Number</th>	Size</th>	Code</th>	Format</th>	Use as</th>	Mountpoint</th></tr></thead>
1</td>	2g</td>	ef00</td>	vfat</td>	EFI system partition</td>	/boot/efi</td></tr>
2</td>	8g</td>	8200</td>	swap</td>	Swap partition</td>	(not applicable)</td></tr>
3</td>	->END</td>	bf00</td>	zfs</td>	ZFS pool partition</td>	/</td></tr> </tbody></table> Create the EFI system partition:</p> sgdisk -n "${ESP_PART}:1m:+2g" -t "${ESP_PART}:ef00" -c 0:esp $DISK</span></span></code></pre> Create the swap partition:</p> sgdisk -n "${SWAP_PART}:0:+8g" -t "${SWAP_PART}:8200" -c 0:swap $DISK</span></span></code></pre> Create the ZFS pool partition:</p> sgdisk -n "${POOL_PART}:0:0" -t "${POOL_PART}:bf00" -c 0:pool $DISK</span></span></code></pre> Display DISK layout:</p> partprobe $DISK && sgdisk -p $DISK</span></span></code></pre>4. ZFS Pool Creation</h2> When adding disks or partitions to ZFS pools, its good practice to refer to them by the symbolic links created in /dev/disk/by-partuuid</code> (UEFI) so that ZFS will identify the right devices even if disk naming should change at some point. Using traditional device nodes like /dev/sda2</code> may cause intermittent import failures.</p> So I create a POOL_ID</code> variable:</p> POOL_ID=/dev/disk/by-partuuid/$( blkid -s PARTUUID -o value $POOL_DEVICE )</span></span></code></pre> Verify:</p> ls -al /dev/disk/by-partuuid/ && echo "POOL_ID = $POOL_ID"</span></span></code></pre>Create encryption keyfile</h3> Store the encryption passphrase for the ZFS pool in a keyfile:</p> echo 'SuperSecretPassphrase' > /etc/zfs/zroot.key</span></span> chmod 000 /etc/zfs/zroot.key</span></span></code></pre>Create encrypted ZFS pool</h3> Create the pool with native encryption enabled:</p> zpool create -f \</span></span> -o ashift=12 \</span></span> -o autotrim=on \</span></span> -o compatibility=openzfs-2.3-linux \</span></span> -O acltype=posixacl \</span></span> -O xattr=sa \</span></span> -O compression=lz4 \</span></span> -O encryption=aes-256-gcm \</span></span> -O keylocation=file:///etc/zfs/zroot.key \</span></span> -O keyformat=passphrase \</span></span> -O relatime=on \</span></span> -m none zroot "$POOL_ID"</span></span></code></pre>Create ZFS datasets</h3> NOTE</strong> It is necessary to explicitly set the canmount=noauto</code> on every boot environment you create.</p> zfs create -o mountpoint=none zroot/ROOT</span></span> zfs create -o mountpoint=/ -o canmount=noauto zroot/ROOT/${ID}</span></span></code></pre> Set the preferred boot file system:</p> zpool set bootfs=zroot/ROOT/${ID} zroot</span></span></code></pre> I create an additional home</code> dataset for each system:</p> zfs create zroot/ROOT/${ID}/home</span></span></code></pre> This allows me to keep user config files unique to each boot environment that I might create in the future. It also separates user data from system data, which is useful for ZFS snapshots and enables system rollbacks while leaving user data untouched.</p> To share data between boot environments, I create a data</code> dataset to store common files:</p> zfs create -o mountpoint=/data zroot/data</span></span></code></pre>Export and re-import pool for installation</h3> zpool export zroot</span></span> zpool import -N -R /mnt zroot</span></span> zfs load-key -L prompt zroot</span></span></code></pre> Mount datasets:</p> zfs mount zroot/ROOT/${ID}</span></span> zfs mount zroot/ROOT/${ID}/home</span></span> zfs mount zroot/data</span></span></code></pre> Verify:</p> # mount -t zfs</span></span> zroot/ROOT/chimera on /mnt type zfs (rw,relatime,xattr,posixacl,casesensitive)</span></span> zroot/ROOT/chimera/home on /mnt/home type zfs (rw,relatime,xattr,posixacl,casesensitive)</span></span> zroot/data on /mnt/data type zfs (rw,relatime,xattr,posixacl,casesensitive)</span></span></code></pre> Update device symlinks:</p> udevadm trigger</span></span></code></pre>5. Installation</h2> Install the base system:</p> chimera-bootstrap /mnt</span></span></code></pre> Copy files into the new operating system:</p> cp /etc/hostid /mnt/etc/</span></span> mkdir /mnt/etc/zfs && cp /etc/zfs/zroot.key /mnt/etc/zfs/</span></span></code></pre>6. Configure the New System</h2> Chroot into the freshly installed Chimera and configure the base system.</p> Enter chroot</h3> chimera-chroot /mnt</span></span></code></pre>Set root password</h3> passwd</span></span></code></pre>Create superuser</h3> Create a user account with superuser privileges:</p> useradd -m -G wheel [username]</span></span></code></pre> ... where [username]</code> is the desired name for the account.</p> Set a password for [username]</code>:</p> passwd [username]</span></span></code></pre> (Optional) Give root</code> access to [username]</code> with no password using the doas</code> command:</p> echo 'permit nopass keepenv [username]' >> /etc/doas.conf</span></span></code></pre>Package manager and extra packages</h3> Add the user</code> subrepo and sync mirrors:</p> apk add --no-interactive chimera-repo-user && apk update</span></span></code></pre> Identify the processor vendor:</p> grep vendor_id /proc/cpuinfo</span></span></code></pre> Define a variable for an appropriate microcode package to load updates and security fixes:</p> UCODE="[vendor]"</span></span></code></pre> ... where [vendor]</code> for Intel processors is ucode-intel</code> and AMD processors is ucode-amd</code>.</p> Install:</p> apk add --no-interactive $UCODE linux-lts-zfs-bin cryptsetup cryptsetup-scripts-initramfs-tools curl efibootmgr font-terminus</span></span></code></pre>Set console font</h3> NOTE</strong> For terminus</code> font settings, see /usr/share/consolefonts/README.Lat2-Terminus16</code> for details.</p> Chimera uses the same console-setup</code> system as Debian.</p> Example: Use TerminusBold</code> as the console font and increase font size by modifying /etc/default/console-setup</code>:</p> ACTIVE_CONSOLES="/dev/tty[1-6]"</span></span> </span> CHARMAP="UTF-8"</span></span> </span> CODESET=guess</span></span> FONTFACE=TerminusBold</span></span> FONTSIZE=14x28</span></span></code></pre>Set console keyboard</h3> Default keyboard is us</code>. If a keymap alternative is desired, see keyboard(5)</code> for options.</p> Example: I like to use the colemak</code> keymap (available in /usr/share/keymaps/i386/colemak</code>), which I set by modifying /etc/default/keyboard</code>:</p> KMAP=colemak/en-latin9</span></span> </span> XKBMODEL=pc105</span></span> XKBLAYOUT=us</span></span></code></pre>Set timezone</h3> Timezones are located in /usr/share/zoneinfo/[Region]/[City]</code>, where [Region]</code> is the geographical region (Africa, America, Europe, ...) and the [City]</code> within that region.</p> Example: Create the /etc/localtime</code> symbolic link to the timezone where Toronto</code> is located:</p> ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime && date</span></span></code></pre>Assign hostname</h3> Create the hostname</code> file:</p> echo [hostname] > /etc/hostname</span></span></code></pre> ... where [hostname]</code> is the desired name of the system (single word, no spaces):</p> echo chimeralinux > /etc/hostname</span></span></code></pre>Enable services</h3> Links to services enabled by the admin are in /etc/dinit.d/boot.d/</code>.</p> Default logging system on Chimera is syslog-ng</code>.</p> Enable the service:</p> dinitctl -o enable syslog-ng</span></span></code></pre> Logs are written to /var/log/messages</code>.</p> You can configure wired networks statically or dynamically with dhcpcd</code>.</p> Enable the service:</p> dinitctl -o enable dhcpcd</span></span></code></pre> Default activity is for dhcpcd</code> to configure all interfaces with DHCP. Changes are made in /etc/dhcpcd.conf</code>. See dhcpcd.conf(5)</code> for more details.</p> Enable the sshd</code> service to allow remote logins:</p> dinitctl -o enable sshd</span></span></code></pre>Format and mount ESP partition</h3> NOTE</strong> Labels on file systems are optional, but helpful. They are a more reliable way to identify the correct partition than simple device nodes and allow for easy mounting without a UUID.</p> Create a fat32</code> file system:</p> mkfs.fat -n ESP -F 32 $ESP_DEVICE</span></span></code></pre> Mount device:</p> mount --mkdir $ESP_DEVICE /boot/efi</span></span></code></pre> Add partition to fstab</code>:</p> echo 'LABEL=ESP /boot/efi vfat defaults 0 0' >> /etc/fstab</span></span></code></pre>Enable swap encryption</h3> Using raw dm-crypt</code> enables the system to generate a random, one-time encryption key at boot that requires no action from the user to encrypt swap</code>. At shutdown the key is discarded, rendering any remaining data effectively destroyed.</p> To allow the use of a label (as previously done with the ESP) to identify the swap partition that can survive an overwrite, a swap offset</a> can be used. Create this offset by writing a tiny, empty file system on SWAP_DEVICE whose sole purpose is to provide a persistent label for swap creation:</p> mkfs.ext2 -L cryptswap $SWAP_DEVICE 1M</span></span></code></pre> Configure dm-crypt</code> to set up swap on this cryptswap</code> partition at boot by adding an entry to crypttab</code>:</p> echo 'swap LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096' >> /etc/crypttab</span></span></code></pre> Add swap device to fstab</code>:</p> echo '/dev/mapper/swap none swap defaults 0 0' >> /etc/fstab</span></span></code></pre>Regenerate initramfs</h3> Encryption key is stored in /etc/zfs</code> and will automatically be copied into the initramfs.</p> Set UMASK=0077</code> as default permissions for newly created files and directories:</p> mkdir -p /etc/initramfs-tools/conf.d</span></span> echo 'UMASK=0077' > /etc/initramfs-tools/conf.d/umask.conf</span></span></code></pre> ... and set RESUME=none</code> to disable the cryptsetup</code> command from checking/warning about the lack of hibernate/resume support in our swap partition:</p> echo 'RESUME=none' > /etc/initramfs-tools/conf.d/resume</span></span></code></pre> Regenerate:</p> update-initramfs -u -k all</span></span></code></pre> Any warning messages along the lines of:</p> cryptsetup: WARNING: Couldn't determine root device</span></span></code></pre> ... can be safely ignored. In this instance the script is looking for a root mapping that doesn't exit (root encryption is handled in ZFS).</p> 7. ZFSBootMenu</h2> Install the ZBM bootloader to support Root-on-ZFS</strong> boot environments on Linux.</p> Boot properties</h3> NOTE</strong> Add the hibernate=no</code> argument to ensure that no process can trigger a suspend-to-disk action, which is consistent with the goal of using an ephemeral, random-key swap.</p> Assign command-line arguments to be used when booting the kernel:</p> zfs set org.zfsbootmenu:commandline="quiet hibernate=no" zroot/ROOT</span></span></code></pre> Configure key caching:</p> zfs set org.zfsbootmenu:keysource="zroot/ROOT/${ID}" zroot</span></span></code></pre>Prebuilt executable</h3> Install a prebuilt ZBM executable to the ESP:</p> mkdir -p /boot/efi/EFI/ZBM</span></span> curl -o /boot/efi/EFI/ZBM/VMLINUZ.EFI -L https://get.zfsbootmenu.org/efi</span></span> cp /boot/efi/EFI/ZBM/VMLINUZ.EFI /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI</span></span></code></pre>EFI boot entries</h3> efibootmgr -c -d "$DISK" -p "$ESP_PART" -L "ZFSBootMenu (Backup)" -l '\EFI\ZBM\VMLINUZ-BACKUP.EFI'</span></span> efibootmgr -c -d "$DISK" -p "$ESP_PART" -L "ZFSBootMenu" -l '\EFI\ZBM\VMLINUZ.EFI'</span></span></code></pre>8. Finish Up</h2> Exit chroot, unmount, and export</h3> Exit chroot:</p> exit</span></span></code></pre> Unmount everything:</p> umount /mnt/home && umount /mnt/data && umount /mnt/boot/efi && umount -n -R /mnt</span></span></code></pre> Export the zpool:</p> zpool export zroot</span></span></code></pre>Reboot</h3> reboot</span></span></code></pre> NOTE</strong> When prompted for passphrase to unlock zpool, keymap is us</code> regardless of keymap that might have been set on system.