feed.xml

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Philipp Schmid</title>
    <description>Philipp occasionally writes about things.</description>    
    <link>http://www.schmidp.com</link>
    <atom:link href="http://www.schmidp.com/feed.xml" rel="self" type="application/rss+xml" />
    
      <item>
        <title>Lets revive this :)</title>
        <description>&lt;p&gt;At least I hope this won’t stay empty for another four years…&lt;/p&gt;

&lt;p&gt;Btw, the Lancia is still not finished. It was a much worse buy than originally thought.&lt;/p&gt;

&lt;p&gt;I bought another one btw, this Honda Accord SJ 81 will stay in Bremen:&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2020-01-13-hello/teilchen.jpeg&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Also I witnessed this amazing firework in north korea:&lt;/p&gt;

&lt;iframe width=&quot;560&quot; height=&quot;315&quot; src=&quot;https://www.youtube.com/embed/Gdmvfl7Twpc&quot; frameborder=&quot;0&quot; allow=&quot;accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture&quot; allowfullscreen=&quot;&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;just posting random stuff for fun…&lt;/p&gt;

&lt;blockquote class=&quot;instagram-media&quot; data-instgrm-captioned=&quot;&quot; data-instgrm-permalink=&quot;https://www.instagram.com/p/B7PU316A3zq/?utm_source=ig_embed&amp;amp;utm_campaign=loading&quot; data-instgrm-version=&quot;12&quot; style=&quot; background:#FFF; border:0; border-radius:3px; box-shadow:0 0 1px 0 rgba(0,0,0,0.5),0 1px 10px 0 rgba(0,0,0,0.15); margin: 1px; max-width:540px; min-width:326px; padding:0; width:99.375%; width:-webkit-calc(100% - 2px); width:calc(100% - 2px);&quot;&gt;&lt;div style=&quot;padding:16px;&quot;&gt; &lt;a href=&quot;https://www.instagram.com/p/B7PU316A3zq/?utm_source=ig_embed&amp;amp;utm_campaign=loading&quot; style=&quot; background:#FFFFFF; line-height:0; padding:0 0; text-align:center; text-decoration:none; width:100%;&quot; target=&quot;_blank&quot;&gt; &lt;div style=&quot; display: flex; flex-direction: row; align-items: center;&quot;&gt; &lt;div style=&quot;background-color: #F4F4F4; border-radius: 50%; flex-grow: 0; height: 40px; margin-right: 14px; width: 40px;&quot;&gt;&lt;/div&gt; &lt;div style=&quot;display: flex; flex-direction: column; flex-grow: 1; justify-content: center;&quot;&gt; &lt;div style=&quot; background-color: #F4F4F4; border-radius: 4px; flex-grow: 0; height: 14px; margin-bottom: 6px; width: 100px;&quot;&gt;&lt;/div&gt; &lt;div style=&quot; background-color: #F4F4F4; border-radius: 4px; flex-grow: 0; height: 14px; width: 60px;&quot;&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div style=&quot;padding: 19% 0;&quot;&gt;&lt;/div&gt; &lt;div style=&quot;display:block; height:50px; margin:0 auto 12px; width:50px;&quot;&gt;&lt;svg width=&quot;50px&quot; height=&quot;50px&quot; viewBox=&quot;0 0 60 60&quot; version=&quot;1.1&quot; xmlns=&quot;https://www.w3.org/2000/svg&quot; xmlns:xlink=&quot;https://www.w3.org/1999/xlink&quot;&gt;&lt;g stroke=&quot;none&quot; stroke-width=&quot;1&quot; fill=&quot;none&quot; fill-rule=&quot;evenodd&quot;&gt;&lt;g transform=&quot;translate(-511.000000, -20.000000)&quot; fill=&quot;#000000&quot;&gt;&lt;g&gt;&lt;path d=&quot;M556.869,30.41 C554.814,30.41 553.148,32.076 553.148,34.131 C553.148,36.186 554.814,37.852 556.869,37.852 C558.924,37.852 560.59,36.186 560.59,34.131 C560.59,32.076 558.924,30.41 556.869,30.41 M541,60.657 C535.114,60.657 530.342,55.887 530.342,50 C530.342,44.114 535.114,39.342 541,39.342 C546.887,39.342 551.658,44.114 551.658,50 C551.658,55.887 546.887,60.657 541,60.657 M541,33.886 C532.1,33.886 524.886,41.1 524.886,50 C524.886,58.899 532.1,66.113 541,66.113 C549.9,66.113 557.115,58.899 557.115,50 C557.115,41.1 549.9,33.886 541,33.886 M565.378,62.101 C565.244,65.022 564.756,66.606 564.346,67.663 C563.803,69.06 563.154,70.057 562.106,71.106 C561.058,72.155 560.06,72.803 558.662,73.347 C557.607,73.757 556.021,74.244 553.102,74.378 C549.944,74.521 548.997,74.552 541,74.552 C533.003,74.552 532.056,74.521 528.898,74.378 C525.979,74.244 524.393,73.757 523.338,73.347 C521.94,72.803 520.942,72.155 519.894,71.106 C518.846,70.057 518.197,69.06 517.654,67.663 C517.244,66.606 516.755,65.022 516.623,62.101 C516.479,58.943 516.448,57.996 516.448,50 C516.448,42.003 516.479,41.056 516.623,37.899 C516.755,34.978 517.244,33.391 517.654,32.338 C518.197,30.938 518.846,29.942 519.894,28.894 C520.942,27.846 521.94,27.196 523.338,26.654 C524.393,26.244 525.979,25.756 528.898,25.623 C532.057,25.479 533.004,25.448 541,25.448 C548.997,25.448 549.943,25.479 553.102,25.623 C556.021,25.756 557.607,26.244 558.662,26.654 C560.06,27.196 561.058,27.846 562.106,28.894 C563.154,29.942 563.803,30.938 564.346,32.338 C564.756,33.391 565.244,34.978 565.378,37.899 C565.522,41.056 565.552,42.003 565.552,50 C565.552,57.996 565.522,58.943 565.378,62.101 M570.82,37.631 C570.674,34.438 570.167,32.258 569.425,30.349 C568.659,28.377 567.633,26.702 565.965,25.035 C564.297,23.368 562.623,22.342 560.652,21.575 C558.743,20.834 556.562,20.326 553.369,20.18 C550.169,20.033 549.148,20 541,20 C532.853,20 531.831,20.033 528.631,20.18 C525.438,20.326 523.257,20.834 521.349,21.575 C519.376,22.342 517.703,23.368 516.035,25.035 C514.368,26.702 513.342,28.377 512.574,30.349 C511.834,32.258 511.326,34.438 511.181,37.631 C511.035,40.831 511,41.851 511,50 C511,58.147 511.035,59.17 511.181,62.369 C511.326,65.562 511.834,67.743 512.574,69.651 C513.342,71.625 514.368,73.296 516.035,74.965 C517.703,76.634 519.376,77.658 521.349,78.425 C523.257,79.167 525.438,79.673 528.631,79.82 C531.831,79.965 532.853,80.001 541,80.001 C549.148,80.001 550.169,79.965 553.369,79.82 C556.562,79.673 558.743,79.167 560.652,78.425 C562.623,77.658 564.297,76.634 565.965,74.965 C567.633,73.296 568.659,71.625 569.425,69.651 C570.167,67.743 570.674,65.562 570.82,62.369 C570.966,59.17 571,58.147 571,50 C571,41.851 570.966,40.831 570.82,37.631&quot;&gt;&lt;/path&gt;&lt;/g&gt;&lt;/g&gt;&lt;/g&gt;&lt;/svg&gt;&lt;/div&gt;&lt;div style=&quot;padding-top: 8px;&quot;&gt; &lt;div style=&quot; color:#3897f0; font-family:Arial,sans-serif; font-size:14px; font-style:normal; font-weight:550; line-height:18px;&quot;&gt; View this post on Instagram&lt;/div&gt;&lt;/div&gt;&lt;div style=&quot;padding: 12.5% 0;&quot;&gt;&lt;/div&gt; &lt;div style=&quot;display: flex; flex-direction: row; margin-bottom: 14px; align-items: center;&quot;&gt;&lt;div&gt; &lt;div style=&quot;background-color: #F4F4F4; border-radius: 50%; height: 12.5px; width: 12.5px; transform: translateX(0px) translateY(7px);&quot;&gt;&lt;/div&gt; &lt;div style=&quot;background-color: #F4F4F4; height: 12.5px; transform: rotate(-45deg) translateX(3px) translateY(1px); width: 12.5px; flex-grow: 0; margin-right: 14px; margin-left: 2px;&quot;&gt;&lt;/div&gt; &lt;div style=&quot;background-color: #F4F4F4; border-radius: 50%; height: 12.5px; width: 12.5px; transform: translateX(9px) translateY(-18px);&quot;&gt;&lt;/div&gt;&lt;/div&gt;&lt;div style=&quot;margin-left: 8px;&quot;&gt; &lt;div style=&quot; background-color: #F4F4F4; border-radius: 50%; flex-grow: 0; height: 20px; width: 20px;&quot;&gt;&lt;/div&gt; &lt;div style=&quot; width: 0; height: 0; border-top: 2px solid transparent; border-left: 6px solid #f4f4f4; border-bottom: 2px solid transparent; transform: translateX(16px) translateY(-4px) rotate(30deg)&quot;&gt;&lt;/div&gt;&lt;/div&gt;&lt;div style=&quot;margin-left: auto;&quot;&gt; &lt;div style=&quot; width: 0px; border-top: 8px solid #F4F4F4; border-right: 8px solid transparent; transform: translateY(16px);&quot;&gt;&lt;/div&gt; &lt;div style=&quot; background-color: #F4F4F4; flex-grow: 0; height: 12px; width: 16px; transform: translateY(-4px);&quot;&gt;&lt;/div&gt; &lt;div style=&quot; width: 0; height: 0; border-top: 8px solid #F4F4F4; border-left: 8px solid transparent; transform: translateY(-4px) translateX(8px);&quot;&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/a&gt; &lt;p style=&quot; margin:8px 0 0 0; padding:0 4px;&quot;&gt; &lt;a href=&quot;https://www.instagram.com/p/B7PU316A3zq/?utm_source=ig_embed&amp;amp;utm_campaign=loading&quot; style=&quot; color:#000; font-family:Arial,sans-serif; font-size:14px; font-style:normal; font-weight:normal; line-height:17px; text-decoration:none; word-wrap:break-word;&quot; target=&quot;_blank&quot;&gt;20xx printrbot vs ultimaker 2+ #ultimaker #3dprinting&lt;/a&gt;&lt;/p&gt; &lt;p style=&quot; color:#c9c8cd; font-family:Arial,sans-serif; font-size:14px; line-height:17px; margin-bottom:0; margin-top:8px; overflow:hidden; padding:8px 0 7px; text-align:center; text-overflow:ellipsis; white-space:nowrap;&quot;&gt;A post shared by &lt;a href=&quot;https://www.instagram.com/schmidphilipp/?utm_source=ig_embed&amp;amp;utm_campaign=loading&quot; style=&quot; color:#c9c8cd; font-family:Arial,sans-serif; font-size:14px; font-style:normal; font-weight:normal; line-height:17px;&quot; target=&quot;_blank&quot;&gt; Philipp Schmid&lt;/a&gt; (@schmidphilipp) on &lt;time style=&quot; font-family:Arial,sans-serif; font-size:14px; line-height:17px;&quot; datetime=&quot;2020-01-13T00:19:30+00:00&quot;&gt;Jan 12, 2020 at 4:19pm PST&lt;/time&gt;&lt;/p&gt;&lt;/div&gt;&lt;/blockquote&gt;
&lt;script async=&quot;&quot; src=&quot;//www.instagram.com/embed.js&quot;&gt;&lt;/script&gt;

</description>
        <pubDate>Mon, 13 Jan 2020 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2020/01/13/hello/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2020/01/13/hello/</guid>
      </item>
    
      <item>
        <title>Lancia Fulvia Sport (Zagato) 1600</title>
        <description>&lt;p&gt;I cannot really remember why I got interested in old cars - I do remember always admiring Tim Taylor from Home Improvement, for slowly building up his Hot Rod.&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2016-04-18-lancia-fulvia-zagato/hotrod.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;But what specifically got me to buy myself a classic car book and price index (&lt;a rel=&quot;nofollow&quot; href=&quot;http://www.amazon.de/gp/product/395843309X/ref=as_li_tl?ie=UTF8&amp;amp;camp=1638&amp;amp;creative=6742&amp;amp;creativeASIN=395843309X&amp;amp;linkCode=as2&amp;amp;tag=schmidp-21&quot;&gt;Oldtimer Katalog Nr. 30: Europas größter Marktführer - Jubiläumsausgabe 30 Jahre&lt;/a&gt;&lt;img src=&quot;http://ir-de.amazon-adsystem.com/e/ir?t=schmidp-21&amp;amp;l=as2&amp;amp;o=3&amp;amp;a=395843309X&quot; width=&quot;1&quot; height=&quot;1&quot; border=&quot;0&quot; alt=&quot;&quot; style=&quot;border:none !important; margin:0px !important;&quot; /&gt;) slipped my mind.&lt;/p&gt;

&lt;p&gt;Anyway, I went thought the book and looked for cars that have an interesting style, are not yet extremely expensive and have some kind of interesting history. The car that stood out in the end was the Lancia Fulvia Zagato.&lt;/p&gt;

&lt;h1 id=&quot;car-1-vienna&quot;&gt;Car #1 Vienna&lt;/h1&gt;

