installs, these are my personal notes of steps taken and choices made. A “short and sweet” version of the above Handbook. 1. Start Here</a> Acquire an installation image</a></li> Prepare the USB installation medium</a></li> </ul> </li> 2. Installation</a> Steps</a></li> </ul> </li> </ul> 1. Start Here</h2> Throughout this guide, if you see square brackets []</code> in code blocks, that means the word of code (square brackets included) should be replaced with something else. This is detailed in the instructions before or after the code block. FreeBSD will be installed as the sole operating system on a single disk using the ZFS</code> file system with encryption. A few assumptions: Target device is amd64</code> architecture using UEFI to boot.</li> Network access during install uses a wired interface</li> </ul> Acquire an installation image</h3> As of March 2026 the latest release is FreeBSD 15.0-RELEASE</a>. Download FreeBSD-15.0-RELEASE-amd64-memstick.img</code> and the CHECKSUM</code> file for verification: wget https://download.freebsd.org/releases/amd64/amd64/ISO-IMAGES/15.0/FreeBSD-15.0-RELEASE-amd64-memstick.img wget https://download.freebsd.org/releases/amd64/amd64/ISO-IMAGES/15.0/CHECKSUM.SHA512-FreeBSD-15.0-RELEASE-amd64 </code></pre> Verify the integrity of the image by running: sha512sum -c --ignore-missing CHECKSUM.SHA512-FreeBSD-15.0-RELEASE-amd64 </code></pre> Prepare the USB installation medium</h3> Write the installer to an unmounted USB storage device running the dd</code> command as root. WARNING Be very careful to note the proper device (which can be identified with lsblk</code>). All contents on the device will be lost! Example: On a Linux system, if a USB stick appears as sdx1</code>, then write the installer to sdx</code> (omit partition number): dd bs=4M conv=fsync oflag=direct status=progress if=FreeBSD-15.0-RELEASE-amd64-memstick.img of=/dev/sdx </code></pre> 2. Installation</h2> Boot target device from the install media. In the FreeBSD Boot Menu press <Enter></code> to launch the installer. Steps</h3> Welcome: Install</code></li> Keymap Selection: Default is standard US</code> keyboard map. Press <enter></code> to continue or select an alternative from the list.</li> Set Hostname: [new_name_for_device].home.arpa</code> # example: foobox.home.arpa</code></li> Set Installation Type: Packages (Tech Preview)</code></li> Network or Offline Installation: Network</code></li> Network Configuration: [ethernet interface]</code> and Auto</code> # example: Intel network device em0</code></li> Partitioning: Auto (ZFS) Guided Root-on-ZFS</code></li> ZFS Configuration: Pool Type/Disks: stripe: 1 disk</code> # [*] ada0</code> for SATA and [*] nda0</code> for NVME</li> Pool Name zroot</code></li> Force 4K Sectors? YES</code></li> Encrypt Disks? YES</code></li> Partition Scheme? GPT (UEFI)</code></li> Swap Size 16g</code></li> Mirror Swap? NO</code></li> Encrypt Swap? YES</code></li> Select >>> Install Proceed with Installation</code></li> Select YES</code> to destroy current contents of target disk</li> Enter encryption passphrase. Retype to confirm.</li> </ul> </li> Select System Components: [x] base</code></li> [*] kernel-dbg</code></li> [*] lib32</code></li> </ul> </li> Set root password. Retype to confirm.</li> Time Zone Selector: [region]</code> # example: America - Canada - Eastern - ON & QC (EDT)</code></li> Time and Date: Date: Skip</code></li> Time: Skip</code> # NTP will set on reboot</li> </ul> </li> Services to be started at boot: [*] sshd</code></li> [*] ntpd</code></li> [*] powerd</code> # for laptops</li> [*] dumpdev</code></li> </ul> </li> System hardening: [*] clear_tmp</code></li> </ul> </li> Firmware installation: [package(s)]</code> # install packages if available</li> Add user account? Yes</code> Username: [username]</code> # example: foo</code></li> Full name: <enter></code></li> Uid: <enter></code></li> Login group: <enter></code></li> Other groups?: wheel</code></li> Login class: <enter></code></li> Shell: <enter></code></li> Home directory: <enter></code></li> Home directory permissions: <enter></code></li> Enable ZFS encryption? no</code> # encrypted Root-on-ZFS already enabled</li> Use password-based authentication? <enter></code></li> Use an empty password? <enter></code></li> Use a random password? <enter></code></li> Enter password. Retype to confirm.</li> Lock out account after creation? <enter></code></li> OK? <enter></code></li> Add another user? <enter></code></li> </ul> </li> Final configuration: Finish Apply configuration and exit installer</code></li> Manual configuration: No</code></li> Complete: Reboot</code></li> </ul> NOTE When prompted for the encryption passphrase - regardless of the keymap set during install - enter the correct passphrase referencing the US</code> keymap: GELI Passphrase for <disk>: </code></pre> Upon success, boot resumes…. FreeBSD/amd64 (foobox.home.arpa) (ttyv0) login: root Password: </code></pre> Welcome to FreeBSD! To shutdown/poweroff the system: shutdown -p now </code></pre> Next: After the First Boot</a> You can like, share, or comment on this post on Mastodon</a> 💬