</p> User is prompted for the passphrase to unlock the encrypted root partition. Upon success, boot resumes:</p> chimeralinux login:</span></span></code></pre> Welcome to Chimera!</strong></p> 9. Resources</h2> ZFSBootMenu: Chimera Linux Guide</a></li> Chimera Linux: Installation Guide</a></li> OpenZFS Man Pages: zpoolprops.7</a> and zfsprops.7</a></li> Practical ZFS: Linux home directory on ZFS</a></li> Arch Linux Wiki: Persistent block device naming</a> and swap encryption</a></li> </ul> Next: Chimera Linux: After the First Boot</em> (TODO)</p> You can like, share, or comment on this post on the Fediverse</a> 💬 </p> NetBSD Installation with Disk Encryption Sun, 12 Apr 2026 00:00:00 +0000 The first time I installed NetBSD</a> I used sysinst(8)</a>, a menu-based program launched at boot that runs in the console. It has a clear and concise layout and I was quickly up-and-running on my new BSD</a> system.</p> For my next</strong> install I wanted to include disk encryption</strong> to protect personal data in case the device is lost or stolen. Its not really enough to simply encrypt home directories. Passphrases and sensitive data can linger and be extracted from locations such as system logs and swap memory. There is a trade-off to be made between how much to encrypt, the convenience of operating the system, and the ability for the system to boot.</p> 1. Start Here</a> Acquire an installation image</a></li> Prepare the USB installation medium</a></li> </ul> </li> 2. Configure the Live Environment</a> Connect to the internet</a></li> Remote login to the installer</a></li> </ul> </li> 3. Prepare the DISK</a> Identify disks and partitions</a></li> Define DISK variable</a></li> Wipe DISK</a></li> Partition DISK</a></li> Define wedge variables</a></li> Format and mount the ESP wedge</a></li> Add EFI boot entries to ESP</a></li> Format and mount the root wedge</a></li> </ul> </li> 4. Disk Encryption</a> Create encrypted device</a></li> Create disklabels</a></li> Verify encrypted device</a></li> Format and mount disklabels</a></li> </ul> </li> 5. Installation</a></li> 6. Configure the System</a> Chroot</a></li> Directories</a></li> Devices</a></li> Root password</a></li> Superuser</a></li> Fstab</a></li> Startup</a></li> Keyboard</a></li> Timezone</a></li> Network interface</a></li> Terminals</a></li> </ul> </li> 7. Finish Up</a></li> 8. Resources</a></li> </ul> 1. Start Here</h2> Throughout this HOWTO, if you see square brackets []</code> in code blocks, that means the word of code (square brackets included) should be replaced with something else. This is detailed in the instructions before or after the code block.</p> NetBSD will be installed as the sole operating system on a single disk using a four-partition layout:</p> Partition ESP</code> is the EFI system partition.</li> Partition root</code> hosts a minimal root filesystem that boots to an encryption passphrase prompt, which upon entry unlocks...</li> ... the encrypted device on partition syscgd</code> containing the contents of var</code>, usr</code>, and home</code>.</li> Partition swap</code> is swap memory auto-encrypted at boot using a random key.</li> </ul> A few assumptions:</p> Target device is amd64</code> architecture using UEFI to boot.</li> Secure boot is disabled on target device.</li> Network access during install uses a wired interface.</li> </ul> Sysinst does not provide the option for encrypting the system in this manner, so early in the install process I switch to the console and proceed to manually install NetBSD.</p> Acquire an installation image</h3> The latest official installation images (as of April 2026) are available here: Images and torrents</a></p> Download the NetBSD-11.0_RC3-amd64-install.img.gz</code> image and the SHA512</code> file for verification:</p> wget https://cdn.netbsd.org/pub/NetBSD/images/11.0_RC3/NetBSD-11.0_RC3-amd64-install.img.gz</span></span> wget https://cdn.netbsd.org/pub/NetBSD/images/11.0_RC3/SHA512</span></span></code></pre> Verify the image using sha512sum</code>:</p> sha512sum -c --ignore-missing SHA512 </span></span></code></pre> Decompress the image:</p> gunzip NetBSD-11.0_RC3-amd64-install.img.gz</span></span></code></pre>Prepare the USB installation medium</h3> Write the installer to an unmounted</strong> USB storage device running the dd(1)</a> command as root</code>.</p> WARNING</strong> Be very careful to note the proper device (which can be identified with lsblk</code>). All contents on the device will be lost!</strong></p> Example: On a Linux system, if a USB stick appears as sdx1</code>, then write the installer to sdx</code> (omit partition number):</p> dd bs=4M conv=fsync oflag=direct status=progress if=NetBSD-11.0_RC3-amd64-install.img of=/dev/sdx</span></span></code></pre>2. Configure the Live Environment</h2> Boot the target device from the NetBSD installation medium. Select Option 1</code> (default) to Install NetBSD</code>.</p> After the installer has successfully booted into the NetBSD kernel, a prompt appears to select which language</strong> will be used for installation messages, followed by a prompt to select a different keyboard type</strong> if desired or leave unchanged.</p> Next up the menu-based sysinst</strong> program is launched:</p> NetBSD-11.0_RC3 Install System</span></span> </span> >a: Install NetBSD to hard disk</span></span> b: Upgrade NetBSD on a hard disk</span></span> c: Re-install sets or install additional sets</span></span> d: Reboot the computer</span></span> e: Utility menu</span></span> f: Config menu</span></span> x: Exit Install System</span></span></code></pre>Connect to the internet</h3> At the Install System</code> main menu, select >e: Utility menu</code> then >c: Configure network</code>.</p> Available interfaces</code> lists the network interfaces detected by the NetBSD installer.</p> Example: With my target device Available interfaces</code> lists two: wm0</code> (wired) and iwn0</code> (wireless). I choose to configure the wired ethernet interface:</p> Network media (empty to autoconfigure) [autoselect]: <enter></span></span> Perform autoconfiguration?</span></span> >a: Yes</span></span> Your host name: foobox</span></span> Your DNS domain: home.arpa</span></span> The following are the values you entered.</span></span> </span> [...]</span></span> </span> Are they OK?</span></span> >a: Yes</span></span></code></pre>Remote login to the installer</h3> Make this manual installation process easier (i.e. cut-n-paste commands) by remotely logging into the installer via ssh</code> from another computer.</p> Open a shell by selecting >a: Run /bin/sh</code> from the Utilities</code> menu.</p> Set a password for root</code>:</p> passwd</span></span></code></pre> Open the sshd_config</code> file for editing using the vi</code> editor:</p> vi /etc/ssh/sshd_config</span></span></code></pre> Set permission to allow root</code> to login:</p> PermitRootLogin yes</span></span></code></pre> Save changes and exit.</p> Start the sshd</code> daemon:</p> /etc/rc.d/sshd onestart</span></span></code></pre> Retrieve the IP address for the active interface configured earlier (example: wm0</code>):</p> ifconfig wm0</span></span></code></pre> Switch to the other computer and ssh</code> into the target device:</p> ssh root@[ip_address]</span></span></code></pre> ... where [ip_address]</code> is the target device's address obtained with the ifconfig</code> command above.</p> 3. Prepare the DISK</h2> NOTE</strong> For the purposes of this HOWTO, the example target device has a single NVMe disk with an existing install of Linux</a> that will be erased and replaced by NetBSD. Device IDs and storage sizes will vary between devices.</p> Identify disks and partitions</h3> Discover what disk devices and partitions have been recognized by the kernel:</p> # sysctl hw.disknames</span></span> hw.disknames = ld0 dk0 dk1 dk2 dk3 sd0 dk4 dk5</span></span></code></pre> NVMe devices show up as ld</code> and hard disks are identified by wd</code>. USB devices usually show up as sd</code>.</p> The dk</code> devices are partitions (know as wedges</strong> in NetBSD parlance) on the storage devices, and this early after boot are usually displayed in order, that is: dk0</code> through dk3</code> are wedges on the NVMe target device ld0</code>, and dk4</code> and dk5</code> on the USB installer sd0</code>.</p> Verify by asking for a list of wedges on sd0</code>:</p> # dkctl sd0 listwedges</span></span> /dev/rsd0: 2 wedges:</span></span> dk4: EFI system, 262144 blocks at 2048, type: msdos</span></span> dk5: 30c4cc4e-5369-449c-8994-a4b1ea665b4b, 4853760 blocks at 264192, type: ffs</span></span></code></pre> Verify which device the installer booted from:</p> # dmesg \| fgrep "root on"</span></span> [ 4.158650] root on dk5</span></span></code></pre> There is also the nvmectl</code> command (use atactl</code> for SATA drives):</p> # nvmectl identify nvme0 \| egrep 'Model\|Device type\|Capacity'</span></span> Model Number: Samsung SSD 980 1TB</span></span></code></pre>Define DISK variable</h3> The NVMe storage device detected above as ld0</code> is where NetBSD will be installed. Adjust accordingly for your own storage device:</p> DISK="ld0"</span></span></code></pre>Wipe DISK</h3> Wipe existing file systems and partition table on DISK:</p> gpt destroy $DISK && gpt show $DISK</span></span></code></pre>Partition DISK</h3> NOTE</strong> I typically set the swap partition size equal to the amount of physical RAM to a maximum 16g</code>.</p> Create a GPT partition table on DISK with the following layout:</p> Number</th> Size</th> Type</th> Use as</th></tr></thead> 1</td> 550m</td> efi</td> ESP partition</td></tr> 2</td> 6g</td> ffs</td> Root partition</td></tr> 3</td> 16g</td> swap</td> Encrypted swap partition</td></tr> 4</td> ->END</td> cgd</td> Encrypted system partition</td></tr> </tbody></table> Create a new GPT partition table:</p> gpt create -f $DISK</span></span></code></pre> Create the wedges:</p> gpt add -l "ESP" -t efi -s 550m $DISK</span></span> gpt add -l "root" -t ffs -s 6g $DISK</span></span> gpt add -l "swap" -t swap -s 16g $DISK</span></span> gpt add -l "syscgd" -t cgd $DISK</span></span> gpt show $DISK</span></span></code></pre>Define wedge variables</h3> List wedges:</p> # dkctl $DISK listwedges</span></span> /dev/rld0: 4 wedges:</span></span> dk2: ESP, 524288 blocks at 34, type: msdos</span></span> dk3: root, 16777216 blocks at 524322, type: ffs</span></span> dk4: swap, 33554432 blocks at 17301538, type: swap</span></span> dk5: syscgd, 1902669165 blocks at 50855970, type: cgd</span></span></code></pre> NOTE</strong> Your dk[number]</code> numbering may differ from above. Adjust accordingly:</p> Define variables:</p> DK_ESP="dk2"</span></span> DK_ROOT="dk3"</span></span></code></pre>Format and mount the ESP wedge</h3> newfs_msdos /dev/r${DK_ESP} && mount /dev/${DK_ESP} /mnt</span></span></code></pre>Add EFI boot entries to ESP</h3> mkdir -p /mnt/EFI/boot && cp -v /usr/mdec/*.efi /mnt/EFI/boot</span></span></code></pre> Unmount wedge:</p> umount /mnt</span></span></code></pre>Format and mount the root wedge</h3> Format and mount the root wedge with the FFSv2</code> file system with support for extended attributes and access control lists:</p> newfs -O 2ea /dev/r${DK_ROOT} && mount /dev/${DK_ROOT} /targetroot</span></span></code></pre>4. Disk Encryption</h2> NetBSD uses the cryptographic device driver</a> (CGD) to create and manage encrypted devices.