&lt;p&gt;So I started looking for those cars and there was even one 1972 1.6 being sold near Vienna for € 24500 at &lt;a href=&quot;http://www.oldie-point.at&quot;&gt;Jüly Oldie Point&lt;/a&gt;. Lena and I had a look at the car on a weekend sometime in 2015, it was a red 1.6 liter one. Lancia only built 800 of them.&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2016-04-18-lancia-fulvia-zagato/zagato_wien.jpg&quot; /&gt;&lt;/p&gt;

&lt;p&gt;But the car was in a condition, that I didn’t have the guts to buy it:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Broken windscreen&lt;/li&gt;
  &lt;li&gt;Doors did not close&lt;/li&gt;
  &lt;li&gt;Carburates where removed and seemed to have burned&lt;/li&gt;
  &lt;li&gt;Lot’s of other things I don’t rembember&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;car-2-amsterdam&quot;&gt;Car #2 Amsterdam&lt;/h1&gt;

&lt;p&gt;Then I looked at a car in Amsterdam. The seller wanted € 30000 when I first saw the car online (maybe early 2015?) and € 35000 in November 2015:&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2016-04-18-lancia-fulvia-zagato/zagato_amsterdam.jpg&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I did not buy the car (the last price was € 33000), because I was hoping to find one in better condition and maybe even cheaper directly in italy.&lt;/p&gt;

&lt;h1 id=&quot;car-3-milano&quot;&gt;Car #3 Milano&lt;/h1&gt;

&lt;p&gt;So the next stop was Milano in Italy. I wanted to look at this car (which is currently still available):
 &lt;a href=&quot;http://ww3.autoscout24.at/classified/274848683&quot;&gt;http://ww3.autoscout24.at/classified/274848683&lt;/a&gt;, so Lena and I flew to Milano over the weekend to also do some sight seeing.&lt;/p&gt;

&lt;p&gt;By chance, there also was the Milano Classic Expo on the same weekend, where Lena and I went to on Saturday morning.
Lots of great cars :-) We even saw (and heared!) a Lancia Stratos racing around a track.&lt;/p&gt;

&lt;p&gt;At the expo, I also saw my orange Zagato for the first time, but more about that &lt;a href=&quot;#car-4-milano&quot;&gt;later&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;So we left the expo to look at the red Zagato:&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2016-04-18-lancia-fulvia-zagato/zagato_gabrielle.jpg&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The owner was a private seller (a lawyer) and very nice, he picked us up from the hotel and showed us the car.
He wanted € 40000, but I felt that the Zagato at the Expo was in better shape and much cheaper.
So I offered him a much, much lower price, which he (as I expected) did not acccept.&lt;/p&gt;

&lt;h1 id=&quot;car-4-milano&quot;&gt;Car #4 Milano&lt;/h1&gt;

&lt;p&gt;As already mentioned, at the Milano Classic Car expo, there was an orange Zagato for sale by a dealer (Grimaldi in Vigevano).&lt;/p&gt;

&lt;p&gt;Here are some pictures of the car at the expo:&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2016-04-18-lancia-fulvia-zagato/milano_expo_1.jpg&quot; /&gt;
&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2016-04-18-lancia-fulvia-zagato/milano_expo_2.jpg&quot; /&gt;
&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2016-04-18-lancia-fulvia-zagato/milano_expo_3.jpg&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After the weekend in Milano I was back in Vienna and there was still no Zagato in my driveway :-/&lt;/p&gt;

&lt;p&gt;Luckily, two weeks later I had a business trip to Milano and used the time to look at the orange one again. I took a test drive and inspected the car for 2 hours:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;the engine was hot when I came there, but was running very nice otherwise&lt;/li&gt;
  &lt;li&gt;some coolant was leaking from a tube, nothing major&lt;/li&gt;
  &lt;li&gt;bumpers have quite a few dents&lt;/li&gt;
  &lt;li&gt;the dashboard is cracked not particularly nice&lt;/li&gt;
  &lt;li&gt;speedometer does not work&lt;/li&gt;
  &lt;li&gt;the door handles feel loose and they do not lock well.&lt;/li&gt;
  &lt;li&gt;some rust at the rear hatch, but overall I could’t find much rust&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;But, from my limited knowlege, the car looked pretty complete.&lt;/p&gt;

&lt;p&gt;So I pulled the trigger and made the dealer an offer that included transporting the car to Vienna.
He accepted, we shook hands and I was the owner of a 44 year old car.&lt;/p&gt;

&lt;p&gt;According to the dealer, the story of the car is: A guy bought it 20 years ago and restored it. Shortly afterwards he had a fatal car accident and the car stayed in his garage until his wife sold it to the dealer.&lt;/p&gt;

&lt;p&gt;About two weeks later the dealer sent me a picture of the car being loaded onto a trailer:&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2016-04-18-lancia-fulvia-zagato/trailer_behind.jpg&quot; /&gt;&lt;/p&gt;

&lt;p&gt;So on the 15th of April my &lt;em&gt;Lancia Fulvia Zagato 1600 818.750 001490&lt;/em&gt; finally arrived at his new home:&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2016-04-18-lancia-fulvia-zagato/home.jpg&quot; /&gt;&lt;/p&gt;

</description>
        <pubDate>Mon, 18 Apr 2016 00:00:00 +0200</pubDate>
        <link>http://www.schmidp.com/2016/04/18/lancia-fulvia-zagato/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2016/04/18/lancia-fulvia-zagato/</guid>
      </item>
    
      <item>
        <title>Full Disk Encryption with GRUB 2 + LUKS + LVM + SWRAID on Debian Jessie</title>
        <description>&lt;p&gt;In January I started setting up a home server/NAS based on FreeBSD on a HP Microserver. Read about my setup in &lt;a href=&quot;/2014/01/06/zfs-full-disk-encryption-with-freebsd-10-part-1/&quot;&gt;part 1&lt;/a&gt; and &lt;a href=&quot;/2014/01/07/zfs-full-disk-encryption-with-freebsd-10-part-2/&quot;&gt;part 2&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;While I generally like the idea (BSD license, complete base system in one repo) and community behind FreeBSD, I have the feeling that the project is missing some manpower. VIMAGE is still experimental and in combination with PF it will crash every night (because of a Cron job). There seems to be a bug that IPSec tunnels bypass the firewall.
There is no AMD support in bhyve yet (it’s scheduled for October 2014 with the 10.1 release), so I cannot run any virtual machines on my home server.&lt;/p&gt;

&lt;p&gt;So my concerns about manpower and the fact that I cannot run any virtual machines yet lead me back to Debian Linux.&lt;/p&gt;

&lt;h1 id=&quot;the-plan&quot;&gt;The Plan&lt;/h1&gt;

&lt;p&gt;Because with Debian I can use KVM and run multiple virtual machines, I’ll set up a minimalistic, fully encrypted base system with Debian. All services the NAS will supply will run in virtual machines that run Ubuntu, Debian or FreeBSD.&lt;/p&gt;

&lt;h1 id=&quot;the-setup&quot;&gt;The Setup&lt;/h1&gt;

&lt;p&gt;Before we finally talk about the setup, I’d like to give attribution to the blog posts that I based this guide on:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;http://michael-prokop.at/blog/2014/02/28/state-of-the-art-debianwheezy-deployments-with-grub-and-lvmsw-raidcrypto/&quot;&gt;State of the art Debian/wheezy deployments with GRUB and LVM/SW-RAID/Crypto&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption&quot;&gt;archlinux: dm-crypt/Device encryption&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;hardware&quot;&gt;Hardware&lt;/h2&gt;

&lt;p&gt;I have four disks in my HP MicroServer:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Disk 1: Operating System - 3.5’ 250GB 7200RPM HDD&lt;/li&gt;
  &lt;li&gt;Disk 2: Operating System - 2.5’ 200GB 7200RPM HDD&lt;/li&gt;
  &lt;li&gt;Disk 3: Data - 3.5’ 4TB NAS HDD&lt;/li&gt;
  &lt;li&gt;Disk 4: Data - 3.5’ 4TB NAS HDD&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The first two disks will hold the base operating system and maybe the virtual machine operating system images.
The data disks will be for data only.&lt;/p&gt;

&lt;p&gt;The storage system layers will look like this:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;| Filesystem (eg. ext4) |
| LVM                   |
| LUKS Crypto           |
| Linux Software RAID 1 |
| Physical Hard Disk    |
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Above the physical block layer, we’ll put a Linux software RAID. The first RAID 1 will span disks 1 and 2 and a second RAID 1 will span the data disks (disks 3 and 4).&lt;/p&gt;

&lt;p&gt;And on top of the software RAID will be the encryption layer. Why not the other way round? Because otherwise we would have two crypto devices instead of one, and the CPU would have to encrypt/decrypt any write/read operation twice.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.saout.de/pipermail/dm-crypt/2011-July/001789.html&quot;&gt;This thread&lt;/a&gt; on the dm-crypt list discusses the two options.&lt;/p&gt;

&lt;h2 id=&quot;software&quot;&gt;Software&lt;/h2&gt;

&lt;p&gt;We are going to use &lt;a href=&quot;http://grml.org&quot;&gt;grml&lt;/a&gt;, a Debian-based rescue/admin live distribution, to install the system.&lt;/p&gt;

&lt;p&gt;So after downloading grml and booting the live CD, let’s start with becoming root:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;sudo &lt;/span&gt;su -&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;initialize-the-disks-with-random-data&quot;&gt;Initialize the disks with random data&lt;/h3&gt;

&lt;p&gt;We will start writing random data to the two operating system disks.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;badblocks &lt;span class=&quot;nt&quot;&gt;-c&lt;/span&gt; 10240 &lt;span class=&quot;nt&quot;&gt;-w&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; random &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;-v&lt;/span&gt; /dev/sda
badblocks &lt;span class=&quot;nt&quot;&gt;-c&lt;/span&gt; 10240 &lt;span class=&quot;nt&quot;&gt;-w&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; random &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;-v&lt;/span&gt; /dev/sdb&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;This may take a very long time, depending on how big your disks are.&lt;/p&gt;

&lt;h3 id=&quot;partitioning-the-os-disks&quot;&gt;Partitioning the OS disks&lt;/h3&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# parted /dev/sda&lt;/span&gt;
GNU Parted 2.3
Using /dev/sda
Welcome to GNU Parted! Type &lt;span class=&quot;s1&quot;&gt;'help'&lt;/span&gt; to view a list of commands.
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;parted&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; mklabel gpt                                                      
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;parted&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; mkpart primary 2048s 4095s
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;parted&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;1 bios_grub on                                               
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;parted&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; name 1 &lt;span class=&quot;s2&quot;&gt;&quot;BIOS Boot Partition&quot;&lt;/span&gt;                                     
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;parted&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; mkpart primary 4096s 100%                                        
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;parted&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;2 raid on
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;parted&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; name 2 &lt;span class=&quot;s2&quot;&gt;&quot;SW-RAID / Linux&quot;&lt;/span&gt;                                         
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;parted&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; quit                                                             
Information: You may need to update /etc/fstab.&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Copy the the partition table from the first disk to the second:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# sgdisk -R=/dev/sdb /dev/sda&lt;/span&gt;
The operation has completed successfully.&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Set new UUIDs on /dev/sdb:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# sgdisk -G /dev/sdb&lt;/span&gt;
The operation has completed successfully.&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;raid-mirror-setup&quot;&gt;RAID Mirror Setup&lt;/h3&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# mdadm --create /dev/md0 --verbose --level=mirror --raid-devices=2 /dev/sda2 /dev/sdb2&lt;/span&gt;
mdadm: Note: this array has metadata at the start and
    may not be suitable as a boot device.  If you plan to
    store &lt;span class=&quot;s1&quot;&gt;'/boot'&lt;/span&gt; on this device please ensure that
    your boot-loader understands md/v1.x metadata, or use
    &lt;span class=&quot;nt&quot;&gt;--metadata&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0.90
mdadm: size &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;to 10474496K
Continue creating array? y
mdadm: Defaulting to version 1.2 metadata
mdadm: array /dev/md0 started.&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;luks-crypto-setup&quot;&gt;LUKS Crypto Setup&lt;/h3&gt;

&lt;p&gt;We use aes-xts as XTS works especially well for encrypting filesystems.&lt;br /&gt;
The keysize of 512 is actually 256, because XTS splits the key in half.&lt;br /&gt;
Because we use sha512 instead of sha1, we need to increase the time for the hash iterations.&lt;br /&gt;
Also, we have to use /dev/random instead of /dev/urandom, as urandom does not stop giving data if entropy gets low.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;cryptsetup &lt;span class=&quot;nt&quot;&gt;-v&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;--cipher&lt;/span&gt; aes-xts-plain64 &lt;span class=&quot;nt&quot;&gt;--key-size&lt;/span&gt; 512 &lt;span class=&quot;nt&quot;&gt;--hash&lt;/span&gt; sha512 &lt;span class=&quot;nt&quot;&gt;--iter-time&lt;/span&gt; 5000 &lt;span class=&quot;nt&quot;&gt;--use-random&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;--verify-passphrase&lt;/span&gt; luksFormat /dev/md0&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Now let’s open the crypto device:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;cryptsetup luksOpen /dev/md0 cryptomd0&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;lvm-setup&quot;&gt;LVM Setup&lt;/h3&gt;