4. Disk Encryption</h2>
NetBSD uses the cryptographic device driver</a> (CGD) to create and manage encrypted devices.</p>

6. Configure the System</h2>
Chroot into the freshly installed NetBSD and configure the new OS.</p>

Configure SSH on NetBSD for Passwordless Logins to Servers

1. Start Here</h2>

2. Create Public and Private Keys</h2>

4. Disable Password Logins</h2>

5. Create An Alias</h2>

6. Keychain</h2>

Just Enough Chimera Linux

2. Configure the Live Environment</h2>
Boot the target device from the Chimera installation media. Login and password is `root:chimera</code>.</p>`

6. Configure the System</h2>
Chroot into the freshly installed Chimera and configure the new OS.</p>

7. ZFSBootMenu</h2>
Install this bootloader to support Root-on-ZFS</strong> boot environments on Linux.</p>

8. Finish Up</h2>

FreeBSD: After the First Boot

Install FreeBSD (Short and Sweet Version)

2. Installation</h2>
Boot target device from the install media. In the FreeBSD Boot Menu</strong> press `<Enter></code> to launch the installer.</p>`
`</p>`

Daniel Wayne Armstrong

NetBSD Installation with Disk Encryption

Daniel Wayne Armstrong

NetBSD Installation with Disk Encryption

4. Disk Encryption</h2> NetBSD uses the cryptographic device driver</a> (CGD) to create and manage encrypted devices.</p>

6. Configure the System</h2> Chroot into the freshly installed NetBSD and configure the new OS.</p>

Configure SSH on NetBSD for Passwordless Logins to Servers

1. Start Here</h2>

On BOTH the CLIENT and the SERVER</h3> Create the .ssh</code> directory and authorized_keys</code> file in $HOME</code>:</p>

2. Create Public and Private Keys</h2>

On the CLIENT</h3> Create the SSH public/private key pair protected with a passphrase:</p>

3. Share Public Key</h2>

On the CLIENT</h3> Upload the public key to the SERVER and append to the SERVER authorized_keys</code> file:</p>

4. Disable Password Logins</h2>

On the CLIENT</h3> While remaining logged into SERVER, open another terminal and verify the changes by attempting a new login using password authentication (which should fail</strong>):</p>

5. Create An Alias</h2>

6. Keychain</h2>

Just Enough Chimera Linux

2. Configure the Live Environment</h2> Boot the target device from the Chimera installation media. Login and password is root:chimera</code>.</p>

6. Configure the System</h2> Chroot into the freshly installed Chimera and configure the new OS.</p>

7. ZFSBootMenu</h2> Install this bootloader to support Root-on-ZFS</strong> boot environments on Linux.</p>

8. Finish Up</h2>

FreeBSD: After the First Boot

Package management</h2> Package management is one area where the differences between the Linux philosophy and the BSD philosophy about how to build a system becomes apparent.</p>

Alias for root mail</h2> Rather than login to root to collect system mail, I forward the root user’s mail to my non-root user’s inbox.</p> Open the aliases</code> file for editing:</p>

Message of the day</h2> Quiet the “message of the day” (motd</code>) output after logging into the system by creating an empty .hushlogin</code> file:</p>

Clear terminal at logout</h2> For the bash</code> shell, add to .bash_profile</code>:</p>

Install FreeBSD (Short and Sweet Version)

2. Installation</h2> Boot target device from the install media. In the FreeBSD Boot Menu</strong> press <Enter></code> to launch the installer.</p> </p>

4. Disk Encryption</h2>
NetBSD uses the cryptographic device driver</a> (CGD) to create and manage encrypted devices.</p>

6. Configure the System</h2>
Chroot into the freshly installed NetBSD and configure the new OS.</p>

2. Configure the Live Environment</h2>
Boot the target device from the Chimera installation media. Login and password is `root:chimera</code>.</p>`

6. Configure the System</h2>
Chroot into the freshly installed Chimera and configure the new OS.</p>

7. ZFSBootMenu</h2>
Install this bootloader to support Root-on-ZFS</strong> boot environments on Linux.</p>

2. Installation</h2>
Boot target device from the install media. In the FreeBSD Boot Menu</strong> press `<Enter></code> to launch the installer.</p>`
`</p>`