</p> Create encrypted device</h3> Using cgdconfig</code>, a parameters file is generated that stores the encryption type, key length, and a random password salt for the new encrypted device.</p> There are a few different encryption ciphers supported</a>. I choose aes-xts</code> with a 512-bit key:</p> mkdir -p /targetroot/etc/cgd && chmod 700 /targetroot/etc/cgd</span></span> cgdconfig -g -V disklabel -o /targetroot/etc/cgd/syscgd aes-xts 512</span></span></code></pre> NOTE</strong> NAME=syscgd</code> is the label for the CGD wedge created earlier.</p> Create the encrypted device and assign it a passphrase. This passphrase will be used to open the CGD device at boot:</p> cgdconfig -V re-enter cgd0 NAME=syscgd /targetroot/etc/cgd/syscgd</span></span></code></pre>Create disklabels</h3> NOTE</strong> Disklabels c</code> and d</code> have special meaning in NetBSD</a> and should not be used.</p> Within the encrypted device, three disklabels are created:</p> Disklabel</th> Mountpoint</th> Size</th></tr></thead> cgd0a</td> /var</td> 8GB</td></tr> cgd0b</td> /usr</td> 48GB</td></tr> cgd0e</td> /home</td> ->END</td></tr> </tbody></table> Create the labels using disklabel</code> in interactive mode:</p> # disklabel -Ii cgd0</span></span> Enter '?' for help</span></span> ...</span></span></code></pre> Create cgd0a</code>:</p> partition>a</span></span> Filesystem type [4.2BSD]: <enter></span></span> Start offset ('x' to start after partition 'x') [0c, 0s, 0M]: <enter></span></span> Partition size ('$' for all remaining) [947594c, 1940672512s, 947594M]: 8G</span></span> a: ...</span></span></code></pre> Create cgd0b</code>:</p> partition>b</span></span> Filesystem type [unused]: 4.2BSD</span></span> Start offset ('x' to start after partition 'x') [0c, 0s, 0M]: a</span></span> Partition size ('$' for all remaining) [0c, 0s, 0M]: 48G </span></span> b: ...</span></span></code></pre> Create cgd0e</code>:</p> partition>e</span></span> Filesystem type [unused]: 4.2BSD</span></span> Start offset ('x' to start after partition 'x') [0c, 0s, 0M]: b</span></span> Partition size ('$' for all remaining) [0c, 0s, 0M]: $</span></span> e: ...</span></span></code></pre> Write the label and quit:</p> partition>W</span></span> Label disk [n]?y</span></span> Label written</span></span> partition>Q</span></span></code></pre>Verify encrypted device</h3> Set configuration in target device:</p> echo 'cgd0 NAME=syscgd /etc/cgd/syscgd' > /targetroot/etc/cgd/cgd.conf</span></span></code></pre> Close the CGD device:</p> cgdconfig -u cgd0</span></span></code></pre> Unlock the CGD device again with the passphrase set earlier:</p> cgdconfig cgd0 NAME=syscgd /targetroot/etc/cgd/syscgd</span></span></code></pre> The cgd0</code> drive should now be open and the disklabel visible:</p> disklabel cgd0</span></span></code></pre>Format and mount disklabels</h3> Format:</p> newfs -O 2ea cgd0a</span></span> newfs -O 2ea cgd0b</span></span> newfs -O 2ea cgd0e</span></span></code></pre> Mount:</p> mkdir /targetroot/var /targetroot/usr /targetroot/home</span></span> mount /dev/cgd0a /targetroot/var</span></span> mount /dev/cgd0b /targetroot/usr</span></span> mount /dev/cgd0e /targetroot/home</span></span></code></pre>5. Installation</h2> The new system is composed of sets</strong> (collections of packages) installed to the target device. These sets are located in /amd64/binary/sets</code>. Move into that directory:</p> cd /amd64/binary/sets && ls</span></span></code></pre> NOTE</strong> Adding flag p</code> to the tar</code> command is important. It ensures that all files preserve their owners</code> and mode</code>.</p> At a minimum, you must select a kernel and the base</code> and etc</code> sets. Below are the sets I choose to install for a desktop setup:</p> # for set in base comp etc games gpufw kern-GENERIC man misc modules rescue tests text xbase xcomp xetc xfont xserver; do</span></span> > tar -xvzpf $set.tar.xz -C /targetroot</span></span> > done</span></span></code></pre>6. Configure the System</h2> Chroot into the freshly installed NetBSD and configure the new OS.</p> Chroot</h3> chroot /targetroot</span></span></code></pre>Directories</h3> Create the kern</code> and proc</code> directories:</p> mkdir kern proc</span></span></code></pre>Devices</h3> cd dev</span></span> sh MAKEDEV all</span></span></code></pre> On a previous install, after rebooting the boot process halted with the error message:</p> /etc/defaults/rc.conf: cannot create /dev/null: read-only file system</span></span> /etc/rc: cannot create /dev/null: read-only file system</span></span></code></pre> MAKEDEV</code> had created null</code> but it was incorrectly configured:</p> # ls -l /dev/null</span></span> -rw-r--r-- 1 root wheel 0 Apr 5 13:06 null</span></span></code></pre> To avoid this error, remove the existing null</code>:</p> rm /dev/null</span></span></code></pre> Re-create null</code> with mknod</code>:</p> # mknod -m 0666 -u root -g wheel /dev/null c 2 2 && ls -l /dev/null</span></span> crw-rw-rw- 1 root wheel 2, 2 Apr 11 13:10 /dev/null</span></span></code></pre>Root password</h3> passwd</span></span></code></pre>Superuser</h3> Create a user account assigned to the wheel</code> and operator</code> groups:</p> useradd -G [groups] -m [username]</span></span></code></pre> Example: Create an account for user foo</code> and assign a password:</p> useradd -G wheel,operator -m foo</span></span> passwd foo</span></span> userinfo foo</span></span></code></pre>Fstab</h3> # cat > /etc/fstab << EOF</span></span> NAME=root / ffs rw,log,noatime 1 1</span></span> NAME=swap none swap sw,dp 0 0</span></span> tmpfs /tmp tmpfs rw,-m1777,-sram%25</span></span> kernfs /kern kernfs rw</span></span> ptyfs /dev/pts ptyfs rw</span></span> procfs /proc procfs rw</span></span> tmpfs /var/shm tmpfs rw,-m1777,-sram%25</span></span> /dev/cgd0a /var ffs rw,log,noatime 1 2</span></span> /dev/cgd0b /usr ffs rw,log,noatime 1 2</span></span> /dev/cgd0e /home ffs rw,log,noatime 1 2 </span></span> EOF</span></span></code></pre>Startup</h3> Open rc.conf</code> for editing:</p> vi /etc/rc.conf</span></span></code></pre> NOTE</strong> In this HOWTO, my hostname was earlier set to foobox.home.arpa</code> during network setup, and my wired interface is wm0</code>. Adjust accordingly:</p> # If this is not set to YES, the system will drop into single-user mode.</span></span> #</span></span> rc_configured=YES</span></span> </span> # Add local overrides below.</span></span> #</span></span> # Wait for CGD to be unlocked before mounting.</span></span> critical_filesystems_local="OPTIONAL:/var OPTIONAL:/usr"</span></span> dhcpcd=YES</span></span> dhcpcd_flags="-qM wm0"</span></span> hostname=foobox.home.arpa</span></span> sshd=YES</span></span> ntpd=YES</span></span> ntpdate=YES</span></span> wscons=YES</span></span> cgd=YES</span></span></code></pre> Save changes and exit.</p> NOTE</strong> Any Error: /dev/ttyp0: No such file or directory</code> messages can be safely ignored.</p> Keyboard</h3> A full list of keyboard mappings and variants can be found in wskbd(4)</a>.</p> Set encoding [type_of_keyboard]</code> in wscons.conf</code>.</p> Open file for editing:</p> vi /etc/wscons.conf</span></span></code></pre> Example: I use the non-default colemak</code> keymap:</p> encoding us.colemak</span></span></code></pre> Save changes and exit.</p> Timezone</h3> Create a symlink to the appropriate timezone for your localtime</code>:</p> ln -sf /usr/share/zoneinfo/[region/<city_or_sub-region] /etc/localtime</span></span></code></pre> Example: Set localtime</code> to Canada/Eastern</code>:</p> ln -sf /usr/share/zoneinfo/Canada/Eastern /etc/localtime && date</span></span></code></pre>Network interface</h3> ifconfig.if(5)</a> contains the configuration details for each network interface.</p> Example: Create an interface file for the wm0</code> interface that is assigned an IP address via DHCP:</p> # cat > /etc/ifconfig.wm0 << EOF</span></span> up</span></span> media autoselect</span></span> EOF</span></span></code></pre>Terminals</h3> Set the status of terminals ttyE1-ttyE3</code> in ttys</code> from off</code> to on</code>.</p> Open file for editing:</p> vi /etc/ttys</span></span></code></pre> This is how it should look:</p> # name getty type status comments</span></span> #</span></span> console "/usr/libexec/getty Pc" wsvt25 off secure</span></span> constty "/usr/libexec/getty Pc" wsvt25 on secure</span></span> ttyE0 "/usr/libexec/getty Pc" wsvt25 off secure</span></span> ttyE1 "/usr/libexec/getty Pc" wsvt25 on secure</span></span> ttyE2 "/usr/libexec/getty Pc" wsvt25 on secure</span></span> ttyE3 "/usr/libexec/getty Pc" wsvt25 on secure</span></span></code></pre> Save changes and exit.</p> 7. Finish Up</h2> Exit chroot:</p> exit</span></span> cd /</span></span></code></pre> Unmount:</p> umount /targetroot/home</span></span> umount /targetroot/usr</span></span> umount /targetroot/var</span></span> umount /targetroot</span></span></code></pre> Close encrypted device:</p> cgdconfig -u cgd0</span></span></code></pre> Reboot system:</p> shutdown -r now</span></span></code></pre> NOTE</strong> When prompted for the passphrase to unlock the encrypted device, keymap is us qwerty</code> regardless of keymap that might have been set in wscons.conf</code>.</p> User is prompted for the passphrase to unlock the encrypted syscgd</code> device. Upon success, boot resumes:</p> NetBSD/amd64 (foobox.home.arpa) (constty)</span></span> </span> login: root</span></span> Password:</span></span></code></pre> Welcome to NetBSD!</strong></p> To shutdown/poweroff the system:</p> shutdown -p now</span></span></code></pre>8. Resources</h2> This HOWTO posted by vsis</a> was crucial in getting my own system configured with encryption: NetBSD - UEFI installation with Full Disk Encryption</a></li> Alternative approach for disk encryption using a ramdisk on BIOS boot systems: NetBSD Full-Disk Encryption with CGD (BIOS/GPT)</a></li> NetBSD INSTALL: Installation procedure for NetBSD/amd64</a></li> NetBSD Wiki: Installing NetBSD on a x86 system with UEFI</a></li> NetBSD Guide: Chapter 14. The cryptographic device driver (CGD)</a></li> Suggested tools for inspecting disks: Disk management from Installation ISO</a></li> Skipping sysinst install for a more "hands-on" approach: Manual NetBSD install on GPT/UEFI</a></li> Swap encryption is now automatic using the vm.swap_encrypt=1</code> sysctl(8)</a> variable: Announcing NetBSD 10.0</a></li> </ul> Next: NetBSD: After the First Boot</em> (TODO)</p> You can like, share, or comment on this post on the Fediverse</a> 💬 </p>