&lt;p&gt;Let’s create a physical volume and a volume group:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# pvcreate /dev/mapper/cryptomd0&lt;/span&gt;
  Physical volume &lt;span class=&quot;s2&quot;&gt;&quot;/dev/mapper/cryptomd0&quot;&lt;/span&gt; successfully created
root@grml ~ &lt;span class=&quot;c&quot;&gt;# vgcreate system /dev/mapper/cryptomd0&lt;/span&gt;
  Volume group &lt;span class=&quot;s2&quot;&gt;&quot;system&quot;&lt;/span&gt; successfully created&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Now the logical volumes. Be sure to ajust the sizes of the volumes to fit your system:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# lvcreate -n swap -L1G system&lt;/span&gt;
  Logical volume &lt;span class=&quot;s2&quot;&gt;&quot;swap&quot;&lt;/span&gt; created
root@grml ~ &lt;span class=&quot;c&quot;&gt;# lvcreate -n root -L6G system&lt;/span&gt;
  Logical volume &lt;span class=&quot;s2&quot;&gt;&quot;root&quot;&lt;/span&gt; created&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;create-the-file-systems&quot;&gt;Create the file systems&lt;/h3&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# mkfs.ext4 /dev/system/root&lt;/span&gt;
mke2fs 1.42.9 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;4-Feb-2014&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Filesystem &lt;span class=&quot;nv&quot;&gt;label&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;
OS &lt;span class=&quot;nb&quot;&gt;type&lt;/span&gt;: Linux
Block &lt;span class=&quot;nv&quot;&gt;size&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;4096 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;log&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Fragment &lt;span class=&quot;nv&quot;&gt;size&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;4096 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;log&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;Stride&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0 blocks, Stripe &lt;span class=&quot;nv&quot;&gt;width&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0 blocks
393216 inodes, 1572864 blocks
78643 blocks &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;5.00%&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; reserved &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;the super user
First data &lt;span class=&quot;nv&quot;&gt;block&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0
Maximum filesystem &lt;span class=&quot;nv&quot;&gt;blocks&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;1610612736
48 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
  32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: &lt;span class=&quot;k&quot;&gt;done                            
&lt;/span&gt;Writing inode tables: &lt;span class=&quot;k&quot;&gt;done                            
&lt;/span&gt;Creating journal &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;32768 blocks&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;: &lt;span class=&quot;k&quot;&gt;done
&lt;/span&gt;Writing superblocks and filesystem accounting information: &lt;span class=&quot;k&quot;&gt;done&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# mkswap -f /dev/system/swap&lt;/span&gt;
Setting up swapspace version 1, size &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; 1048572 KiB
no label, &lt;span class=&quot;nv&quot;&gt;UUID&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;a44ea90d-72b4-4d2c-864f-70e9d2218651&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;preparing-for-installation&quot;&gt;Preparing for installation&lt;/h3&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# mkdir /mnt/root&lt;/span&gt;
root@grml ~ &lt;span class=&quot;c&quot;&gt;# mount /dev/system/root /mnt/root&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;installation&quot;&gt;Installation&lt;/h3&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;grml-debootstrap &lt;span class=&quot;nt&quot;&gt;--target&lt;/span&gt; /mnt/root &lt;span class=&quot;nt&quot;&gt;--password&lt;/span&gt; YOUR_PASSWORD &lt;span class=&quot;nt&quot;&gt;--hostname&lt;/span&gt; YOUR_HOSTNAME &lt;span class=&quot;nt&quot;&gt;--release&lt;/span&gt; jessie&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;finishing-the-installation&quot;&gt;Finishing the installation&lt;/h3&gt;

&lt;p&gt;Let’s get into our new installation:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# grml-chroot /mnt/root /bin/bash&lt;/span&gt;
Writing /etc/debian_chroot ...
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;YOUR_HOSTNAME&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;root@grml:/#&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;rna&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;root@grml:~# apt-get install console-setup&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Edit /etc/fstab to look like:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;/dev/system/root  / auto    defaults,errors&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;remount-ro  0 1
/dev/system/swap  none  swap    sw                      0 0
proc      /proc proc    defaults                        0 0&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Edit /etc/crypttab to look like:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;cryptomd0 /dev/md0 none luks&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;YOUR_HOSTNAME&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;root@grml:~# &lt;span class=&quot;nb&quot;&gt;echo &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;GRUB_CRYPTODISK_ENABLE&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;y &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/default/grub
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;YOUR_HOSTNAME&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;root@grml:~# &lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'GRUB_PRELOAD_MODULES=&quot;lvm cryptodisk mdraid1x&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/default/grub&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;YOUR_HOSTNAME&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;root@grml:/# grub-install /dev/sda
Installation finished. No error reported.
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;YOUR_HOSTNAME&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;root@grml:/# grub-install /dev/sdb
Installation finished. No error reported.&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;YOUR_HOSTNAME&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;root@grml:/# update-initramfs &lt;span class=&quot;nt&quot;&gt;-k&lt;/span&gt; all &lt;span class=&quot;nt&quot;&gt;-u&lt;/span&gt;
update-initramfs: Generating /boot/initrd.img-3.14-1-amd64
df: Warning: cannot &lt;span class=&quot;nb&quot;&gt;read &lt;/span&gt;table of mounted file systems
&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;YOUR_HOSTNAME&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;root@grml:~# update-grub
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.14-1-amd64
Found initrd image: /boot/initrd.img-3.14-1-amd64
&lt;span class=&quot;k&quot;&gt;done&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;prepare-for-reboot&quot;&gt;Prepare for reboot&lt;/h3&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;YOUR_HOSTNAME&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;root@grml:~# &lt;span class=&quot;nb&quot;&gt;exit
exit
&lt;/span&gt;grml-chroot /mnt/root /bin/bash  9.21s user 2.43s system 0% cpu 21:20.00 total
root@grml ~ &lt;span class=&quot;c&quot;&gt;# umount /mnt/root&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h3 id=&quot;reboot&quot;&gt;Reboot&lt;/h3&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@grml ~ &lt;span class=&quot;c&quot;&gt;# reboot&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

</description>
        <pubDate>Fri, 12 Dec 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/12/12/full-disk-encryption-with-grub-2-+-luks-+-lvm-+-swraid-on-debian/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/12/12/full-disk-encryption-with-grub-2-+-luks-+-lvm-+-swraid-on-debian/</guid>
      </item>
    
      <item>
        <title>Book List September 2014</title>
        <description>&lt;p&gt;Books I read in September:&lt;/p&gt;

&lt;h2 id=&quot;the-lean-startup-by-eric-ries&quot;&gt;&lt;a href=&quot;http://amzn.to/10YLoFA&quot;&gt;The Lean Startup&lt;/a&gt; by Eric Ries&lt;/h2&gt;

&lt;h3 id=&quot;notes&quot;&gt;Notes&lt;/h3&gt;

&lt;p&gt;Building a startup is an exercise in institution building; thus, it necessarily involves management.&lt;/p&gt;

&lt;p&gt;The Lean Startup method, in contrast, is designed to teach you how to drive a startup.
Instead of marking complex plans that are based on a lot of assumptions, you can make constant adjustments with a steering wheel called the Build-Measure-Learn feedback loop.&lt;/p&gt;

&lt;p&gt;A startup is a human institution designed to create a new product or service under conditions of extreme uncertainty.&lt;/p&gt;

&lt;p&gt;Lean thinking defines value as providing benefit to the customer; anything else is waste.&lt;/p&gt;

&lt;p&gt;I’ve come to believe that learning is the essential unit of progress for startups.&lt;/p&gt;

&lt;p&gt;This is true startup productivity: Systematically figuring out the right things to build.&lt;/p&gt;

&lt;p&gt;The two most important assumptions entrepreneurs make are what I call the value hypotheses and the growth hypotheses. The value hypotheses tests weather a product or service really delivers value to customers once they are using it. For the growth hypotheses, which tests how new customers will discover a product or service, …&lt;/p&gt;

&lt;p&gt;Their [entrepreneurs and managers] challenge is to overcome the prevailing management thinking that puts its faith in well-researched plans. Remember, planning is a tool that only works in the presence of a long and stable operating history.&lt;/p&gt;

&lt;p&gt;Build-Measure-Learn Feedback Loop: LEARN -&amp;gt; Ideas -&amp;gt; BUILD -&amp;gt; Product -&amp;gt; MEASURE -&amp;gt; Data -&amp;gt; LEARN&lt;/p&gt;

&lt;p&gt;… we need to focus our energies on minimising the &lt;em&gt;total&lt;/em&gt; time through this feedback loop. This is the essence of steering a startup…&lt;/p&gt;

&lt;p&gt;[To implemented validated learning] … the method I recommend is called &lt;em&gt;innovation accounting&lt;/em&gt;, a quantitive approach that allows us to see whether our engine-tuning efforts are bearing fruit. It also allows us to create learning milestones.&lt;/p&gt;

&lt;p&gt;Finally, and most important, there’s the &lt;em&gt;pivot&lt;/em&gt;. Upon completing the Build-Measure-Learn loop, we confront the most difficult question any entrepreneur faces: whether to pivot the original strategy or persevere.&lt;/p&gt;

&lt;p&gt;Although we write the feedback loop as Build-Measure-Learn because the activities happen in that order, our planning really works in the reverse order: we figure out what we need to learn, use innovation accounting to figure out what we need to measure to know if we are gaining validated learning, and then figure out what product we need to build to run that experiment and get that measurement.&lt;/p&gt;

&lt;p&gt;The first challenge and entrepreneur is to build an organisation that can test these [basically all, business assumptions, strategy assumptions, assumptions about customer acceptance.] assumptions systematically. The second challenge, as in all entrepreneurial situations, is to perform that rigorous testing without losing sight of the company’s overall vision.&lt;/p&gt;

&lt;p&gt;The restated approach should make clear that what is needed is to do some empirical testing first: let’s make sure that there really are hungry customers out there eager to embrace our new technology.&lt;/p&gt;

&lt;p&gt;There are many value-destroying kinds of growth that should be avoided. An example would be a business that grows through continuous fund-raising from investors and logs of paid advertising but does not develop a value-creating product.&lt;/p&gt;

&lt;p&gt;The importance of basing strategic decisions on firsthand understanding of customers is one of the core principles that underlies the Toyota Production System. At Toyota, this goes by the Japanese term &lt;em&gt;genchi gembutsu&lt;/em&gt;, which is one of the most important phrases in the lean manufacturing vocabulary. In English, it is usually translated as a directive to “go and see for yourself” so that business decisions can be based on deep firsthand knowledge.&lt;/p&gt;

&lt;p&gt;Before new products can be sold successfully to the mass market, they have to be sold to early adopters. These people are a special breed of customer. They accept - in fact prefer - an 80 percent solution; you don’t need a perfect solution to capture their interest.&lt;/p&gt;

&lt;p&gt;Early adopters use their imagination to fill in what a product is missing. They prefer that state of affairs, because what they care about above all is being the first to use or adopt a new product or technology. In consumer products, it’s often the thrill of being the first one on the block to show off a new basketball shoe, music player, or cool phone. In enterprise products, it’s often about gaining a competitive advantage by taking a risk with something new that competitors don’t have yet. Early adopters are suspicious of something that is too polished: if it’s already for everyone to adopt, how much advantage can one get by being early? As a result, additional features or polish beyond what early adopters demand is a form of wasted resources and time.&lt;/p&gt;

&lt;p&gt;It is important to contrast this with the case of a small business, in which it is routine to see the CEO, founder, president, and owner serving customers directly, one at a time. In a concierge MVP, this personalised service is not the product but a learning activity designed to test the leap-of-faith assumptions in the company’s growth model.&lt;/p&gt;

&lt;p&gt;In a Wizard of Oz test, customers believe they are interacting with the actual product, but behind the scenes human beings are doing the work.&lt;/p&gt;

&lt;p&gt;If we do not know who the customers is, we do not know what quality is.&lt;/p&gt;

&lt;p&gt;Customers don’t care how much time something takes to build. They care only if it serves their needs.&lt;/p&gt;

&lt;p&gt;As you consider building your own minimum viable product, let this simple rule suffice: remove any feature, process, or effort that does not contribute directly to the learning you seek.&lt;/p&gt;

&lt;p&gt;For startups that rely on patent protection, there are special challenges with releasing an early product. [so read up on them]&lt;/p&gt;

&lt;p&gt;In fact, I have often given entrepreneurs fearful of this issue the following assignment: take one of your ideas (one of your lesser insights, perhaps), find the name of the relevant product manager at an established company who has responsibility for that area, and try to get that company to steal your idea. Call them up, write them a memo, send them a press release - go ahead, try it. The truth is that most managers in most companies are already overwhelmed with good ideas. Their challenge lies in prioritisation and execution, and it is those challenges that give a startup hope of surviving.&lt;/p&gt;

&lt;p&gt;The only way to win is to learn faster than anyone else.&lt;/p&gt;

&lt;p&gt;Successful entrepreneurs do not give up at the first sign of trouble, nor do they preserve the plane right into the ground. Instead, they possess unique combination of perseverance and flexibility.&lt;/p&gt;

&lt;p&gt;We all need a disciplined, systematic approach to figuring out if we’re making progress and discovering if we’re actually achieving validated learning.&lt;/p&gt;

&lt;p&gt;This is why to myth of perseverance is so dangerous. We all know stories of epic entrepreneurs who managed to pull out a victory when things seemed incredibly bleak. Unfortunately, we don’t hear stories about the countless nameless others who preserved too long, leading their companies to failure.&lt;/p&gt;

&lt;p&gt;When one is choosing among the many assumptions in a business plan, it makes sense to test the riskiest assumptions first.&lt;/p&gt;

&lt;p&gt;To demonstrate validated learning, the design changes must improve the activation rate of new customers. If they do not, the new design should be judged a failure. This is an important rule: a good design is one that changes customer behaviour for the better.&lt;/p&gt;

&lt;p&gt;Compared to a lot of startups, the Grockit team had a huge advantage: they were tremendously disciplined. A disciplined team may apply the wrong methodology but can shift gears quickly once it discovers its error. Most important, a disciplined team can experiment with its own working style and draw meaning ful conclusions.&lt;/p&gt;

&lt;p&gt;.. the three A’s of metrics. actionable, accessible, and auditable.&lt;/p&gt;

&lt;p&gt;In Silicon Valley, we call this experience getting stuck in the land of the living dead. It happens when a company has achieved a modicum of success - just enough to stay alive - but is not living up to the expectations of its founders and investors. Such companies are a terrible drain of human energy. Out of loyalty, the employees and founders don’t want to give in; they feel the success might be just around the corner.&lt;/p&gt;

&lt;p&gt;We’ve discussed the telltale signs of the need to pivot: the decreasing effectiveness of product experiments and the general feeling that the product development should be more productive. Whenever you see those symptoms, consider a pivot.&lt;/p&gt;

&lt;p&gt;I recommend that every startup have a regular “pivot or preserve” meeting. In my experience, less than a few weeks between meetings is too often and more than a few months is too infrequent.&lt;/p&gt;

&lt;p&gt;Working in small batches ensures that a startup can minimise the expenditure of time, money, and effort that ultimately turns out to have been wasted.&lt;/p&gt;

&lt;p&gt;Five Whys is a powerful organisational technique. Some of the engineers I have trained to use it believe that you can derive all the other Lean Startup techniques from the Five Whys. Coupled with working in small batches, it provides the foundation a company needs to respond quickly to problems as they appear, without overinvesting or overengineering.&lt;/p&gt;

&lt;p&gt;I ask teams to adopt these simple rules:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Be tolerant of all mistakes the first first time&lt;/li&gt;
  &lt;li&gt;Never allow the same mistake to be made twice&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As Lean Startups grow, they can use adaptive techniques to develop more complex processes without giving up their core advantage: speed through the Build-Measure-Learn feedback loop. In fact, one of the primary benefits of using techniques that are derived from lean manufacturing is that Lean Startups, when they grow up, are well positioned to develop operational excellence based on lean principles. They already know how to operate with discipline, develop processes that are tailor-made to their situation, and use lean techniques such as the Five Whys and small batches.&lt;/p&gt;

&lt;p&gt;… startup teams require three structural attributes: scarce but secure resources, independent authority to develop their business, and a personal stake in the outcome.&lt;/p&gt;

&lt;p&gt;Shusa … Toyota employees translate the term as chief engineer, and they refer to the vehicle under development as the shusa’s car. They assured us that the shush has final, absolute authority over every aspect of vehicle development.&lt;/p&gt;

&lt;p&gt;There is a fourth phase as well, one dominated by operating costs and legacy products. This is the domain of outsourcing, automation and cost reduction.&lt;/p&gt;

&lt;p&gt;Over time, those teams are almost guaranteed to improve as long as they get the constant feedback of small-batch development and actionable metrics and are held accountable to learning milestones.&lt;/p&gt;
</description>
        <pubDate>Fri, 10 Oct 2014 00:00:00 +0200</pubDate>
        <link>http://www.schmidp.com/2014/10/10/book-list-september-2014/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/10/10/book-list-september-2014/</guid>
      </item>
    
      <item>
        <title>Notes on: Sam Altman's How to Start a Startup - Lecture 2</title>
        <description>&lt;p&gt;Y Combinator teaches a class at Stanford on startups: &lt;a href=&quot;http://startupclass.samaltman.com&quot;&gt;http://startupclass.samaltman.com&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;These are my notes on &lt;a href=&quot;http://startupclass.samaltman.com/courses/lec02/&quot;&gt;Lecture 2&lt;/a&gt;:&lt;/p&gt;

&lt;h1 id=&quot;ideas-products-teams-and-execution-part-ii&quot;&gt;Ideas, Products, Teams and Execution Part II&lt;/h1&gt;

&lt;h2 id=&quot;qa-on-lecture-1&quot;&gt;Q&amp;amp;A on Lecture 1&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;How to identify markets that are growing quickly:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Trust your instincts. Younger people/students have an advantage. Just watch what you and others are doing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How to deal with burnout as a founder:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It sucks, but you just have to keep going. Address the things that are going wrong . . .&lt;/p&gt;

&lt;h2 id=&quot;lecture-2&quot;&gt;Lecture 2&lt;/h2&gt;

&lt;h3 id=&quot;co-founders&quot;&gt;Co-Founders&lt;/h3&gt;

&lt;p&gt;The co-founder relationship is very, very important – one of the most important decisions. The track record for companies whose founders don’t know each other well is very bad.&lt;/p&gt;

&lt;p&gt;A solo founder is better than a random co-founder.&lt;/p&gt;

&lt;p&gt;A founder should be relentlessly resourceful. A founder’s role model should be James Bond (really!). You need someone who behaves like James Bond.&lt;/p&gt;

&lt;p&gt;You want to have known your co-founders for years.&lt;/p&gt;

&lt;p&gt;You want a tough, calm co-founder.&lt;/p&gt;

&lt;p&gt;Two or three co-founders work well. Five are really bad.&lt;/p&gt;

&lt;p&gt;When should co-founders decide on the equity split? Very soon after they start working together. It should be near equal.&lt;/p&gt;

&lt;p&gt;You have to discuss what happens when a co-founder leaves. Shares should vest over four years. Anyone who leaves within the first year gets nothing.&lt;/p&gt;

&lt;p&gt;Co-founders should be in the same location. Sam is very skeptical about remote teams in general.&lt;/p&gt;

&lt;h3 id=&quot;team&quot;&gt;Team&lt;/h3&gt;

&lt;p&gt;Try not to hire! Be proud to have as few employees as possible.&lt;/p&gt;

&lt;p&gt;The most successful YC companies have no or very few employees. In the early days, the goal should be not to hire.&lt;/p&gt;

&lt;p&gt;The cost of getting an early hire wrong is very high. It usually kills the company.&lt;/p&gt;

&lt;p&gt;Write down a list of core values a hire should have. Most importantly, he should love the product. (Would you still want to work on our project if you got a medical diagnosis that you had only one year left to live?)&lt;/p&gt;

&lt;p&gt;Have a very high bar. Get the best people.&lt;/p&gt;

&lt;p&gt;It can easily take a year to recruit someone very good.&lt;/p&gt;

&lt;p&gt;How much time should you spend on hiring? Either 0 or 25% of your time.&lt;/p&gt;

&lt;p&gt;Mediocre engineers do not build great companies. Mediocre engineers infect the culture of a startup and destroy it.&lt;/p&gt;

&lt;p&gt;The best people to hire are people you or your coworkers already know.&lt;/p&gt;

&lt;p&gt;For most early hires in a startup experience does not help very much, but appetite does.&lt;/p&gt;

&lt;p&gt;What to look at:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Are they smart?&lt;/li&gt;
  &lt;li&gt;Do they get things done?&lt;/li&gt;
  &lt;li&gt;Do I want to spend a lot of time around them?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Call references. Dig in. Is this person in the top 5%? Why don’t you try to hire this person again?&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Good communication skills&lt;/li&gt;
  &lt;li&gt;Maniacally determined (they should also like risk)&lt;/li&gt;
  &lt;li&gt;Pass the “animal test” (see &lt;a href=&quot;http://www.paulgraham.com/start.html&quot;&gt;Paul Graham&lt;/a&gt; )&lt;/li&gt;
  &lt;li&gt;You would feel comfortable reporting to them&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Care more about giving equity to employees than investors. Be generous with equity to early employees.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;After you hire someone, you have to retain them.&lt;/strong&gt; They have to feel happy and valued.&lt;/p&gt;

&lt;p&gt;Praise your team. Give your team credit for all the good that happens. You take responsibility for the bad things.&lt;/p&gt;

&lt;p&gt;Fire fast. It’s better for the company, it’s better for the employee.&lt;/p&gt;

&lt;h3 id=&quot;execution&quot;&gt;Execution&lt;/h3&gt;

&lt;p&gt;Whatever the founders do becomes the culture. The founders have to be execution machines.&lt;/p&gt;

&lt;p&gt;Ideas themselves are not worth anything without someone executing them.&lt;/p&gt;

&lt;p&gt;The CEO has five jobs:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Set the vision&lt;/li&gt;
  &lt;li&gt;Raise money&lt;/li&gt;
  &lt;li&gt;Evangelize the company&lt;/li&gt;
  &lt;li&gt;Hire and manage&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Make sure the entire company executes&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Execution: Can you figure out what to do? You get it done.&lt;/strong&gt;&lt;/p&gt;

&lt;h4 id=&quot;focus&quot;&gt;Focus&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Focus.&lt;/strong&gt; Identify the most important two or three things and work on them. Ignore or delegate the others. If you don’t, you will never be great about getting stuff done.&lt;/p&gt;

&lt;p&gt;Many startups/founders work really hard, but they work on the wrong things. If you work really hard on the wrong things, nobody will care.&lt;/p&gt;

&lt;p&gt;Communicate the goals. This keeps the company focused and everyone works in the right direction. Communicate them over and over again.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Focus on growth and momentum.&lt;/strong&gt; Have metrics for this. If you don’t focus on these two things, you are probably doing it wrong.&lt;/p&gt;

&lt;h4 id=&quot;intensity&quot;&gt;Intensity&lt;/h4&gt;

&lt;p&gt;You have to outwork your competitors.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Relentless operating rhythm (move fast and break things)&lt;/li&gt;
  &lt;li&gt;Obsession with execution quality&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You need to move fast, but maintain high quality (of course it’s tricky)&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Bias towards action: you need to make decisions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The best founders are:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Quick: they respond to email quickly . . .&lt;/li&gt;
  &lt;li&gt;Present: they show up at meetings . . .&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Always keep momentum.&lt;/strong&gt; Never take your foot off the gas peddle. A winning team keeps winning. A losing team gets demotivated and keeps losing.&lt;/p&gt;

&lt;p&gt;Software startups: always keep growing.&lt;/p&gt;

&lt;p&gt;Hardware startups: don’t miss shipping dates.&lt;/p&gt;

&lt;p&gt;Getting the product right in the beginning is the best way to avoid losing momentum later.&lt;/p&gt;

&lt;p&gt;If you have a demotivated team, you have to find small wins. “Sales fix everything.”&lt;/p&gt;

&lt;p&gt;Don’t worry about competitors unless they beat you with a real, shipped product. Don’t give a shit about press releases.&lt;/p&gt;

&lt;p&gt;Don’t spend more money than you have.&lt;/p&gt;
</description>
        <pubDate>Sat, 27 Sep 2014 00:00:00 +0200</pubDate>
        <link>http://www.schmidp.com/2014/09/27/notes-on-sam-altmans-how-to-start-a-startup-lecture-2/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/09/27/notes-on-sam-altmans-how-to-start-a-startup-lecture-2/</guid>
      </item>
    
      <item>
        <title>Notes on: Sam Altman's How to Start a Startup - Lecture 1</title>
        <description>&lt;p&gt;Y Combinator teaches a class at Stanford on startups: &lt;a href=&quot;http://startupclass.samaltman.com&quot;&gt;http://startupclass.samaltman.com&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;These are my notes on &lt;a href=&quot;http://startupclass.samaltman.com/courses/lec01/&quot;&gt;Lecture 1&lt;/a&gt;:&lt;/p&gt;

&lt;h1 id=&quot;welcome-and-ideas-products-teams-and-execution-part-i&quot;&gt;Welcome, and Ideas, Products, Teams and Execution Part I&lt;/h1&gt;

&lt;p&gt;The course is for startups that aim for hyper growth.&lt;/p&gt;

&lt;p&gt;It covers four areas:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Idea&lt;/li&gt;
  &lt;li&gt;Product&lt;/li&gt;
  &lt;li&gt;Team&lt;/li&gt;
  &lt;li&gt;Execution&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;idea&quot;&gt;Idea&lt;/h2&gt;

&lt;p&gt;Only start a company if you want to fix a specific problem, not for the sake of the startup itself. The problem comes first, the startup second.&lt;/p&gt;

&lt;p&gt;Long-term thinking is extremely important – 10 years.&lt;/p&gt;

&lt;p&gt;Build a business that is difficult to replicate.&lt;/p&gt;

&lt;p&gt;The idea comes first. A good idea is extremely important.&lt;/p&gt;

&lt;p&gt;Have a mission-oriented idea. People need a mission to be really good at something.&lt;/p&gt;

&lt;p&gt;Good startups take 10 years.&lt;/p&gt;

&lt;p&gt;Copying an existing idea is nothing that gets people excited.&lt;/p&gt;

&lt;p&gt;Ideas that seem bad at first are often very good. If it sounded really good, everybody would do it.&lt;/p&gt;

&lt;p&gt;Find a niche where you can create a monopoly and expand from that.&lt;/p&gt;

&lt;p&gt;The initial idea does not have to sound big, but it has to take a big market share of a specific niche.&lt;/p&gt;

&lt;p&gt;Think about the growth rate of the market.&lt;/p&gt;

&lt;p&gt;Ask yourself the question: Why now? Why was two years ago too early? Why will it be too late in two years?&lt;/p&gt;

&lt;p&gt;Build something you need yourself; otherwise, you’re at a big disadvantage.&lt;/p&gt;

&lt;p&gt;The idea should be very easy to explain. If that is not possible, the idea is too complicated.&lt;/p&gt;

&lt;p&gt;Think about the market first – what people want.&lt;/p&gt;

&lt;h2 id=&quot;product&quot;&gt;Product&lt;/h2&gt;

&lt;p&gt;Great Idea -&amp;gt; Great Product -&amp;gt; Great Company&lt;/p&gt;

&lt;p&gt;Build a good product. Ignore everything else. Build something that users love.&lt;/p&gt;

&lt;p&gt;Build something that a small number of users love, instead of building something that a lot of people use, but do not love.&lt;/p&gt;

&lt;p&gt;Sales and marketing is very important, but in the early days you need organic growth. If you don’t have it, you just waste your money on sales and marketing.&lt;/p&gt;

&lt;p&gt;Very few startups die from competition. Most die because they don’t build something that users love.&lt;/p&gt;