Make Your Own Fortune

Fri, 08 May 2026 00:00:00 +0000

As we all go about our day we discover bits of wisdom that WOW! and YES! seem to be directed at you.

I like to put these bits together in a file for later review. Using the programs fortune</code> and cowsay</code> and lolcat</code> I made a little shell script that runs at a console login or when a terminal window/tab is opened and outputs a colourful, random fortune from my custom collection.

Fortune</a></li> Customize</a></li> Cowsay</a></li> Lolcat</a></li> Script</a></li> Auto-run</a></li> </ul> Fortune</h2> The fortune</code> command is included in the FreeBSD base system. On other BSDs and Linuxes its usually available to install as the fortune</code> or fortune-mod</code> package. Running fortune all</code> command prints an adage chosen at random from database files stored (on FreeBSD) in /usr/share/games/fortune</code>: -> fortune all To see the last 10 lines of a long file, use "tail filename". To see the first 10 lines, use "head filename". To see new lines as they're appended to a file, use "tail -f filename". -- Dru <genesis@istar.ca></code></pre> Usually on a Linux system its a simple fortune</code> or fortunes</code> command: -> fortune I'll defend to the death your right to say that, but I never said I'd listen to it! -- Tom Galloway with apologies to Voltaire</code></pre>Customize</h2> Create the my_fortune</code> file (I place mine in ~/.config</code>): vi ~/.config/my_fortune</code></pre> Add blocks of text separated by the %</code> percent symbol. Example: All creatures love life. All creatures fear death. Therefore do not kill or help others to kill. -- The Buddha % Everyone takes the limits of his own vision for the limits of the world. -- Arthur Schopenhauer % Non est ad astra mollis e terris via (there is no easy way from the earth to the stars). -- Seneca %</code></pre> Save changes and exit. Convert this file to a format that fortune</code> can use with the included strfile</code> command, which generates the necessary *.dat</code> file type: strfile -c % ~/.config/my_fortune ~/.config/my_fortune.dat</code></pre> NOTE Both my_fortune</code> and my_fortune.dat</code> need to be located in the same directory. Display your own fortune: -> fortune ~/.config/my_fortune The price of anything is the amount of life you exchange for it. -- Henry David Thoreau</code></pre>Cowsay</h2> What is better than seeing your own fortune in the console? Why having a cow deliver it! Install cowsay</code> with your BSD or Linux package manager. On FreeBSD: doas pkg install cowsay</code></pre> Pipe your fortune to the cow: -> fortune ~/.config/my_fortune | cowsay _________________________________________ / If you don’t get everything you want, \ | think of the things you don’t get | | that you don’t want. | \ -- Oscar Wilde / --------------------------------------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || ||</code></pre> I actually prefer my fortunes to be delivered by a kitty</code>: -> fortune ~/.config/my_fortune | cowsay -f kitty _________________________________________ / I have learned silence from the \ | talkative, toleration from the | | intolerant, and kindness from the | | unkind; yet strange, I am ungrateful to | \ these teachers. -- Kahlil Gibran / ----------------------------------------- \ \ ("`-' '-/") .___..--' ' "`-._ ` *_ * ) `-. ( ) .`-.__. `) (_Y_.) ' ._ ) `._` ; `` -. .-' _.. `--'_..-_/ /--' _ .' ,4 ( i l ),-'' ( l i),' ( ( ! .-'</code></pre>Lolcat</h2> How about a fortune delivered with a dash of colour, courtesy of lolcat</code>? Its usually available as a package or can be installed as a Ruby gem</code>. On FreeBSD, install: doas pkg install lolcat</code></pre> Run: Script</h2> I created a shell script for these commands. It displays a colour cow-ified fortune if the system has lolcat</code> + cowsay</code> + fortune</code>, falls back to the fortune cow if lolcat</code> is missing, falls back to a plain fortune if cowsay</code> is also missing, and errors out if no my_fortune</code> file or fortune</code> command is found. Verify that $HOME/bin</code> directory is present and in your PATH: echo $PATH</code></pre> The script, saved as my_fortune.sh</code> and placed in ~/bin</code>: #!/bin/sh # # Purpose: Display a random fortune from my custom fortunes file quote="$HOME/.config/my_fortune" cowfile="kitty" fort="command -v fortune" cows="command -v cowsay" lols="command -v lolcat" if [ -f $quote ]; then if $fort 2>&1 >/dev/null && $cows 2>&1 >/dev/null && $lols 2>&1 >/dev/null; then fortune $quote | cowsay -f $cowfile | lolcat -f elif $fort 2>&1 >/dev/null && $cows 2>&1 >/dev/null; then fortune $quote | cowsay -f $cowfile elif $fort 2>&1 >/dev/null; then fortune $quote else echo "(O< error: script $0 requires: fortune; recommends: cowsay, lolcat" echo "(/)_" exit 1 fi else echo "(O< error: $quote not found." echo "(/)_" exit 1 fi</code></pre> Make the script executable: chmod 755 ~/bin/my_fortune.sh</code></pre> Run: my_fortune.sh</code></pre> ... to display your own jazzy fortune! Auto-run</h2> To have my_fortune.sh</code> run whenever logging into a console or opening a terminal window/tab, add the script to the shell's config file. I use the fish</code> shell, and I modify the config.fish</code> file: vi ~/.config/fish/config.fish</code></pre> Add: if status is-interactive if command -v my_fortune.sh > /dev/null my_fortune.sh end end</code></pre> Save changes and exit. For bash</code>, modify .bashrc</code>: vi ~/.bashrc</code></pre> Add: if command -v my_fortune.sh 2>&1 >/dev/null then my_fortune.sh fi</code></pre> Save changes and exit. Modify as appropriate (.shrc</code> for sh</code>, etc) for your chosen shell. Its a fun and often enlightening nudge to start the day! You can like, share, or comment on this post on the Fediverse</a> 💬

Just Enough Chimera Linux

Thu, 16 Apr 2026 00:00:00 +0000

Chimera Linux</a> is a delightful community-driven Linux distribution built from scratch that does things differently: musl</code> instead of the typical glibc</code> for C library, dinit</code> over systemd</code> for system init, and a userland derived from FreeBSD core tools.

Using the Chimera base</code> install image and working my way through this excellent installation guide</a> for configuring Chimera with the OpenZFS filesystem and the ZFSBootMenu bootloader, I show the choices I make to create an encrypted, minimal Linux system with "just enough" to provide a solid foundation to build upon further: whether that be setting up a desktop, laptop, or server.



1. Start Here</a>

Acquire an installation image</a></li>
Prepare USB installation medium</a></li>
</ul>
</li>
2. Configure the Live Environment</a>

Set larger console font</a></li>
Set temporary console keyboard</a></li>
Verify boot mode</a></li>
Connect to internet</a></li>
Remote login to installer</a></li>
Define ID variable</a></li>
Generate hostid</a></li>
</ul>
</li>
3. Prepare the DISK</a>

Define DISK variables</a></li>
Wipe DISK</a></li>
Partition DISK</a></li>
</ul>
</li>
4. ZFS Pool Creation</a>

Create encryption keyfile</a></li>
Create encrypted ZFS pool</a></li>
Create ZFS datasets</a></li>
Export and re-import pool for installation</a></li>
</ul>
</li>
5. Installation</a></li>
6. Configure the New System</a>

Enter chroot</a></li>
Set root password</a></li>
Create superuser</a></li>
Package manager and extra packages</a></li>
Set console font</a></li>
Set console keyboard</a></li>
Set timezone</a></li>
Assign hostname</a></li>
Enable services</a></li>
Format and mount ESP partition</a></li>
Enable swap encryption</a></li>
Regenerate initramfs</a></li>
</ul>
</li>
7. ZFSBootMenu</a>

Boot properties</a></li>
Prebuilt executable</a></li>
EFI boot entries</a></li>
</ul>
</li>
8. Finish Up</a>

Exit chroot, unmount, and export</a></li>
Reboot</a></li>
</ul>
</li>
9. Resources</a></li>
</ul>

1. Start Here</h2>
Throughout this HOWTO, if you see square brackets []</code> in code blocks, that means the word of code (square brackets included) should be replaced with something else. This is detailed in the instructions before or after the code block.</p>
Chimera Linux is installed as the sole operating system on a single disk using a three-partition layout:</p>

Partition esp</code> serves as the EFI system partition and is formatted with the fat32</code> file system.</li>
Partition swap</code> provides swap space with encryption courtesy of dm-crypt</code>.</li>
Partition pool</code> contains the root filesystem and is formatted with the zfs</code> file system using native encryption.</li>
</ul>
A few assumptions:</p>

Target device is x86_64</code> architecture using UEFI to boot.</li>
Secure boot is disabled on target device.</li>
Installation image is prepared on a Linux/BSD system.</li>
Network access during install uses a wired interface.</li>
System does not require hibernation support.</li>
</ul>
Acquire an installation image</h3>
The latest live ISO install images (currently 20251220</code>) are available here: repo.chimera-linux.org</a></p>
Download chimera-linux-x86_64-LIVE-20251220-base.iso</code>, the sha256sums.txt</code> file, then verify the image integrity:</p>
sha256sum -c --ignore-missing sha256sums.txt</span></span></code></pre>Prepare USB installation medium</h3>
Write the installer to an unmounted USB storage device running the dd</code> command as root.</p>
WARNING</strong>

Be very careful to note the proper device (which can be identified with the lsblk</code> command). All contents on the device will be lost!</strong></p>
Example: On a Linux system, if a USB stick appears as sdx1</code>, then write the installer to sdx</code> (omit partition number):</p>
dd bs=4M conv=fsync oflag=direct status=progress if=chimera-linux-x86_64-LIVE-20251220-base.iso of=/dev/sdx</span></span></code></pre>2. Configure the Live Environment</h2>
Boot the target device from the Chimera installation media. Login and password is root:chimera</code>.</p>
Set larger console font</h3>
If the existing font size appears too small, running:</p>
setfont -d</span></span></code></pre>
... will double the size.</p>
Console fonts are located in /usr/share/consolefonts/</code> and a different font can be set with setfont</code> omitting the path and file extension.</p>
Set temporary console keyboard</h3>
Default console keymap is us</code>. Available keymaps are listed in /usr/share/keymaps/</code>.</p>
If some other keymap is desired, set a different keymap temporarily with loadkeys</code>:</p>
loadkeys [keymap]</span></span></code></pre>
...where [keymap]</code> is the desired keyboard layout.</p>
Example: I configure the system to use my preferred colemak</code> layout, which is available in /usr/share/keymaps/i386/colemak</code>:</p>
loadkeys colemak/en-latin9</span></span></code></pre>Verify boot mode</h3>
Confirm target device is using UEFI boot mode:</p>
cat /sys/firmware/efi/fw_platform_size</span></span></code></pre>
If the command returns 64</code>, then system is booted in UEFI with 64-bit x64 UEFI and we are good to go.</p>
NOTE</strong>

If the file does not exist, the device is not using UEFI.</p>
Connect to internet</h3>
Wired network interfaces should be auto-enabled and connected at boot.</p>
Verify the network interface is active, has been assigned an address, and the internet is reachable:</p>
ip addr</span></span>
ping -c 5 chimera-linux.org</span></span></code></pre>Remote login to installer</h3>
Make this manual installation process easier (i.e. cut-n-paste commands) by remotely logging into the installer via ssh</code> from another computer.</p>
Start the sshd</code> daemon:</p>
dinitctl start sshd</span></span></code></pre>
Switch to the other computer and ssh</code> into the target device as anon:chimera</code>:</p>
ssh anon@[ip_address]</span></span></code></pre>
... where [ip_address]</code> is the target device’s address obtained with the ip addr</code> command above.</p>
Switch to root</code>:</p>
doas -s</span></span></code></pre>Define ID variable</h3>
File /etc/os-release</code> defines variables that describe the current operating system. Use the $ID</code> variable to set the short name of the Linux distribution in later commands:</p>
. /etc/os-release && export ID && echo $ID</span></span></code></pre>Generate hostid</h3>
Generate hostid</code> hexadecimal identifier for use by ZFSBootMenu:</p>
zgenhostid "$(hostid)" && hostid</span></span></code></pre>
NOTE</strong>

Musl doesn't read /etc/hostid</code> and will always display 00000000</code>. Its not an issue.</a></p>
3. Prepare the DISK</h2>
Set up a custom partition layout on a single disk before implementing the Chimera base installation.</p>
Install:</p>
apk update && apk add --no-interactive gptfdisk parted</span></span></code></pre>Define DISK variables</h3>
Identify the disk where Chimera will be installed by listing block devices:</p>
lsblk -f</span></span></code></pre>
Set DISK variables for either a SATA or NVMe disk:</p>
SATA</h4>
Example disk: sda</code></p>
export DISK="/dev/sda"</span></span>
export ESP_PART="1"</span></span>
export SWAP_PART="2"</span></span>
export POOL_PART="3"</span></span>
export ESP_DEVICE="${DISK}${ESP_PART}"</span></span>
export SWAP_DEVICE="${DISK}${SWAP_PART}"</span></span>
export POOL_DEVICE="${DISK}${POOL_PART}"</span></span>
echo $ESP_DEVICE && echo $SWAP_DEVICE && echo $POOL_DEVICE</span></span></code></pre>NVMe</h4>
Example disk: nvme0n1</code></p>
export DISK="/dev/nvme0n1"</span></span>
export ESP_PART="1"</span></span>
export SWAP_PART="2"</span></span>
export POOL_PART="3"</span></span>
export ESP_DEVICE="${DISK}p${ESP_PART}"</span></span>
export SWAP_DEVICE="${DISK}p${SWAP_PART}"</span></span>
export POOL_DEVICE="${DISK}p${POOL_PART}"</span></span>
echo $ESP_DEVICE && echo $SWAP_DEVICE && echo $POOL_DEVICE</span></span></code></pre>Wipe DISK</h3>
If there was previously a ZFS pool on DISK, run:</p>
zpool labelclear -f $DISK</span></span></code></pre>
If DISK was previously configured with LVM, bring down the volume group:</p>
vgchange -an</span></span></code></pre>
Wipe existing file systems and partition table on DISK:</p>
wipefs -af $DISK && sgdisk --zap-all --clear $DISK</span></span></code></pre>
Notify the system of changes to the partition table:</p>
partprobe $DISK</span></span></code></pre>Partition DISK</h3>
NOTE</strong>

Many partitioning guides assign 256-512M of space to the EFI system partition. I like to future-proof the partition for whatever else Linux might want to store there by assigning a more generous 2G of space.</p>
Create a GPT partition table on DISK with the following layout:</p>
Number</th> Size</th> Code</th> Format</th> Use as</th> Mountpoint</th></tr></thead>

1</td> 2g</td> ef00</td> vfat</td> EFI system partition</td> /boot/efi</td></tr>
2</td> 8g</td> 8200</td> swap</td> Swap partition</td> (not applicable)</td></tr>
3</td> ->END</td> bf00</td> zfs</td> ZFS pool partition</td> /</td></tr>
</tbody></table>
Create the EFI system partition:</p>
sgdisk -n "${ESP_PART}:1m:+2g" -t "${ESP_PART}:ef00" -c 0:esp $DISK</span></span></code></pre>
Create the swap partition:</p>
sgdisk -n "${SWAP_PART}:0:+8g" -t "${SWAP_PART}:8200" -c 0:swap $DISK</span></span></code></pre>
Create the ZFS pool partition:</p>
sgdisk -n "${POOL_PART}:0:0" -t "${POOL_PART}:bf00" -c 0:pool $DISK</span></span></code></pre>
Display DISK layout:</p>
partprobe $DISK && sgdisk -p $DISK</span></span></code></pre>4. ZFS Pool Creation</h2>
When adding disks or partitions to ZFS pools, its good practice to refer to them by the symbolic links created in /dev/disk/by-partuuid</code> (UEFI) so that ZFS will identify the right devices even if disk naming should change at some point. Using traditional device nodes like /dev/sda2</code> may cause intermittent import failures.</p>
So I create a POOL_ID</code> variable:</p>
POOL_ID=/dev/disk/by-partuuid/$( blkid -s PARTUUID -o value $POOL_DEVICE )</span></span></code></pre>
Verify:</p>
ls -al /dev/disk/by-partuuid/ && echo "POOL_ID = $POOL_ID"</span></span></code></pre>Create encryption keyfile</h3>
Store the encryption passphrase for the ZFS pool in a keyfile:</p>
echo 'SuperSecretPassphrase' > /etc/zfs/zroot.key</span></span>
chmod 000 /etc/zfs/zroot.key</span></span></code></pre>Create encrypted ZFS pool</h3>
Create the pool with native encryption enabled:</p>
zpool create -f \</span></span>
 -o ashift=12 \</span></span>
 -o autotrim=on \</span></span>
 -o compatibility=openzfs-2.3-linux \</span></span>
 -O acltype=posixacl \</span></span>
 -O xattr=sa \</span></span>
 -O compression=lz4 \</span></span>
 -O encryption=aes-256-gcm \</span></span>
 -O keylocation=file:///etc/zfs/zroot.key \</span></span>
 -O keyformat=passphrase \</span></span>
 -O relatime=on \</span></span>
 -m none zroot "$POOL_ID"</span></span></code></pre>Create ZFS datasets</h3>
NOTE</strong>

It is necessary to explicitly set the canmount=noauto</code> on every boot environment you create.</p>
zfs create -o mountpoint=none zroot/ROOT</span></span>
zfs create -o mountpoint=/ -o canmount=noauto zroot/ROOT/${ID}</span></span></code></pre>
Set the preferred boot file system:</p>
zpool set bootfs=zroot/ROOT/${ID} zroot</span></span></code></pre>
I create an additional home</code> dataset for each system:</p>
zfs create zroot/ROOT/${ID}/home</span></span></code></pre>
This allows me to keep user config files unique to each boot environment that I might create in the future. It also separates user data from system data, which is useful for ZFS snapshots and enables system rollbacks while leaving user data untouched.</p>
To share data between boot environments, I create a data</code> dataset to store common files:</p>
zfs create -o mountpoint=/data zroot/data</span></span></code></pre>Export and re-import pool for installation</h3>
zpool export zroot</span></span>
zpool import -N -R /mnt zroot</span></span>
zfs load-key -L prompt zroot</span></span></code></pre>
Mount datasets:</p>
zfs mount zroot/ROOT/${ID}</span></span>
zfs mount zroot/ROOT/${ID}/home</span></span>
zfs mount zroot/data</span></span></code></pre>
Verify:</p>
# mount -t zfs</span></span>
zroot/ROOT/chimera on /mnt type zfs (rw,relatime,xattr,posixacl,casesensitive)</span></span>
zroot/ROOT/chimera/home on /mnt/home type zfs (rw,relatime,xattr,posixacl,casesensitive)</span></span>
zroot/data on /mnt/data type zfs (rw,relatime,xattr,posixacl,casesensitive)</span></span></code></pre>
Update device symlinks:</p>
udevadm trigger</span></span></code></pre>5. Installation</h2>
Install the base system:</p>
chimera-bootstrap /mnt</span></span></code></pre>
Copy files into the new operating system:</p>
cp /etc/hostid /mnt/etc/</span></span>
mkdir /mnt/etc/zfs && cp /etc/zfs/zroot.key /mnt/etc/zfs/</span></span></code></pre>6. Configure the New System</h2>
Chroot into the freshly installed Chimera and configure the base system.</p>
Enter chroot</h3>
chimera-chroot /mnt</span></span></code></pre>Set root password</h3>
passwd</span></span></code></pre>Create superuser</h3>
Create a user account with superuser privileges:</p>
useradd -m -G wheel [username]</span></span></code></pre>
... where [username]</code> is the desired name for the account.</p>
Set a password for [username]</code>:</p>
passwd [username]</span></span></code></pre>
(Optional) Give root</code> access to [username]</code> with no password using the doas</code> command:</p>
echo 'permit nopass keepenv [username]' >> /etc/doas.conf</span></span></code></pre>Package manager and extra packages</h3>
Add the user</code> subrepo and sync mirrors:</p>
apk add --no-interactive chimera-repo-user && apk update</span></span></code></pre>
Identify the processor vendor:</p>
grep vendor_id /proc/cpuinfo</span></span></code></pre>
Define a variable for an appropriate microcode package to load updates and security fixes:</p>
UCODE="[vendor]"</span></span></code></pre>
... where [vendor]</code> for Intel processors is ucode-intel</code> and AMD processors is ucode-amd</code>.</p>
Install:</p>
apk add --no-interactive $UCODE linux-lts-zfs-bin cryptsetup cryptsetup-scripts-initramfs-tools curl efibootmgr font-terminus</span></span></code></pre>Set console font</h3>
NOTE</strong>