&lt;p&gt;Great founders are fanatic about the quality of the product.&lt;/p&gt;

&lt;p&gt;Create a very tight feedback loop. Show it -&amp;gt; Feedback -&amp;gt; Product&lt;/p&gt;

&lt;p&gt;The use of metrics is super-important:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;total registrations&lt;/li&gt;
  &lt;li&gt;active users&lt;/li&gt;
  &lt;li&gt;activity levels&lt;/li&gt;
  &lt;li&gt;cohort retention&lt;/li&gt;
  &lt;li&gt;revenue&lt;/li&gt;
  &lt;li&gt;Net Promoter Score&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;More on that in the next class . . .&lt;/p&gt;

&lt;h1 id=&quot;dustin-moskovitz-why-to-start-a-startup&quot;&gt;Dustin Moskovitz: Why to Start a Startup&lt;/h1&gt;

&lt;p&gt;“You Can’t Not Do It.” You are so passionate about it that you &lt;em&gt;have&lt;/em&gt; to do it.&lt;/p&gt;

&lt;p&gt;When you’re recruiting, candidates can smell if you don’t have passion.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Do something the world needs!&lt;/em&gt;&lt;/p&gt;
</description>
        <pubDate>Thu, 25 Sep 2014 00:00:00 +0200</pubDate>
        <link>http://www.schmidp.com/2014/09/25/notes-on-sam-altmans-how-to-start-a-startup/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/09/25/notes-on-sam-altmans-how-to-start-a-startup/</guid>
      </item>
    
      <item>
        <title>Book List August 2014</title>
        <description>&lt;p&gt;Books I read in August:&lt;/p&gt;

&lt;h2 id=&quot;software-estimation-demystifying-the-black-art-developer-best-practices-by-steve-mcconnell&quot;&gt;&lt;a href=&quot;http://amzn.to/1o3X8vO&quot;&gt;Software Estimation: Demystifying the Black Art (Developer Best Practices)&lt;/a&gt; by Steve McConnell&lt;/h2&gt;

&lt;p&gt;The book is about software estimation as an art, not a science. It aims to help you get your estimates within a plus/minus 25% range. While 25% still sounds huge, many companies have trouble estimating more precisely than plus/minus 100%, which I can confirm from our own (painful, expensive) experience.&lt;/p&gt;

&lt;p&gt;McConnell gives you a framework of estimation techniques that you can use, adapt and combine to improve the estimation skills of your team/organization. We have started to use some very simple techniques from the book and are already feeling much more confident in our estimations.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;tl;dr&lt;/strong&gt; Tighten the &lt;a href=&quot;http://www.construx.com/Thought_Leadership/Books/The_Cone_of_Uncertainty/&quot;&gt;Cone of Uncertainty&lt;/a&gt;. Count, don’t judge. Use historical data from your own team/organization to estimate size, effort, and schedule.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Buy?&lt;/strong&gt; Yes&lt;/p&gt;

&lt;h2 id=&quot;how-to-organize-offshore-and-nearshore-collaboration-lessons-learned-in-offshoring-and-nearshoring-by-hugo-messer-et-al&quot;&gt;&lt;a href=&quot;http://amzn.to/1qLH5Zi&quot;&gt;How to organize offshore and nearshore collaboration: Lessons learned in offshoring and nearshoring&lt;/a&gt; by Hugo Messer et al.&lt;/h2&gt;

&lt;h3 id=&quot;notes&quot;&gt;Notes&lt;/h3&gt;

&lt;p&gt;Three ingredients for successful remote collaboration:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;process&lt;/li&gt;
  &lt;li&gt;responsibilities&lt;/li&gt;
  &lt;li&gt;performance (and measuring)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Ensure that the team members discuss their personal development with their manager every 3-6 months.&lt;/p&gt;

&lt;p&gt;The product owner should be onshore, as close as possible to the customer.&lt;/p&gt;

&lt;p&gt;The whole team is part of sprint planning (via videoconferencing).&lt;/p&gt;

&lt;p&gt;Who is responsible for:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Describing the functionality and user stories?&lt;/li&gt;
  &lt;li&gt;Deciding what to build when in a sprint?&lt;/li&gt;
  &lt;li&gt;Testing the app?&lt;/li&gt;
  &lt;li&gt;Demoing the app?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One crucial role in offshore collaboration is a “process manager” (also called a delivery manager, quality manager or similar title). This person’s responsibility lies outside the project, and his core mission is to ensure smooth communication between the onshore and offshore teams.&lt;/p&gt;

&lt;p&gt;To lay a solid foundation for remote collaboration, it is important to create “think time” before “doing”.&lt;/p&gt;

&lt;p&gt;If your collaboration involves core algorithms or functionality, have good NDAs and grant access on a strict need-to-know basis.&lt;/p&gt;

&lt;p&gt;Lack of proper planning makes it impossible to set up the right infrastructure and results in the failure of many projects. Agile development thrives in an environment which promotes collaboration and trust, and the right infrastructure is the key enabler for this.&lt;/p&gt;

&lt;p&gt;The audio/video devices from Avaya and Polycom have given me good results in many locations.&lt;/p&gt;

&lt;p&gt;Interactive digital whiteboards are cool.&lt;/p&gt;

&lt;p&gt;Use a tool that’s able to record both the screen and the audio during conference calls.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://camstudio.org/&quot;&gt;CamStudio&lt;/a&gt; has a pretty good free screen recording software.&lt;/p&gt;

&lt;p&gt;When team members from a different country visit, get volunteers from the onshore part of the same team to accompany them. They can act as local guides for shopping and sightseeing. I have personally experienced strong bonding after such outings.&lt;/p&gt;

&lt;p&gt;Set up periodic communication about the project vision, overall project milestones, and key developments.&lt;/p&gt;

&lt;p&gt;Use a gated check-in policy (all commits still have to build). Use continuous integration.&lt;/p&gt;

&lt;p&gt;Ensure that everyone has a good and current view of the project. Use wikis, dashboards, chats, blogs, and issue tracking.&lt;/p&gt;

&lt;p&gt;Continuous integration is a practice which enables early assembly of code units to a common shared mainline, as well as reflection on code quality, unit tests, and other kinds of measurable parameters.&lt;/p&gt;

&lt;p&gt;Dashboards on LCD TVs in a project area are a nice way to represent the current build status and compliance reports for the agreed quality indicators.&lt;/p&gt;

&lt;p&gt;There is no rule of thumb except that local teams should be able to work independently and that dependencies across teams should be identified and clear. This could mean that roles such as Business Analyst or Technical Architect will have to co-exist with local teams (this was for offshore teams).&lt;/p&gt;

&lt;p&gt;We have found that our best practice in nearshoring is to work together as one team rather than subcontracting parts of the work. Modern communication devices and the availability of high bandwidth enables this. We call this an eXtended Resource Team (XRT).&lt;/p&gt;

&lt;p&gt;XRT Principles&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;&lt;strong&gt;We are all equal colleagues.&lt;/strong&gt; We treat every team member as a colleague – not as a replaceable extra resource, but as a long-term colleague.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;We are one Team.&lt;/strong&gt; Both teams can do all activities. In this way we steer away from work packages and are free to distribute the tasks on a day-to-day basis where the availability and capacity are independent of the location.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;We have daily contact.&lt;/strong&gt; Every day, the manager interacts with all the team members. Thus, we make sure that the team stays together and everyone has the same knowledge available to make the right decisions.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;We create opportunities together.&lt;/strong&gt; The team manager visits the nearshore part of the team at least every other month. The whole team gets together at the start of a new project and at least once a year.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;tl;dr&lt;/strong&gt; Use collaboration tools. Build a team. Someone has to be responsible.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Buy?&lt;/strong&gt; Maybe&lt;/p&gt;

&lt;h2 id=&quot;how-to-get-prepared-for-managing-a-remote-team-by-hugo-messer-et-al&quot;&gt;&lt;a href=&quot;http://amzn.to/XELiRX&quot;&gt;How To Get Prepared For Managing A Remote Team&lt;/a&gt; by Hugo Messer et al.&lt;/h2&gt;

&lt;h3 id=&quot;notes-1&quot;&gt;Notes&lt;/h3&gt;

&lt;p&gt;I just started taking notes on my Kindle, so I don’t have many on this book.&lt;/p&gt;

&lt;h4 id=&quot;offshore-process&quot;&gt;Offshore Process&lt;/h4&gt;
&lt;p&gt;Ambiguities in specification documents will be very expensive.
Expect a lack of background understanding of the business processes (of the project or the customer) by your offshore team.&lt;/p&gt;

&lt;p&gt;Make sure you have developed a common understanding on the expected deliverables.&lt;/p&gt;

&lt;h4 id=&quot;team-room&quot;&gt;Team Room&lt;/h4&gt;
&lt;p&gt;This is only for working. There should be another room for casual or non-work-related talk.&lt;/p&gt;

&lt;p&gt;You need good headsets so you can talk collaboratively without disturbing others.&lt;/p&gt;

&lt;p&gt;You need multiple project walls, as well as a company wall.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;tl;dr&lt;/strong&gt; Interesting read for everyone thinking about building a nearshore or offshore team.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Buy?&lt;/strong&gt; Yes&lt;/p&gt;
</description>
        <pubDate>Wed, 10 Sep 2014 00:00:00 +0200</pubDate>
        <link>http://www.schmidp.com/2014/09/10/book-list-august-2014/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/09/10/book-list-august-2014/</guid>
      </item>
    
      <item>
        <title>IPSec between FreeBSD and Mac OS X in Transport Mode</title>
        <description>&lt;p&gt;Because I do not trust WPA2 Wifi encryption for sensitive data, I implemented IPSec in transport mode between my NAS and my Mac.&lt;/p&gt;

&lt;h1 id=&quot;mac-os-x&quot;&gt;Mac OS X&lt;/h1&gt;

&lt;p&gt;Open the file containing the pre-shared keys:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;sudo &lt;/span&gt;vim /etc/racoon/psk.txt&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;And add the IP adress of the FreeBSD box:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;10.0.1.5      password&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Add to /etc/racoon/racoon.conf&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;remote 10.0.1.5 &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;500]
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
  exchange_mode main&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  doi ipsec_doi&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  situation identity_only&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

  my_identifier   address 10.0.1.6&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  peers_identifier        address 10.0.1.5&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

  lifetime        &lt;span class=&quot;nb&quot;&gt;time &lt;/span&gt;8 hour&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  passive         off&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  proposal_check  obey&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  generate_policy off&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

  proposal &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
    encryption_algorithm    aes 256&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    hash_algorithm          sha512&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    authentication_method   pre_shared_key&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    lifetime &lt;span class=&quot;nb&quot;&gt;time           &lt;/span&gt;30 sec&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    dh_group                16&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  &lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;c&quot;&gt;# Mac &amp;lt;-&amp;gt; NAS transport&lt;/span&gt;
sainfo address 10.0.1.6 any address 10.0.1.5 any &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
  pfs_group 16&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  encryption_algorithm aes 256&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  authentication_algorithm hmac_sha512&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  compression_algorithm deflate&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;/etc/racoon/setkey.conf:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;c&quot;&gt;#!/usr/sbin/setkey -f&lt;/span&gt;

&lt;span class=&quot;c&quot;&gt;## Flush the SAD and SPD&lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;#&lt;/span&gt;
flush&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
spdflush&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;


&lt;span class=&quot;c&quot;&gt;# Mac &amp;lt;-&amp;gt; NAS transport&lt;/span&gt;
spdadd 10.0.1.6 10.0.1.5 any &lt;span class=&quot;nt&quot;&gt;-P&lt;/span&gt; out ipsec esp/transport//require ah/transport//require&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
spdadd 10.0.1.5 10.0.1.6 any &lt;span class=&quot;nt&quot;&gt;-P&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;in &lt;/span&gt;ipsec esp/transport//require ah/transport//require&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h1 id=&quot;freebsd-10&quot;&gt;FreeBSD 10&lt;/h1&gt;

&lt;p&gt;First you need to compile a kernel that supports IPSec. Check the &lt;a href=&quot;https://www.freebsd.org/doc/handbook/ipsec.html&quot;&gt;FreeBSD handbook&lt;/a&gt; on how to do that.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;options         IPSEC
device          crypto
options         IPSEC_FILTERTUNNEL
device          enc&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Assuming you are running a kernel that supports IPSec:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;cd&lt;/span&gt; /usr/ports/security/ipsec-tools
make install&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Pre-shared keys:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;vim /usr/local/etc/racoon/psk.txt&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;And add the IP address of the FreeBSD box:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;10.0.1.6      password&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;chmod 0600 /usr/local/etc/racoon/psk.txt&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Setup: /usr/local/etc/racoon/racoon.conf:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;c&quot;&gt;# search this file for pre_shared_key with various ID keys.&lt;/span&gt;
path pre_shared_key &lt;span class=&quot;s2&quot;&gt;&quot;/usr/local/etc/racoon/psk.txt&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

&lt;span class=&quot;c&quot;&gt;# racoon will look for certificate file in the directory,&lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;# if the certificate/certificate request payload is received.&lt;/span&gt;
path certificate &lt;span class=&quot;s2&quot;&gt;&quot;/etc/cert&quot;&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