For terminus</code> font settings, see /usr/share/consolefonts/README.Lat2-Terminus16</code> for details.</p>
Chimera uses the same console-setup</code> system as Debian.</p>
Example: Use TerminusBold</code> as the console font and increase font size by modifying /etc/default/console-setup</code>:</p>
ACTIVE_CONSOLES="/dev/tty[1-6]"</span></span>
</span>
CHARMAP="UTF-8"</span></span>
</span>
CODESET=guess</span></span>
FONTFACE=TerminusBold</span></span>
FONTSIZE=14x28</span></span></code></pre>Set console keyboard</h3>
Default keyboard is us</code>. If a keymap alternative is desired, see keyboard(5)</code> for options.</p>
Example: I like to use the colemak</code> keymap (available in /usr/share/keymaps/i386/colemak</code>), which I set by modifying /etc/default/keyboard</code>:</p>
KMAP=colemak/en-latin9</span></span>
</span>
XKBMODEL=pc105</span></span>
XKBLAYOUT=us</span></span></code></pre>Set timezone</h3>
Timezones are located in /usr/share/zoneinfo/[Region]/[City]</code>, where [Region]</code> is the geographical region (Africa, America, Europe, ...) and the [City]</code> within that region.</p>
Example: Create the /etc/localtime</code> symbolic link to the timezone where Toronto</code> is located:</p>
ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime && date</span></span></code></pre>Assign hostname</h3>
Create the hostname</code> file:</p>
echo [hostname] > /etc/hostname</span></span></code></pre>
... where [hostname]</code> is the desired name of the system (single word, no spaces):</p>
echo chimeralinux > /etc/hostname</span></span></code></pre>Enable services</h3>
Links to services enabled by the admin are in /etc/dinit.d/boot.d/</code>.</p>
Default logging system on Chimera is syslog-ng</code>.</p>
Enable the service:</p>
dinitctl -o enable syslog-ng</span></span></code></pre>
Logs are written to /var/log/messages</code>.</p>
You can configure wired networks statically or dynamically with dhcpcd</code>.</p>
Enable the service:</p>
dinitctl -o enable dhcpcd</span></span></code></pre>
Default activity is for dhcpcd</code> to configure all interfaces with DHCP. Changes are made in /etc/dhcpcd.conf</code>. See dhcpcd.conf(5)</code> for more details.</p>
Enable the sshd</code> service to allow remote logins:</p>
dinitctl -o enable sshd</span></span></code></pre>Format and mount ESP partition</h3>
NOTE</strong>

Labels on file systems are optional, but helpful. They are a more reliable way to identify the correct partition than simple device nodes and allow for easy mounting without a UUID.</p>
Create a fat32</code> file system:</p>
mkfs.fat -n ESP -F 32 $ESP_DEVICE</span></span></code></pre>
Mount device:</p>
mount --mkdir $ESP_DEVICE /boot/efi</span></span></code></pre>
Add partition to fstab</code>:</p>
echo 'LABEL=ESP /boot/efi vfat defaults 0 0' >> /etc/fstab</span></span></code></pre>Enable swap encryption</h3>
Using raw dm-crypt</code> enables the system to generate a random, one-time encryption key at boot that requires no action from the user to encrypt swap</code>. At shutdown the key is discarded, rendering any remaining data effectively destroyed.</p>
To allow the use of a label (as previously done with the ESP) to identify the swap partition that can survive an overwrite, a swap offset</a> can be used. Create this offset by writing a tiny, empty file system on SWAP_DEVICE whose sole purpose is to provide a persistent label for swap creation:</p>
mkfs.ext2 -L cryptswap $SWAP_DEVICE 1M</span></span></code></pre>
Configure dm-crypt</code> to set up swap on this cryptswap</code> partition at boot by adding an entry to crypttab</code>:</p>
echo 'swap LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096' >> /etc/crypttab</span></span></code></pre>
Add swap device to fstab</code>:</p>
echo '/dev/mapper/swap none swap defaults 0 0' >> /etc/fstab</span></span></code></pre>Regenerate initramfs</h3>
Encryption key is stored in /etc/zfs</code> and will automatically be copied into the initramfs.</p>
Set UMASK=0077</code> as default permissions for newly created files and directories:</p>
mkdir -p /etc/initramfs-tools/conf.d</span></span>
echo 'UMASK=0077' > /etc/initramfs-tools/conf.d/umask.conf</span></span></code></pre>
... and set RESUME=none</code> to disable the cryptsetup</code> command from checking/warning about the lack of hibernate/resume support in our swap partition:</p>
echo 'RESUME=none' > /etc/initramfs-tools/conf.d/resume</span></span></code></pre>
Regenerate:</p>
update-initramfs -u -k all</span></span></code></pre>
Any warning messages along the lines of:</p>
cryptsetup: WARNING: Couldn't determine root device</span></span></code></pre>
... can be safely ignored. In this instance the script is looking for a root mapping that doesn't exit (root encryption is handled in ZFS).</p>
7. ZFSBootMenu</h2>
Install the ZBM bootloader to support Root-on-ZFS</strong> boot environments on Linux.</p>
Boot properties</h3>
NOTE</strong>

Add the hibernate=no</code> argument to ensure that no process can trigger a suspend-to-disk action, which is consistent with the goal of using an ephemeral, random-key swap.</p>
Assign command-line arguments to be used when booting the kernel:</p>
zfs set org.zfsbootmenu:commandline="quiet hibernate=no" zroot/ROOT</span></span></code></pre>
Configure key caching:</p>
zfs set org.zfsbootmenu:keysource="zroot/ROOT/${ID}" zroot</span></span></code></pre>Prebuilt executable</h3>
Install a prebuilt ZBM executable to the ESP:</p>
mkdir -p /boot/efi/EFI/ZBM</span></span>
curl -o /boot/efi/EFI/ZBM/VMLINUZ.EFI -L https://get.zfsbootmenu.org/efi</span></span>
cp /boot/efi/EFI/ZBM/VMLINUZ.EFI /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI</span></span></code></pre>EFI boot entries</h3>
efibootmgr -c -d "$DISK" -p "$ESP_PART" -L "ZFSBootMenu (Backup)" -l '\EFI\ZBM\VMLINUZ-BACKUP.EFI'</span></span>
efibootmgr -c -d "$DISK" -p "$ESP_PART" -L "ZFSBootMenu" -l '\EFI\ZBM\VMLINUZ.EFI'</span></span></code></pre>8. Finish Up</h2>
Exit chroot, unmount, and export</h3>
Exit chroot:</p>
exit</span></span></code></pre>
Unmount everything:</p>
umount /mnt/home && umount /mnt/data && umount /mnt/boot/efi && umount -n -R /mnt</span></span></code></pre>
Export the zpool:</p>
zpool export zroot</span></span></code></pre>Reboot</h3>
reboot</span></span></code></pre>
NOTE</strong>

When prompted for passphrase to unlock zpool, keymap is us</code> regardless of keymap that might have been set on system.</p>
User is prompted for the passphrase to unlock the encrypted root partition. Upon success, boot resumes:</p>
chimeralinux login:</span></span></code></pre>
Welcome to Chimera!</strong></p>
9. Resources</h2>

ZFSBootMenu: Chimera Linux Guide</a></li>
Chimera Linux: Installation Guide</a></li>
OpenZFS Man Pages: zpoolprops.7</a> and zfsprops.7</a></li>
Practical ZFS: Linux home directory on ZFS</a></li>
Arch Linux Wiki: Persistent block device naming</a> and swap encryption</a></li>
</ul>
Next: Chimera Linux: After the First Boot</em> (TODO)</p>

You can like, share, or comment on this post on the Fediverse</a> 💬
</p>


NetBSD Installation with Disk Encryption
Sun, 12 Apr 2026 00:00:00 +0000
The first time I installed NetBSD</a> I used sysinst(8)</a>, a menu-based program launched at boot that runs in the console. It has a clear and concise layout and I was quickly up-and-running on my new BSD</a> system.</p>
For my next</strong> install I wanted to include disk encryption</strong> to protect personal data in case the device is lost or stolen. Its not really enough to simply encrypt home directories. Passphrases and sensitive data can linger and be extracted from locations such as system logs and swap memory. There is a trade-off to be made between how much to encrypt, the convenience of operating the system, and the ability for the system to boot.</p>


1. Start Here</a>

Acquire an installation image</a></li>
Prepare the USB installation medium</a></li>
</ul>
</li>
2. Configure the Live Environment</a>

Connect to the internet</a></li>
Remote login to the installer</a></li>
</ul>
</li>
3. Prepare the DISK</a>

Identify disks and partitions</a></li>
Define DISK variable</a></li>
Wipe DISK</a></li>
Partition DISK</a></li>
Define wedge variables</a></li>
Format and mount the ESP wedge</a></li>
Add EFI boot entries to ESP</a></li>
Format and mount the root wedge</a></li>
</ul>
</li>
4. Disk Encryption</a>

Create encrypted device</a></li>
Create disklabels</a></li>
Verify encrypted device</a></li>
Format and mount disklabels</a></li>
</ul>
</li>
5. Installation</a></li>
6. Configure the System</a>

Chroot</a></li>
Directories</a></li>
Devices</a></li>
Root password</a></li>
Superuser</a></li>
Fstab</a></li>
Startup</a></li>
Keyboard</a></li>
Timezone</a></li>
Network interface</a></li>
Terminals</a></li>
</ul>
</li>
7. Finish Up</a></li>
8. Resources</a></li>
</ul>

1. Start Here</h2>
Throughout this HOWTO, if you see square brackets []</code> in code blocks, that means the word of code (square brackets included) should be replaced with something else. This is detailed in the instructions before or after the code block.</p>
NetBSD will be installed as the sole operating system on a single disk using a four-partition layout:</p>

Partition ESP</code> is the EFI system partition.</li>
Partition root</code> hosts a minimal root filesystem that boots to an encryption passphrase prompt, which upon entry unlocks...</li>
... the encrypted device on partition syscgd</code> containing the contents of var</code>, usr</code>, and home</code>.</li>
Partition swap</code> is swap memory auto-encrypted at boot using a random key.</li>
</ul>
A few assumptions:</p>

Target device is amd64</code> architecture using UEFI to boot.</li>
Secure boot is disabled on target device.</li>
Network access during install uses a wired interface.</li>
</ul>
Sysinst does not provide the option for encrypting the system in this manner, so early in the install process I switch to the console and proceed to manually install NetBSD.</p>
Acquire an installation image</h3>
The latest official installation images (as of April 2026) are available here: Images and torrents</a></p>
Download the NetBSD-11.0_RC3-amd64-install.img.gz</code> image and the SHA512</code> file for verification:</p>
wget https://cdn.netbsd.org/pub/NetBSD/images/11.0_RC3/NetBSD-11.0_RC3-amd64-install.img.gz</span></span>
wget https://cdn.netbsd.org/pub/NetBSD/images/11.0_RC3/SHA512</span></span></code></pre>
Verify the image using sha512sum</code>:</p>
sha512sum -c --ignore-missing SHA512 </span></span></code></pre>
Decompress the image:</p>
gunzip NetBSD-11.0_RC3-amd64-install.img.gz</span></span></code></pre>Prepare the USB installation medium</h3>
Write the installer to an unmounted</strong> USB storage device running the dd(1)</a> command as root</code>.</p>
WARNING</strong>

Be very careful to note the proper device (which can be identified with lsblk</code>). All contents on the device will be lost!</strong></p>
Example: On a Linux system, if a USB stick appears as sdx1</code>, then write the installer to sdx</code> (omit partition number):</p>
dd bs=4M conv=fsync oflag=direct status=progress if=NetBSD-11.0_RC3-amd64-install.img of=/dev/sdx</span></span></code></pre>2. Configure the Live Environment</h2>
Boot the target device from the NetBSD installation medium. Select Option 1</code> (default) to Install NetBSD</code>.</p>
After the installer has successfully booted into the NetBSD kernel, a prompt appears to select which language</strong> will be used for installation messages, followed by a prompt to select a different keyboard type</strong> if desired or leave unchanged.</p>
Next up the menu-based sysinst</strong> program is launched:</p>
NetBSD-11.0_RC3 Install System</span></span>
</span>
>a: Install NetBSD to hard disk</span></span>
 b: Upgrade NetBSD on a hard disk</span></span>
 c: Re-install sets or install additional sets</span></span>
 d: Reboot the computer</span></span>
 e: Utility menu</span></span>
 f: Config menu</span></span>
 x: Exit Install System</span></span></code></pre>Connect to the internet</h3>
At the Install System</code> main menu, select >e: Utility menu</code> then >c: Configure network</code>.</p>
Available interfaces</code> lists the network interfaces detected by the NetBSD installer.</p>
Example: With my target device Available interfaces</code> lists two: wm0</code> (wired) and iwn0</code> (wireless). I choose to configure the wired ethernet interface:</p>
Network media (empty to autoconfigure) [autoselect]: <enter></span></span>
Perform autoconfiguration?</span></span>
>a: Yes</span></span>
Your host name: foobox</span></span>
Your DNS domain: home.arpa</span></span>
The following are the values you entered.</span></span>
</span>
[...]</span></span>
</span>
Are they OK?</span></span>
>a: Yes</span></span></code></pre>Remote login to the installer</h3>
Make this manual installation process easier (i.e. cut-n-paste commands) by remotely logging into the installer via ssh</code> from another computer.</p>
Open a shell by selecting >a: Run /bin/sh</code> from the Utilities</code> menu.</p>
Set a password for root</code>:</p>
passwd</span></span></code></pre>
Open the sshd_config</code> file for editing using the vi</code> editor:</p>
vi /etc/ssh/sshd_config</span></span></code></pre>
Set permission to allow root</code> to login:</p>
PermitRootLogin yes</span></span></code></pre>
Save changes and exit.</p>
Start the sshd</code> daemon:</p>
/etc/rc.d/sshd onestart</span></span></code></pre>
Retrieve the IP address for the active interface configured earlier (example: wm0</code>):</p>
ifconfig wm0</span></span></code></pre>
Switch to the other computer and ssh</code> into the target device:</p>
ssh root@[ip_address]</span></span></code></pre>
... where [ip_address]</code> is the target device's address obtained with the ifconfig</code> command above.</p>
3. Prepare the DISK</h2>
NOTE</strong>

For the purposes of this HOWTO, the example target device has a single NVMe disk with an existing install of Linux</a> that will be erased and replaced by NetBSD. Device IDs and storage sizes will vary between devices.</p>
Identify disks and partitions</h3>
Discover what disk devices and partitions have been recognized by the kernel:</p>
# sysctl hw.disknames</span></span>
hw.disknames = ld0 dk0 dk1 dk2 dk3 sd0 dk4 dk5</span></span></code></pre>
NVMe devices show up as ld</code> and hard disks are identified by wd</code>. USB devices usually show up as sd</code>.</p>
The dk</code> devices are partitions (know as wedges</strong> in NetBSD parlance) on the storage devices, and this early after boot are usually displayed in order, that is: dk0</code> through dk3</code> are wedges on the NVMe target device ld0</code>, and dk4</code> and dk5</code> on the USB installer sd0</code>.</p>
Verify by asking for a list of wedges on sd0</code>:</p>
# dkctl sd0 listwedges</span></span>
/dev/rsd0: 2 wedges:</span></span>
dk4: EFI system, 262144 blocks at 2048, type: msdos</span></span>
dk5: 30c4cc4e-5369-449c-8994-a4b1ea665b4b, 4853760 blocks at 264192, type: ffs</span></span></code></pre>
Verify which device the installer booted from:</p>
# dmesg | fgrep "root on"</span></span>
[     4.158650] root on dk5</span></span></code></pre>
There is also the nvmectl</code> command (use atactl</code> for SATA drives):</p>
# nvmectl identify nvme0 | egrep 'Model|Device type|Capacity'</span></span>
Model Number:               Samsung SSD 980 1TB</span></span></code></pre>Define DISK variable</h3>
The NVMe storage device detected above as ld0</code> is where NetBSD will be installed. Adjust accordingly for your own storage device:</p>
DISK="ld0"</span></span></code></pre>Wipe DISK</h3>
Wipe existing file systems and partition table on DISK:</p>
gpt destroy $DISK && gpt show $DISK</span></span></code></pre>Partition DISK</h3>
NOTE</strong>

I typically set the swap partition size equal to the amount of physical RAM to a maximum 16g</code>.</p>
Create a GPT partition table on DISK with the following layout:</p>
Number</th> Size</th> Type</th> Use as</th></tr></thead>

1</td> 550m</td> efi</td> ESP partition</td></tr>
2</td> 6g</td> ffs</td> Root partition</td></tr>
3</td> 16g</td> swap</td> Encrypted swap partition</td></tr>
4</td> ->END</td> cgd</td> Encrypted system partition</td></tr>
</tbody></table>
Create a new GPT partition table:</p>
gpt create -f $DISK</span></span></code></pre>
Create the wedges:</p>
gpt add -l "ESP" -t efi -s 550m $DISK</span></span>
gpt add -l "root" -t ffs -s 6g $DISK</span></span>
gpt add -l "swap" -t swap -s 16g $DISK</span></span>
gpt add -l "syscgd" -t cgd $DISK</span></span>
gpt show $DISK</span></span></code></pre>Define wedge variables</h3>
List wedges:</p>
# dkctl $DISK listwedges</span></span>
/dev/rld0: 4 wedges:</span></span>
dk2: ESP, 524288 blocks at 34, type: msdos</span></span>
dk3: root, 16777216 blocks at 524322, type: ffs</span></span>
dk4: swap, 33554432 blocks at 17301538, type: swap</span></span>
dk5: syscgd, 1902669165 blocks at 50855970, type: cgd</span></span></code></pre>
NOTE</strong>

Your dk[number]</code> numbering may differ from above. Adjust accordingly:</p>
Define variables:</p>
DK_ESP="dk2"</span></span>
DK_ROOT="dk3"</span></span></code></pre>Format and mount the ESP wedge</h3>
newfs_msdos /dev/r${DK_ESP} && mount /dev/${DK_ESP} /mnt</span></span></code></pre>Add EFI boot entries to ESP</h3>
mkdir -p /mnt/EFI/boot && cp -v /usr/mdec/*.efi /mnt/EFI/boot</span></span></code></pre>
Unmount wedge:</p>
umount /mnt</span></span></code></pre>Format and mount the root wedge</h3>
Format and mount the root wedge with the FFSv2</code> file system with support for extended attributes and access control lists:</p>
newfs -O 2ea /dev/r${DK_ROOT} && mount /dev/${DK_ROOT} /targetroot</span></span></code></pre>4. Disk Encryption</h2>
NetBSD uses the cryptographic device driver</a> (CGD) to create and manage encrypted devices.</p>
Create encrypted device</h3>
Using cgdconfig</code>, a parameters file is generated that stores the encryption type, key length, and a random password salt for the new encrypted device.</p>
There are a few different encryption ciphers supported</a>. I choose aes-xts</code> with a 512-bit key:</p>
mkdir -p /targetroot/etc/cgd && chmod 700 /targetroot/etc/cgd</span></span>
cgdconfig -g -V disklabel -o /targetroot/etc/cgd/syscgd aes-xts 512</span></span></code></pre>
NOTE</strong>

NAME=syscgd</code> is the label for the CGD wedge created earlier.</p>
Create the encrypted device and assign it a passphrase. This passphrase will be used to open the CGD device at boot:</p>
cgdconfig -V re-enter cgd0 NAME=syscgd /targetroot/etc/cgd/syscgd</span></span></code></pre>Create disklabels</h3>
NOTE</strong>

Disklabels c</code> and d</code> have special meaning in NetBSD</a> and should not be used.</p>
Within the encrypted device, three disklabels are created:</p>
Disklabel</th> Mountpoint</th> Size</th></tr></thead>

cgd0a</td> /var</td> 8GB</td></tr>
cgd0b</td> /usr</td> 48GB</td></tr>
cgd0e</td> /home</td> ->END</td></tr>
</tbody></table>
Create the labels using disklabel</code> in interactive mode:</p>
# disklabel -Ii cgd0</span></span>
Enter '?' for help</span></span>
...</span></span></code></pre>
Create cgd0a</code>:</p>
partition>a</span></span>
Filesystem type [4.2BSD]: <enter></span></span>
Start offset ('x' to start after partition 'x') [0c, 0s, 0M]: <enter></span></span>
Partition size ('$' for all remaining) [947594c, 1940672512s, 947594M]: 8G</span></span>
  a: ...</span></span></code></pre>
Create cgd0b</code>:</p>
partition>b</span></span>
Filesystem type [unused]: 4.2BSD</span></span>
Start offset ('x' to start after partition 'x') [0c, 0s, 0M]: a</span></span>
Partition size ('$' for all remaining) [0c, 0s, 0M]: 48G    </span></span>
  b: ...</span></span></code></pre>
Create cgd0e</code>:</p>
partition>e</span></span>
Filesystem type [unused]: 4.2BSD</span></span>
Start offset ('x' to start after partition 'x') [0c, 0s, 0M]: b</span></span>
Partition size ('$' for all remaining) [0c, 0s, 0M]: $</span></span>
 e: ...</span></span></code></pre>
Write the label and quit:</p>
partition>W</span></span>
Label disk [n]?y</span></span>
Label written</span></span>
partition>Q</span></span></code></pre>Verify encrypted device</h3>
Set configuration in target device:</p>
echo 'cgd0 NAME=syscgd /etc/cgd/syscgd' > /targetroot/etc/cgd/cgd.conf</span></span></code></pre>
Close the CGD device:</p>
cgdconfig -u cgd0</span></span></code></pre>
Unlock the CGD device again with the passphrase set earlier:</p>
cgdconfig cgd0 NAME=syscgd /targetroot/etc/cgd/syscgd</span></span></code></pre>
The cgd0</code> drive should now be open and the disklabel visible:</p>
disklabel cgd0</span></span></code></pre>Format and mount disklabels</h3>
Format:</p>
newfs -O 2ea cgd0a</span></span>
newfs -O 2ea cgd0b</span></span>
newfs -O 2ea cgd0e</span></span></code></pre>
Mount:</p>
mkdir /targetroot/var /targetroot/usr /targetroot/home</span></span>
mount /dev/cgd0a /targetroot/var</span></span>
mount /dev/cgd0b /targetroot/usr</span></span>
mount /dev/cgd0e /targetroot/home</span></span></code></pre>5. Installation</h2>
The new system is composed of sets</strong> (collections of packages) installed to the target device. These sets are located in /amd64/binary/sets</code>. Move into that directory:</p>
cd /amd64/binary/sets && ls</span></span></code></pre>
NOTE</strong>