&lt;span class=&quot;c&quot;&gt;# &quot;padding&quot; defines some parameter of padding.  You should not touch these.&lt;/span&gt;
padding
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
  maximum_length 20&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;      &lt;span class=&quot;c&quot;&gt;# maximum padding length.&lt;/span&gt;
  randomize off&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;          &lt;span class=&quot;c&quot;&gt;# enable randomize length.&lt;/span&gt;
  strict_check off&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;       &lt;span class=&quot;c&quot;&gt;# enable strict check.&lt;/span&gt;
  exclusive_tail off&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;     &lt;span class=&quot;c&quot;&gt;# extract last one octet.&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;c&quot;&gt;# If no listen directive is specified, racoon will listen to all&lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;# available interface addresses.&lt;/span&gt;
listen
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
  isakmp          10.0.1.5 &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;500]&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;c&quot;&gt;# Specification of default various timer.&lt;/span&gt;
timer
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
  &lt;span class=&quot;c&quot;&gt;# These value can be changed per remote node.&lt;/span&gt;
  counter 10&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;             &lt;span class=&quot;c&quot;&gt;# maximum trying count to send.&lt;/span&gt;
  interval 3 sec&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;c&quot;&gt;# interval to resend (retransmit)&lt;/span&gt;
  persend 1&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;              &lt;span class=&quot;c&quot;&gt;# the number of packets per a send.&lt;/span&gt;

  &lt;span class=&quot;c&quot;&gt;# timer for waiting to complete each phase.&lt;/span&gt;
  phase1 30 sec&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  phase2 30 sec&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;

remote 10.0.1.6 &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;500]
&lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
  exchange_mode   main&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  doi             ipsec_doi&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  situation       identity_only&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  my_identifier   address 10.0.1.5&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  peers_identifier        address 10.0.1.6&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  lifetime        &lt;span class=&quot;nb&quot;&gt;time &lt;/span&gt;8 hour&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  passive         off&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  proposal_check  obey&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  generate_policy off&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

    proposal &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
      encryption_algorithm    aes 256&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      hash_algorithm          sha512&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      authentication_method   pre_shared_key&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      lifetime &lt;span class=&quot;nb&quot;&gt;time           &lt;/span&gt;30 sec&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
      dh_group                16&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;c&quot;&gt;# NAS &amp;lt;-&amp;gt; Mac transport&lt;/span&gt;
sainfo address 10.0.1.5 any address 10.0.1.6 any &lt;span class=&quot;o&quot;&gt;{&lt;/span&gt;
  pfs_group 16&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  encryption_algorithm aes 256&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  authentication_algorithm hmac_sha512&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
  compression_algorithm deflate&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Setup: /usr/local/etc/racoon/setkey.conf:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;flush&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
spdflush&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;

&lt;span class=&quot;c&quot;&gt;# NAS &amp;lt;-&amp;gt; Mac transport&lt;/span&gt;
spdadd 10.0.1.5 10.0.1.6 any &lt;span class=&quot;nt&quot;&gt;-P&lt;/span&gt; out ipsec esp/transport//require ah/transport//require&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
spdadd 10.0.1.6 10.0.1.5 any &lt;span class=&quot;nt&quot;&gt;-P&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;in &lt;/span&gt;ipsec esp/transport//require ah/transport//require&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Configure pf rules /etc/pf.conf:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;c&quot;&gt;# IPSec&lt;/span&gt;
pass &lt;span class=&quot;k&quot;&gt;in &lt;/span&gt;quick proto esp from any to any
pass &lt;span class=&quot;k&quot;&gt;in &lt;/span&gt;quick proto ah from any to any
pass &lt;span class=&quot;k&quot;&gt;in &lt;/span&gt;quick proto ipencap from any to any
pass &lt;span class=&quot;k&quot;&gt;in &lt;/span&gt;quick proto udp from any &lt;span class=&quot;nv&quot;&gt;port&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;500 to any &lt;span class=&quot;nv&quot;&gt;port&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;500
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any &lt;span class=&quot;nv&quot;&gt;port&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;500 to any &lt;span class=&quot;nv&quot;&gt;port&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;500&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Add to /etc/rc.conf&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;c&quot;&gt;# IPSec&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;ipsec_enable&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;YES&quot;&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;ipsec_program&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;/usr/local/sbin/setkey&quot;&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;ipsec_file&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;/usr/local/etc/racoon/setkey.conf&quot;&lt;/span&gt; &lt;span class=&quot;c&quot;&gt;# allows setting up spd policies on boot&lt;/span&gt;
&lt;span class=&quot;nv&quot;&gt;racoon_enable&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;yes&quot;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Run:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;sysctl net.inet.ipsec.filtertunnel&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;1
sysctl net.inet6.ipsec6.filtertunnel&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;1&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Add to /etc/sysctl.conf to persist:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;c&quot;&gt;# IPSec filtering&lt;/span&gt;
net.inet.ipsec.filtertunnel&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;1
net.inet6.ipsec6.filtertunnel&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;1&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

</description>
        <pubDate>Mon, 20 Jan 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/01/20/ipsec-between-freebsd-and-mac-osx/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/01/20/ipsec-between-freebsd-and-mac-osx/</guid>
      </item>
    
      <item>
        <title>Setup Google Authenticator on FreeBSD</title>
        <description>&lt;p&gt;Run as root:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;cd&lt;/span&gt; /usr/ports/security/pam_google_authenticator
make install
mkdir /var/lib/google-authenticator&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Edit &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/pam.d/sshd&lt;/code&gt;:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;auth      required    pam_google_authenticator.so nullok noskewadj&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Edit &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/pam.d/system&lt;/code&gt;:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;auth      required    pam_google_authenticator.so nullok noskewadj&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Leave out nullok if you do not want to allow users without having google-authenticator configured to be able to log in.&lt;br /&gt;
Be sure your root account has google-authenticator setup if you remove nullok and added it to /etc/pam.d/system.&lt;/p&gt;

&lt;p&gt;Run &lt;code class=&quot;highlighter-rouge&quot;&gt;google-authenticator&lt;/code&gt; with every user you want to be able to use it.&lt;/p&gt;

</description>
        <pubDate>Sun, 12 Jan 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/01/12/setup-google-authenticator-on-freebsd/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/01/12/setup-google-authenticator-on-freebsd/</guid>
      </item>
    
      <item>
        <title>Securing FreeBSD. A living Post.</title>
        <description>&lt;p&gt;In this post I’m collecting snippets that make FreeBSD more secure.&lt;br /&gt;
I’ll be making updates to this post on an ongoing basis.&lt;/p&gt;

&lt;h1 id=&quot;do-not-allow-unprivileged-users--to-use-the-ptrace-system-call&quot;&gt;Do not allow unprivileged users  to use the ptrace system call&lt;/h1&gt;

&lt;p&gt;To disable ptrace for unprivileged users, run as root:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;sysctl security.bsd.unprivileged_proc_debug&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'security.bsd.unprivileged_proc_debug=0'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/sysctl.conf&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;More information: &lt;a href=&quot;http://lists.freebsd.org/pipermail/freebsd-security/2013-June/007067.html&quot;&gt;FreeBSD Security Advisory FreeBSD-SA-13:06.mmap [REVISED]&lt;/a&gt;&lt;/p&gt;
</description>
        <pubDate>Sat, 11 Jan 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/01/11/securing-freebsd-a-living-post/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/01/11/securing-freebsd-a-living-post/</guid>
      </item>
    
      <item>
        <title>ZFS Full Disk Encryption with FreeBSD 10 - Part 2</title>
        <description>&lt;h1 id=&quot;part-1&quot;&gt;Part 1&lt;/h1&gt;

&lt;p&gt;Before continuing, be sure to &lt;a href=&quot;/2014/01/06/zfs-full-disk-encryption-with-freebsd-10-part-1/&quot;&gt;read part 1&lt;/a&gt; of this blogpost.&lt;/p&gt;

&lt;h1 id=&quot;what-you-will-need&quot;&gt;What you will need&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;1 at least 1GB USB stick for the FreeBSD installer image&lt;/li&gt;
  &lt;li&gt;1 or more xGB USB sticks for the boot files and encryption keys&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You should create multiple copies of the USB stick that holds the boot files and encryption keys. If you lose the stick or the data gets corrupted and you don’t have another copy, all your data stored on the encrypted disks is lost.&lt;/p&gt;

&lt;h1 id=&quot;booting-the-freebsd-installer&quot;&gt;Booting the FreeBSD Installer&lt;/h1&gt;

&lt;p&gt;I’m using a USB stick with the FreeBSD 10 memstick image to boot into the FreeBSD installer. &lt;a href=&quot;/2014/01/04/getting-the-freebsd-10-installer-onto-an-usb-stick-under-mac-os-x/&quot;&gt;See here&lt;/a&gt; for a Mac OS X guide on how to get the memstick image onto a USB stick.&lt;/p&gt;

&lt;p&gt;Now after your system finishes booting from the USB stick, it should present you with a blue, text-based installer giving you three options:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Install&lt;/li&gt;
  &lt;li&gt;Shell&lt;/li&gt;
  &lt;li&gt;Live CD&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We will start by dropping into the &lt;strong&gt;shell&lt;/strong&gt; and run &lt;code class=&quot;highlighter-rouge&quot;&gt;su -&lt;/code&gt; to get a root shell.&lt;/p&gt;

&lt;h1 id=&quot;sshd&quot;&gt;SSHd&lt;/h1&gt;

&lt;p&gt;I will assume that your server is connected to your LAN during the installation.
That way we can start an SSH daemon from the installer image and use our Mac or PC to enter the setup commands or copy files to the server.&lt;/p&gt;

&lt;p&gt;So, on the shell on your server, run&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;ifconfig
bge0: &lt;span class=&quot;nv&quot;&gt;flags&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;8843&amp;lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&amp;gt; metric 0 mtu 1500
	&lt;span class=&quot;nv&quot;&gt;options&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;c019b&amp;lt;RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE&amp;gt;
	ether XX:XX:XX:XX:XX:XX
	nd6 &lt;span class=&quot;nv&quot;&gt;options&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;29&amp;lt;PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL&amp;gt;
	media: Ethernet autoselect &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;1000baseT &amp;lt;full-duplex&amp;gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
	status: active
lo0: &lt;span class=&quot;nv&quot;&gt;flags&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;8049&amp;lt;UP,LOOPBACK,RUNNING,MULTICAST&amp;gt; metric 0 mtu 16384
	&lt;span class=&quot;nv&quot;&gt;options&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;600003&amp;lt;RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6&amp;gt;
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 &lt;span class=&quot;nv&quot;&gt;options&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;21&amp;lt;PERFORMNUD,AUTO_LINKLOCAL&amp;gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;to identify your network interface name. In my case it’s &lt;code class=&quot;highlighter-rouge&quot;&gt;bge0&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;And then:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;dhclient &amp;lt;your-network-interface-name&amp;gt;
DHCPDISCOVER on bge0 to 255.255.255.255 port 67 interval 8
DHCPOFFER from 192.168.1.1
DHCPREQUEST on bge0 to 255.255.255.255 port 67
DHCPACK from 192.168.1.1
bound to 192.168.1.45 &lt;span class=&quot;nt&quot;&gt;--&lt;/span&gt; renewal &lt;span class=&quot;k&quot;&gt;in &lt;/span&gt;21600 seconds.&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;to get an IPv4 address, in my case &lt;code class=&quot;highlighter-rouge&quot;&gt;192.168.1.45&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;If your LAN does not offer you an IP address via DHCP, run &lt;code class=&quot;highlighter-rouge&quot;&gt;man ifconfig&lt;/code&gt; and read up on how to configure a network card manually.&lt;/p&gt;

&lt;p&gt;Let’s say your server is now connected to your LAN and has an IPv4 address. We can now start an SSH daemon by running:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;mkdir /tmp/etc
mount_unionfs /tmp/etc /etc
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;PermitRootLogin yes&quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/ssh/sshd_config
passwd root
service sshd onestart&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;The root password you are asked to enter is just for the installer; it’s not the root password you will use later for your installation.&lt;/p&gt;

&lt;p&gt;Now to login to the installer image by running &lt;code class=&quot;highlighter-rouge&quot;&gt;ssh root@&amp;lt;ip-address-of-your-server&amp;gt;&lt;/code&gt; on your Mac or PC.&lt;/p&gt;

&lt;p&gt;This guide should also work if you enter all the commands on the command line yourself, but doing it over SSH is more convenient.&lt;/p&gt;

&lt;h1 id=&quot;identifying-your-disks&quot;&gt;Identifying your disks&lt;/h1&gt;

&lt;p&gt;Now let’s see which storage devices are connected to your server:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;camcontrol devlist
&amp;lt;VB0250EAVER HPG9&amp;gt;                 at scbus0 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;pass0,ada0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&amp;lt;VB0250EAVER HPG9&amp;gt;                 at scbus1 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;pass1,ada1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&amp;lt;ST4000VN000-1H4168 SC43&amp;gt;          at scbus2 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;pass2,ada2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&amp;lt;ST4000VN000-1H4168 SC43&amp;gt;          at scbus3 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;pass3,ada3&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&amp;lt;Sony USB Stick&amp;gt;                   at scbus6 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;pass4,da0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;In my case I have four hard disks and one USB stick (&lt;code class=&quot;highlighter-rouge&quot;&gt;da0&lt;/code&gt;)
We’ll create two zpools, one for the OS installation and for data.
In my case I’ll use the disks &lt;code class=&quot;highlighter-rouge&quot;&gt;ada0&lt;/code&gt; and &lt;code class=&quot;highlighter-rouge&quot;&gt;ada1&lt;/code&gt; for the OS and &lt;code class=&quot;highlighter-rouge&quot;&gt;ada2&lt;/code&gt; and &lt;code class=&quot;highlighter-rouge&quot;&gt;ada3&lt;/code&gt; for my data.&lt;/p&gt;

&lt;p&gt;The device names are probably different on your system. Please consult &lt;a href=&quot;https://www.freebsd.org/doc/handbook/disk-organization.html#basics-dev-codes&quot;&gt;FreeBSD Disk device names&lt;/a&gt; to find out how FreeBSD names attached storage devices.&lt;/p&gt;

&lt;h1 id=&quot;randomizing&quot;&gt;Randomizing&lt;/h1&gt;

&lt;p&gt;We will start by writing random data to the two operating system disks.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;dd &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/dev/random &lt;span class=&quot;nv&quot;&gt;of&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/dev/ada0 &lt;span class=&quot;nv&quot;&gt;bs&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;1m &amp;amp;
dd &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/dev/random &lt;span class=&quot;nv&quot;&gt;of&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/dev/ada1 &lt;span class=&quot;nv&quot;&gt;bs&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;1m&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;This will take a very long time, depending on how big your disks are.&lt;/p&gt;

&lt;h1 id=&quot;partitioning&quot;&gt;Partitioning&lt;/h1&gt;

&lt;p&gt;Now let’s start partitioning the disks. This is what the layout will look like in the end:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;| Hard Disk Device | Partition 1               | Partition 2                        |
-------------------------------------------------------------------------------------
| ada0             | ada0p1 freebsd-swap       | ada0p2 freebsd-zfs OS installation |
| ada1             | ada1p1 freebsd-swap       | ada1p2 freebsd-zfs OS installation |
-------------------------------------------------------------------------------------
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;As I said, we are going to store the bootcode, kernel and keyfiles on a USB stick, so there is no need for a boot partition.&lt;/p&gt;

&lt;p&gt;You might also notice that we’ll create separate swap partitions and won’t use a ZVOL for swap. &lt;a href=&quot;/2014/01/05/freebsd-10-does-swap-work-on-a-zvol/&quot;&gt;Here is why.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The next steps will destroy any data on your drives:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;To better understand the following commands it would be a good idea to read the manpage of gpart: &lt;code class=&quot;highlighter-rouge&quot;&gt;man gpart&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Clean the drives of existing partition tables:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;gpart destroy &lt;span class=&quot;nt&quot;&gt;-F&lt;/span&gt; ada0
gpart destroy &lt;span class=&quot;nt&quot;&gt;-F&lt;/span&gt; ada1&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;If you get a message like &lt;code class=&quot;highlighter-rouge&quot;&gt;gpart: arg0 'ada2': Invalid argument&lt;/code&gt;, that’s fine and you can ignore it. It just means that there was no partition table on the disk anyway.&lt;/p&gt;

&lt;p&gt;Create a GPT partition table on each disk:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;gpart create &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; gpt ada0
gpart create &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; gpt ada1&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Nowadays, disks (especially very large ones) use a sector format called “&lt;a href=&quot;http://en.wikipedia.org/wiki/Advanced_Format&quot;&gt;Advanced Format&lt;/a&gt;”. Long story short, even if you don’t have Advanced Format disks, we are going to align the partitions with 4K sectors. &lt;a href=&quot;http://savagedlight.me/2012/07/15/freebsd-zfs-advanced-format/&quot;&gt;This blog post&lt;/a&gt; explains it quite well in a ZFS/FreeBSD context.&lt;/p&gt;

&lt;p&gt;Next we are going to create the swap partition. You will have to choose how big your swap partition is going to be. I’ll create a swap partition of the same size as the memory I’m planning on having in the server, so I’ll choose 16GB. You might have different needs. &lt;a href=&quot;https://wiki.freebsd.org/SystemTuning#Swap&quot;&gt;https://wiki.freebsd.org/SystemTuning#Swap&lt;/a&gt; suggests the following:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Size swap space to approximately twice the size of main memory on systems with less than 4GB RAM and the size of main memory for systems with more than 4GB. If in doubt, allocate more swap; allocating insufficient swap is far worse than allocating too much. If the system has multiple disks, reduce swap I/O contention by spreading swap across the disks, ideally in equally sized partitions.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;We are using labels so we can more easily replace hardware later.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;gpart add &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; swap0 &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; freebsd-swap &lt;span class=&quot;nt&quot;&gt;-a&lt;/span&gt; 1m &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; 16G ada0 &lt;span class=&quot;c&quot;&gt;# start at 4096 * 256 byte&lt;/span&gt;
gpart add &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; swap1 &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; freebsd-swap &lt;span class=&quot;nt&quot;&gt;-a&lt;/span&gt; 1m &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; 16G ada1 &lt;span class=&quot;c&quot;&gt;# start at 4096 * 256 byte&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Now for the OS partition. Because I still have a few spare 160GB drives, I’m only going to use 140GB for the OS partition, so that if one of the current disks fails, I can easily replace it with one of my 160GB spares.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;gpart add &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; zroot0 &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; 140G &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; freebsd-zfs ada0 &lt;span class=&quot;c&quot;&gt;# only use 140GB&lt;/span&gt;
gpart add &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; zroot1 &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; 140G &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; freebsd-zfs ada1 &lt;span class=&quot;c&quot;&gt;# only use 140GB&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;If you want to use all the remaining space on your disks (&lt;strong&gt;which is what I would normally do&lt;/strong&gt;), run this instead:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;gpart add &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; zroot0 &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; freebsd-zfs ada0 &lt;span class=&quot;c&quot;&gt;# use the whole remaining space&lt;/span&gt;
gpart add &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; zroot1 &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; freebsd-zfs ada1 &lt;span class=&quot;c&quot;&gt;# use the whole remaining space&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;What have we done?&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@:~ &lt;span class=&quot;c&quot;&gt;# gpart show ada0&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&amp;gt;&lt;/span&gt;       34  390721901  ada0  GPT  &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;186G&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
         34       2014        - free -  &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;1.0M&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
       2048   33554432     1  freebsd-swap  &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;16G&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
   33556480  293601280     2  freebsd-zfs  &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;140G&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
  327157760   63564175        - free -  &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;30G&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;

root@:~ &lt;span class=&quot;c&quot;&gt;#  gpart show ada1&lt;/span&gt;
&lt;span class=&quot;o&quot;&gt;=&amp;gt;&lt;/span&gt;       34  488397101  ada1  GPT  &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;233G&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
         34       2014        - free -  &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;1.0M&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
       2048   33554432     1  freebsd-swap  &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;16G&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
   33556480  454840655     2  freebsd-zfs  &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;217G&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;We will come back to the two empty data disks later.&lt;/p&gt;

&lt;h1 id=&quot;swap-raid-1&quot;&gt;SWAP Raid 1&lt;/h1&gt;

&lt;p&gt;Since we have two OS disks that…&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;kldload geom_mirror
gmirror label &lt;span class=&quot;nt&quot;&gt;-b&lt;/span&gt; load &lt;span class=&quot;nt&quot;&gt;-F&lt;/span&gt; swap /dev/gpt/swap0 /dev/gpt/swap1&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h1 id=&quot;encryption&quot;&gt;Encryption&lt;/h1&gt;

&lt;p&gt;We are going to use GELI for the encryption. Basically it will encrypt each sector transparently. ZFS itself doesn’t know it is being encrypted:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;| ZFS                |
| GELI Encryption    | 
| Physical Hard Disk |
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h2 id=&quot;preparation&quot;&gt;Preparation&lt;/h2&gt;

&lt;p&gt;Load the kernel modules that are needed for GEOM and ZFS:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;kldload opensolaris
kldload zfs
kldload geom_eli&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h2 id=&quot;swap&quot;&gt;Swap&lt;/h2&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;geli onetime &lt;span class=&quot;nt&quot;&gt;-d&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;-e&lt;/span&gt; AES-XTS &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; 256 &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; 4096 /dev/mirror/swap&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h2 id=&quot;operating-system-partitions&quot;&gt;Operating System Partitions&lt;/h2&gt;

&lt;p&gt;Insert the USB stick that you plan to use as a boot device. Mine is da1.
You will usually see some debug output about the just-connected USB stick on the server shell (not via SSH). It should also show the device name.&lt;/p&gt;

&lt;p&gt;But you can always check your devices again with:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;camcontrol devlist
&amp;lt;VB0250EAVER HPG9&amp;gt;                 at scbus0 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;pass0,ada0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&amp;lt;VB0250EAVER HPG9&amp;gt;                 at scbus1 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;pass1,ada1&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&amp;lt;ST4000VN000-1H4168 SC43&amp;gt;          at scbus2 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;pass2,ada2&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&amp;lt;ST4000VN000-1H4168 SC43&amp;gt;          at scbus3 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;pass3,ada3&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&amp;lt;Sony USB Stick&amp;gt;                   at scbus6 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;pass4,da0&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&amp;lt;Sony USB Stick&amp;gt;                   at scbus7 target 0 lun 0 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;da1,pass5&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Create the boot partition and install bootcode:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;gpart destroy &lt;span class=&quot;nt&quot;&gt;-F&lt;/span&gt; da1
gpart create &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; gpt da1

gpart add &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; gptboot0 &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; 512k &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; freebsd-boot da1

gpart bootcode &lt;span class=&quot;nt&quot;&gt;-b&lt;/span&gt; /boot/pmbr &lt;span class=&quot;nt&quot;&gt;-p&lt;/span&gt; /boot/gptzfsboot &lt;span class=&quot;nt&quot;&gt;-i&lt;/span&gt; 1 da1&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Let’s create the ZFS partition and boot pool:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;gpart add &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; boot0 &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; freebsd-zfs da1

mkdir &lt;span class=&quot;nt&quot;&gt;-p&lt;/span&gt; /tmp/mnt/bootpool

zpool create &lt;span class=&quot;nt&quot;&gt;-m&lt;/span&gt; /tmp/mnt/bootpool bootpool /dev/gpt/boot0

mkdir &lt;span class=&quot;nt&quot;&gt;-p&lt;/span&gt; /tmp/mnt/bootpool/boot/zfs

mount_nullfs /tmp/mnt/bootpool/boot/zfs /boot/zfs&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Create OS encryption key:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;mkdir /tmp/mnt/bootpool/boot/keys
dd &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/dev/random &lt;span class=&quot;nv&quot;&gt;of&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/tmp/mnt/bootpool/boot/keys/zroot_encryption.key &lt;span class=&quot;nv&quot;&gt;bs&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;64 &lt;span class=&quot;nv&quot;&gt;count&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;1&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Encrypt OS disks:&lt;/p&gt;

&lt;p&gt;Choosing your password &lt;a href=&quot;http://security.stackexchange.com/questions/25375/why-not-use-larger-cipher-keys/25392#25392&quot;&gt;how long&lt;/a&gt;&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;mkdir /tmp/mnt/bootpool/boot/metadata_backup

geli init &lt;span class=&quot;nt&quot;&gt;-b&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; 4096 &lt;span class=&quot;nt&quot;&gt;-e&lt;/span&gt; AES-XTS &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; 256 &lt;span class=&quot;nt&quot;&gt;-K&lt;/span&gt; /tmp/mnt/bootpool/boot/keys/zroot_encryption.key &lt;span class=&quot;nt&quot;&gt;-B&lt;/span&gt; /tmp/mnt/bootpool/boot/metadata_backup/ada0p2.eli /dev/ada0p2
geli init &lt;span class=&quot;nt&quot;&gt;-b&lt;/span&gt; &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; 4096 &lt;span class=&quot;nt&quot;&gt;-e&lt;/span&gt; AES-XTS &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; 256 &lt;span class=&quot;nt&quot;&gt;-K&lt;/span&gt; /tmp/mnt/bootpool/boot/keys/zroot_encryption.key &lt;span class=&quot;nt&quot;&gt;-B&lt;/span&gt; /tmp/mnt/bootpool/boot/metadata_backup/ada1p2.eli /dev/ada1p2&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;geli attach &lt;span class=&quot;nt&quot;&gt;-k&lt;/span&gt; /tmp/mnt/bootpool/boot/keys/zroot_encryption.key /dev/ada0p2
geli attach &lt;span class=&quot;nt&quot;&gt;-k&lt;/span&gt; /tmp/mnt/bootpool/boot/keys/zroot_encryption.key /dev/ada1p2&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h1 id=&quot;zfs-zroot-pool&quot;&gt;ZFS zroot pool&lt;/h1&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;mkdir &lt;span class=&quot;nt&quot;&gt;-p&lt;/span&gt; /tmp/mnt/zroot

zpool create &lt;span class=&quot;nt&quot;&gt;-m&lt;/span&gt; none zroot mirror /dev/ada0p2.eli /dev/ada1p2.eli

zfs &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;checksum&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;on zroot
zfs &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;atime&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off zroot
zfs create zroot/ROOT
zfs create &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/tmp/mnt/zroot zroot/ROOT/default&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;because the eli devices have a sector size of 4096, zpool create automatically uses ashift=12&lt;/p&gt;

&lt;p&gt;check it with &lt;code class=&quot;highlighter-rouge&quot;&gt;zdb&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Remount boot pool:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;umount /boot/zfs
umount /tmp/mnt/bootpool

mkdir /tmp/mnt/zroot/bootpool
zfs &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/tmp/mnt/zroot/bootpool bootpool
zfs mount bootpool

mount_nullfs /tmp/mnt/zroot/bootpool/boot/zfs /boot/zfs&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Mounts should look like:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;root@:~ &lt;span class=&quot;c&quot;&gt;# mount&lt;/span&gt;
/dev/iso9660/FREEBSD_INSTALL on / &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;cd9660, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;, read-only&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
devfs on /dev &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;devfs, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;, multilabel&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
/dev/md0 on /var &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;ufs, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
/dev/md1 on /tmp &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;ufs, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
&amp;lt;above&amp;gt;:/tmp/etc on /etc &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;unionfs, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
zroot/ROOT/default on /tmp/mnt/zroot &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;zfs, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;, nfsv4acls&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
bootpool on /tmp/mnt/zroot/bootpool &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;zfs, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;, nfsv4acls&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
/tmp/mnt/zroot/bootpool/boot/zfs on /boot/zfs &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;nullfs, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h1 id=&quot;zfs-zroot-filesystems&quot;&gt;ZFS zroot filesystems&lt;/h1&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;zfs create &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/tmp/mnt/zroot/tmp &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;compression&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;lz4 &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;exec&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;on &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;setuid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off zroot/tmp
chmod 1777 /tmp/mnt/zroot/tmp

zfs create &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/tmp/mnt/zroot/usr &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;canmount&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off zroot/usr

zfs create zroot/usr/home
&lt;span class=&quot;nb&quot;&gt;cd&lt;/span&gt; /tmp/mnt/zroot&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; ln &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; /usr/home home

zfs create &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;compression&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;lz4 &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;setuid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off zroot/usr/ports
zfs create &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;compression&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;lz4 &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;exec&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;setuid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off zroot/usr/src

zfs create &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/tmp/mnt/zroot/var zroot/var
zfs create &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;compression&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;lz4 &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;exec&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;setuid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off zroot/var/crash
zfs create &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;compression&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;lz4 &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;exec&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;setuid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off zroot/var/log

zfs create &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;compression&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;lz4 &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;atime&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;on zroot/var/mail

zfs create &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;compression&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;lz4 &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;exec&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;on &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;setuid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off zroot/var/tmp
chmod 1777 /tmp/mnt/zroot/var/tmp&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h1 id=&quot;installing-the-base-system&quot;&gt;Installing the base system&lt;/h1&gt;