Adding flag p</code> to the tar</code> command is important. It ensures that all files preserve their owners</code> and mode</code>.</p>
At a minimum, you must select a kernel and the base</code> and etc</code> sets. Below are the sets I choose to install for a desktop setup:</p>
# for set in base comp etc games gpufw kern-GENERIC man misc modules rescue tests text xbase xcomp xetc xfont xserver; do</span></span>
> tar -xvzpf $set.tar.xz -C /targetroot</span></span>
> done</span></span></code></pre>6. Configure the System</h2>
Chroot into the freshly installed NetBSD and configure the new OS.</p>
Chroot</h3>
chroot /targetroot</span></span></code></pre>Directories</h3>
Create the kern</code> and proc</code> directories:</p>
mkdir kern proc</span></span></code></pre>Devices</h3>
cd dev</span></span>
sh MAKEDEV all</span></span></code></pre>
On a previous install, after rebooting the boot process halted with the error message:</p>
/etc/defaults/rc.conf: cannot create /dev/null: read-only file system</span></span>
/etc/rc: cannot create /dev/null: read-only file system</span></span></code></pre>
MAKEDEV</code> had created null</code> but it was incorrectly configured:</p>
# ls -l /dev/null</span></span>
-rw-r--r--  1 root  wheel  0 Apr  5 13:06 null</span></span></code></pre>
To avoid this error, remove the existing null</code>:</p>
rm /dev/null</span></span></code></pre>
Re-create null</code> with mknod</code>:</p>
# mknod -m 0666 -u root -g wheel /dev/null c 2 2 && ls -l /dev/null</span></span>
crw-rw-rw-  1 root  wheel  2, 2 Apr 11 13:10 /dev/null</span></span></code></pre>Root password</h3>
passwd</span></span></code></pre>Superuser</h3>
Create a user account assigned to the wheel</code> and operator</code> groups:</p>
useradd -G [groups] -m [username]</span></span></code></pre>
Example: Create an account for user foo</code> and assign a password:</p>
useradd -G wheel,operator -m foo</span></span>
passwd foo</span></span>
userinfo foo</span></span></code></pre>Fstab</h3>
# cat > /etc/fstab << EOF</span></span>
NAME=root         /         ffs     rw,log,noatime  	1 1</span></span>
NAME=swap         none      swap    sw,dp   		0 0</span></span>
tmpfs             /tmp      tmpfs   rw,-m1777,-sram%25</span></span>
kernfs            /kern     kernfs  rw</span></span>
ptyfs             /dev/pts  ptyfs   rw</span></span>
procfs            /proc     procfs  rw</span></span>
tmpfs             /var/shm  tmpfs   rw,-m1777,-sram%25</span></span>
/dev/cgd0a        /var      ffs     rw,log,noatime      1 2</span></span>
/dev/cgd0b        /usr      ffs     rw,log,noatime      1 2</span></span>
/dev/cgd0e        /home     ffs     rw,log,noatime      1 2 </span></span>
EOF</span></span></code></pre>Startup</h3>
Open rc.conf</code> for editing:</p>
vi /etc/rc.conf</span></span></code></pre>
NOTE</strong>

In this HOWTO, my hostname was earlier set to foobox.home.arpa</code> during network setup, and my wired interface is wm0</code>. Adjust accordingly:</p>
# If this is not set to YES, the system will drop into single-user mode.</span></span>
#</span></span>
rc_configured=YES</span></span>
</span>
# Add local overrides below.</span></span>
#</span></span>
# Wait for CGD to be unlocked before mounting.</span></span>
critical_filesystems_local="OPTIONAL:/var OPTIONAL:/usr"</span></span>
dhcpcd=YES</span></span>
dhcpcd_flags="-qM wm0"</span></span>
hostname=foobox.home.arpa</span></span>
sshd=YES</span></span>
ntpd=YES</span></span>
ntpdate=YES</span></span>
wscons=YES</span></span>
cgd=YES</span></span></code></pre>
Save changes and exit.</p>
NOTE</strong>

Any Error: /dev/ttyp0: No such file or directory</code> messages can be safely ignored.</p>
Keyboard</h3>
A full list of keyboard mappings and variants can be found in wskbd(4)</a>.</p>
Set encoding [type_of_keyboard]</code> in wscons.conf</code>.</p>
Open file for editing:</p>
vi /etc/wscons.conf</span></span></code></pre>
Example: I use the non-default colemak</code> keymap:</p>
encoding us.colemak</span></span></code></pre>
Save changes and exit.</p>
Timezone</h3>
Create a symlink to the appropriate timezone for your localtime</code>:</p>
ln -sf /usr/share/zoneinfo/[region/<city_or_sub-region] /etc/localtime</span></span></code></pre>
Example: Set localtime</code> to Canada/Eastern</code>:</p>
ln -sf /usr/share/zoneinfo/Canada/Eastern /etc/localtime && date</span></span></code></pre>Network interface</h3>
ifconfig.if(5)</a> contains the configuration details for each network interface.</p>
Example: Create an interface file for the wm0</code> interface that is assigned an IP address via DHCP:</p>
# cat > /etc/ifconfig.wm0 << EOF</span></span>
up</span></span>
media autoselect</span></span>
EOF</span></span></code></pre>Terminals</h3>
Set the status of terminals ttyE1-ttyE3</code> in ttys</code> from off</code> to on</code>.</p>
Open file for editing:</p>
vi /etc/ttys</span></span></code></pre>
This is how it should look:</p>
# name  getty                           type    status          comments</span></span>
#</span></span>
console "/usr/libexec/getty Pc"         wsvt25  off secure</span></span>
constty "/usr/libexec/getty Pc"         wsvt25  on secure</span></span>
ttyE0   "/usr/libexec/getty Pc"         wsvt25  off secure</span></span>
ttyE1   "/usr/libexec/getty Pc"         wsvt25  on secure</span></span>
ttyE2   "/usr/libexec/getty Pc"         wsvt25  on secure</span></span>
ttyE3   "/usr/libexec/getty Pc"         wsvt25  on secure</span></span></code></pre>
Save changes and exit.</p>
7. Finish Up</h2>
Exit chroot:</p>
exit</span></span>
cd /</span></span></code></pre>
Unmount:</p>
umount /targetroot/home</span></span>
umount /targetroot/usr</span></span>
umount /targetroot/var</span></span>
umount /targetroot</span></span></code></pre>
Close encrypted device:</p>
cgdconfig -u cgd0</span></span></code></pre>
Reboot system:</p>
shutdown -r now</span></span></code></pre>
NOTE</strong>

When prompted for the passphrase to unlock the encrypted device, keymap is us qwerty</code> regardless of keymap that might have been set in wscons.conf</code>.</p>
User is prompted for the passphrase to unlock the encrypted syscgd</code> device. Upon success, boot resumes:</p>
NetBSD/amd64 (foobox.home.arpa) (constty)</span></span>
</span>
login: root</span></span>
Password:</span></span></code></pre>
Welcome to NetBSD!</strong></p>
To shutdown/poweroff the system:</p>
shutdown -p now</span></span></code></pre>8. Resources</h2>

This HOWTO posted by vsis</a> was crucial in getting my own system configured with encryption: NetBSD - UEFI installation with Full Disk Encryption</a></li>
Alternative approach for disk encryption using a ramdisk on BIOS boot systems: NetBSD Full-Disk Encryption with CGD (BIOS/GPT)</a></li>
NetBSD INSTALL: Installation procedure for NetBSD/amd64</a></li>
NetBSD Wiki: Installing NetBSD on a x86 system with UEFI</a></li>
NetBSD Guide: Chapter 14. The cryptographic device driver (CGD)</a></li>
Suggested tools for inspecting disks: Disk management from Installation ISO</a></li>
Skipping sysinst install for a more "hands-on" approach: Manual NetBSD install on GPT/UEFI</a></li>
Swap encryption is now automatic using the vm.swap_encrypt=1</code> sysctl(8)</a> variable: Announcing NetBSD 10.0</a></li>
</ul>
Next: NetBSD: After the First Boot</em> (TODO)</p>

You can like, share, or comment on this post on the Fediverse</a> 💬
</p>

1. Start Here</h2>

2. Create Public and Private Keys</h2>

4. Disable Password Logins</h2>

5. Create an Alias</h2>

6. Keychain</h2>

Create SSH keys</h2>
Create an SSH public/private key pair to facilitate passwordless logins to remote servers and (optional) configure remote access to the localhost. Read More</a></p>

2. Configure the Live Environment</h2>
Boot the target device from the Chimera installation media. Login and password is `root:chimera</code>.</p>`

6. Configure the New System</h2>
Chroot into the freshly installed Chimera and configure the base system.</p>

7. ZFSBootMenu</h2>
Install the ZBM bootloader to support Root-on-ZFS</strong> boot environments on Linux.</p>

8. Finish Up</h2>

NetBSD Installation with Disk Encryption

4. Disk Encryption</h2>
NetBSD uses the cryptographic device driver</a> (CGD) to create and manage encrypted devices.</p>

6. Configure the System</h2>
Chroot into the freshly installed NetBSD and configure the new OS.</p>

Daniel Wayne Armstrong

Make Your Own Fortune

Configure SSH on FreeBSD for Passwordless Logins to Servers

FreeBSD: After the First Boot

Just Enough Chimera Linux

Daniel Wayne Armstrong

Make Your Own Fortune

Customize</h2> Create the my_fortune</code> file (I place mine in ~/.config</code>):</p>

Configure SSH on FreeBSD for Passwordless Logins to Servers

1. Start Here</h2>

On BOTH the CLIENT and the SERVER</h3> Create the .ssh</code> directory and authorized_keys</code> file in $HOME</code>:</p>

2. Create Public and Private Keys</h2>

On the CLIENT</h3> Create the SSH public/private key pair (example: ed25519</code>) protected with a passphrase:</p>

3. Share Public Key</h2>

On the CLIENT</h3> Upload the public key to the SERVER and append to the authorized_keys</code> file:</p>

4. Disable Password Logins</h2>

On the CLIENT</h3> While remaining logged into SERVER, open another terminal and verify the changes by attempting a new login using password authentication (which should fail</strong>):</p>

5. Create an Alias</h2>

On the CLIENT</h3> Create an alias for the SERVER in the user's ssh_config</code>:</p>

6. Keychain</h2>

FreeBSD: After the First Boot

Package management</h2> Package management is one area where the differences between the Linux philosophy and the BSD philosophy about how to build a system becomes apparent.</p>

Alias for root mail</h2> Rather than login to root to collect system mail, I forward the root user's mail to my non-root user's inbox.</p> Open the aliases</code> file for editing:</p>

Message of the day</h2> Quiet the "message of the day" (motd</code>) output after logging into the system by creating an empty .hushlogin</code> file:</p>

Clear system console at logout</h2> For the fish</code> shell I modify config.fish</code>:</p>

Just Enough Chimera Linux

2. Configure the Live Environment</h2> Boot the target device from the Chimera installation media. Login and password is root:chimera</code>.</p>

6. Configure the New System</h2> Chroot into the freshly installed Chimera and configure the base system.</p>

7. ZFSBootMenu</h2> Install the ZBM bootloader to support Root-on-ZFS</strong> boot environments on Linux.</p>

8. Finish Up</h2>

NetBSD Installation with Disk Encryption

4. Disk Encryption</h2> NetBSD uses the cryptographic device driver</a> (CGD) to create and manage encrypted devices.</p>

6. Configure the System</h2> Chroot into the freshly installed NetBSD and configure the new OS.</p>

2. Configure the Live Environment</h2>
Boot the target device from the Chimera installation media. Login and password is `root:chimera</code>.</p>`

6. Configure the New System</h2>
Chroot into the freshly installed Chimera and configure the base system.</p>

7. ZFSBootMenu</h2>
Install the ZBM bootloader to support Root-on-ZFS</strong> boot environments on Linux.</p>

4. Disk Encryption</h2>
NetBSD uses the cryptographic device driver</a> (CGD) to create and manage encrypted devices.</p>

6. Configure the System</h2>
Chroot into the freshly installed NetBSD and configure the new OS.</p>