&lt;p&gt;Available packages:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;ls&lt;/span&gt; /usr/freebsd-dist/
MANIFEST    base.txz    doc.txz     games.txz   kernel.txz  lib32.txz   ports.txz   src.txz   &lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;cd&lt;/span&gt; /tmp/mnt/zroot

unxz &lt;span class=&quot;nt&quot;&gt;-c&lt;/span&gt; /usr/freebsd-dist/base.txz | &lt;span class=&quot;nb&quot;&gt;tar &lt;/span&gt;xpf -
unxz &lt;span class=&quot;nt&quot;&gt;-c&lt;/span&gt; /usr/freebsd-dist/kernel.txz | &lt;span class=&quot;nb&quot;&gt;tar &lt;/span&gt;xpf -
unxz &lt;span class=&quot;nt&quot;&gt;-c&lt;/span&gt; /usr/freebsd-dist/src.txz | &lt;span class=&quot;nb&quot;&gt;tar &lt;/span&gt;xpf -
unxz &lt;span class=&quot;nt&quot;&gt;-c&lt;/span&gt; /usr/freebsd-dist/ports.txz | &lt;span class=&quot;nb&quot;&gt;tar &lt;/span&gt;xpf -&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Now let’s chroot into the new system:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;chroot /tmp/mnt/zroot&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Setup /boot:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;cd&lt;/span&gt; /
rm &lt;span class=&quot;nt&quot;&gt;-r&lt;/span&gt; boot/zfs
mv boot/&lt;span class=&quot;k&quot;&gt;*&lt;/span&gt; bootpool/boot/
rm &lt;span class=&quot;nt&quot;&gt;-r&lt;/span&gt; boot
ln &lt;span class=&quot;nt&quot;&gt;-sf&lt;/span&gt; bootpool/boot &lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;And an initial /boot/loader.conf that will load ZFS, encryption and settings for encrypted disks on boot:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'zfs_load=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'aesni_load=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'geom_mirror_load=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'geom_eli_load=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'geli_ada0p2_keyfile0_load=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'geli_ada0p2_keyfile0_type=&quot;ada0p2:geli_keyfile0&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'geli_ada0p2_keyfile0_name=&quot;/boot/keys/zroot_encryption.key&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'geli_ada1p2_keyfile0_load=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'geli_ada1p2_keyfile0_type=&quot;ada1p2:geli_keyfile0&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'geli_ada1p2_keyfile0_name=&quot;/boot/keys/zroot_encryption.key&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'vfs.root.mountfrom=&quot;zfs:zroot/ROOT/default&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'zpool_cache_load=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'zpool_cache_type=&quot;/boot/zfs/zpool.cache&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'zpool_cache_name=&quot;/boot/zfs/zpool.cache&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /boot/loader.conf&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Set root password:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;passwd root&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Set timezone:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;tzsetup&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Setup /etc/rc.conf&lt;/p&gt;

&lt;p&gt;Create file and enable ZFS:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'zfs_enable=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; /etc/rc.conf&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Set keymap:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;kbdmap&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Select your keymap and then write the output to /etc/rc.conf&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'keymap=&quot;german.iso.kbd&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/rc.conf&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Set hostname:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;HOSTNAME&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&amp;lt;name-of-your-host&amp;gt;
&lt;span class=&quot;nb&quot;&gt;echo &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;hostname&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$HOSTNAME&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/rc.conf
hostname &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;$HOSTNAME&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Setup services. This is how I did it; you can change the ‘YES’ to ‘NO’ if you don’t want a service to be running on boot:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'sshd_enable=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/rc.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'moused_enable=&quot;NO&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/rc.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'ntpd_enable=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/rc.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'powerd_enable=&quot;YES&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/rc.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'dumpdev=&quot;NO&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/rc.conf&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Setup network:&lt;/p&gt;

&lt;p&gt;Again I assume that you have DHCP for IPv4 and router advertisements for IPv6.
Don’t forget to use the correct device name, in my case bge0:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'ifconfig_bge0=&quot;DHCP&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/rc.conf
&lt;span class=&quot;nb&quot;&gt;echo&lt;/span&gt; &lt;span class=&quot;s1&quot;&gt;'ifconfig_bge0_ipv6=&quot;inet6 accept_rtadv&quot;'&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/rc.conf&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Setup mail:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;cd&lt;/span&gt; /etc/mail
make aliases&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Setup /etc/fstab&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;# Device&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\t\t&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;Mountpoint&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\t&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;FStype&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\t&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;Options&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\t\t&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;Dump&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\t&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;Pass#&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; /etc/fstab
&lt;span class=&quot;nb&quot;&gt;printf&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;/dev/mirror/swap.eli&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\t\t&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;none&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\t&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;swap&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\t&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;sw&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\t\t&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\t&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/fstab&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Exit chroot:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;exit&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Unmount filesystems:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;cd&lt;/span&gt; /
umount /boot/zfs
zfs unmount &lt;span class=&quot;nt&quot;&gt;-a&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Setup ZFS mountpoints&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;zfs &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;legacy zroot/ROOT/default
zfs &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/tmp zroot/tmp
zfs &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/usr zroot/usr
zfs &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/var zroot/var
zfs &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/bootpool bootpool&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h1 id=&quot;reboot-into-the-new-system&quot;&gt;Reboot into the new system&lt;/h1&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;reboot&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;h1 id=&quot;creating-a-backup-boot-usb-stick&quot;&gt;Creating a backup boot USB stick&lt;/h1&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;gpart destroy &lt;span class=&quot;nt&quot;&gt;-F&lt;/span&gt; da1
gpart create &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; gpt da1

gpart add &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; gptboot0 &lt;span class=&quot;nt&quot;&gt;-s&lt;/span&gt; 512k &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; freebsd-boot da1
gpart bootcode &lt;span class=&quot;nt&quot;&gt;-b&lt;/span&gt; /boot/pmbr &lt;span class=&quot;nt&quot;&gt;-p&lt;/span&gt; /boot/gptzfsboot &lt;span class=&quot;nt&quot;&gt;-i&lt;/span&gt; 1 da1

gpart add &lt;span class=&quot;nt&quot;&gt;-l&lt;/span&gt; boot0 &lt;span class=&quot;nt&quot;&gt;-t&lt;/span&gt; freebsd-zfs da1

mkdir /mnt/boot
cp &lt;span class=&quot;nt&quot;&gt;-r&lt;/span&gt; /bootpool/boot/&lt;span class=&quot;k&quot;&gt;*&lt;/span&gt; /mnt/boot/

zpool &lt;span class=&quot;nb&quot;&gt;export &lt;/span&gt;bootpool

mkdir /mnt/newbootpool
zpool create &lt;span class=&quot;nt&quot;&gt;-m&lt;/span&gt; /mnt/newbootpool bootpool /dev/da1p2

&lt;span class=&quot;nb&quot;&gt;cd&lt;/span&gt; /mnt/newbootpool
mv /mnt/boot &lt;span class=&quot;nb&quot;&gt;.&lt;/span&gt;

&lt;span class=&quot;nb&quot;&gt;cd
&lt;/span&gt;zfs unmount bootpool
zfs &lt;span class=&quot;nb&quot;&gt;set &lt;/span&gt;&lt;span class=&quot;nv&quot;&gt;mountpoint&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/bootpool bootpool&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

</description>
        <pubDate>Tue, 07 Jan 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/01/07/zfs-full-disk-encryption-with-freebsd-10-part-2/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/01/07/zfs-full-disk-encryption-with-freebsd-10-part-2/</guid>
      </item>
    
      <item>
        <title>SSH exchange identification: Connection closed by remote host</title>
        <description>&lt;p&gt;When trying to connect to a remote server, you may sometimes get:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;SSH exchange identification: Connection closed by remote host&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;This might indicate an ongoing brute force attack against your server (&lt;em&gt;although there are several other reasons for that error message&lt;/em&gt;).&lt;/p&gt;

&lt;p&gt;If you have other means to get a shell on your server, you can check if a brute force attack is happening by tailing &lt;code class=&quot;highlighter-rouge&quot;&gt;/var/log/auth.log&lt;/code&gt;&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;tail &lt;span class=&quot;nt&quot;&gt;-f&lt;/span&gt; /var/log/auth.log
Jan  7 00:57:57 hostname sshd[10654]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:57:57 hostname sshd[10655]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:57:58 hostname sshd[10656]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:57:59 hostname sshd[10657]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:57:59 hostname sshd[10639]: Failed password &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;root from 59.63.167.174 port 53081 ssh2
Jan  7 00:58:00 hostname sshd[10658]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:00 hostname sshd[10659]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:01 hostname sshd[10662]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:01 hostname sshd[10663]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:01 hostname sshd[10639]: Failed password &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;root from 59.63.167.174 port 53081 ssh2
Jan  7 00:58:01 hostname sshd[10639]: Disconnecting: Too many authentication failures &lt;span class=&quot;k&quot;&gt;for &lt;/span&gt;root &lt;span class=&quot;o&quot;&gt;[&lt;/span&gt;preauth]
Jan  7 00:58:01 hostname sshd[10639]: PAM 5 more authentication failures&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;logname&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;uid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0 &lt;span class=&quot;nv&quot;&gt;euid&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;0 &lt;span class=&quot;nv&quot;&gt;tty&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;ssh &lt;span class=&quot;nv&quot;&gt;ruser&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;rhost&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;59.63.167.174  &lt;span class=&quot;nv&quot;&gt;user&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;root
Jan  7 00:58:01 hostname sshd[10639]: PAM service&lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;sshd&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt; ignoring max retries&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; 6 &lt;span class=&quot;o&quot;&gt;&amp;gt;&lt;/span&gt; 3
Jan  7 00:58:02 hostname sshd[10665]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:06 hostname sshd[10666]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:07 hostname sshd[10668]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:08 hostname sshd[10669]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:13 hostname sshd[10689]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:14 hostname sshd[10692]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:19 hostname sshd[10695]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:25 hostname sshd[10697]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:31 hostname sshd[10699]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:37 hostname sshd[10716]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:42 hostname sshd[10730]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
Jan  7 00:58:48 hostname sshd[10732]: refused connect from 59.63.167.174 &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;59.63.167.174&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;In my case the IP &lt;code class=&quot;highlighter-rouge&quot;&gt;59.63.167.174&lt;/code&gt; tried to crack my root user’s password by brute force, which of course wouldn’t have worked anyway as you should never permit root login over SSH.&lt;/p&gt;

&lt;p&gt;We have mostly Debian or Ubuntu servers in production, and we usually install the package &lt;code class=&quot;highlighter-rouge&quot;&gt;denyhosts&lt;/code&gt;, which can stop this kind of attack by automatically adding the offender’s IP address to &lt;code class=&quot;highlighter-rouge&quot;&gt;/etc/hosts.deny&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Somehow that was forgotten during setup . . .&lt;/p&gt;

&lt;p&gt;A simple &lt;code class=&quot;highlighter-rouge&quot;&gt;sudo apt-get install denyhosts&lt;/code&gt; stopped the attack, and I no longer get &lt;code class=&quot;highlighter-rouge&quot;&gt;SSH exchange identification: Connection closed by remote host&lt;/code&gt; when trying to connect.&lt;/p&gt;

&lt;p&gt;&lt;img style=&quot;display: block; margin: 40px auto 0 auto; max-width: 300px&quot; src=&quot;/assets/posts/2014-01-07-ssh-exchange-identification-connection-closed-by-remote-host/gonnahack.jpg&quot; /&gt;&lt;/p&gt;

</description>
        <pubDate>Tue, 07 Jan 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/01/07/ssh-exchange-identification-connection-closed-by-remote-host/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/01/07/ssh-exchange-identification-connection-closed-by-remote-host/</guid>
      </item>
    
      <item>
        <title>ZFS Full Disk Encryption with FreeBSD 10 - Part 1</title>
        <description>&lt;p&gt;From the day I started using my first laptop, I became an &lt;em&gt;only one computer&lt;/em&gt; guy.&lt;br /&gt;
All data worth keeping was stored on that laptop (and the ones that followed).&lt;/p&gt;

&lt;p&gt;I didn’t like the idea of spreading my data over multiple machines like a home computer, an office computer and of course the laptop.&lt;br /&gt;
Having your data on only one machine makes backups simple, you always have your data with you, and you never loose control over your data as long as you keep your laptop nearby.&lt;/p&gt;

&lt;p&gt;Well, I did diverge a bit from that philosophy and started using &lt;a href=&quot;http://www.dropbox.com&quot;&gt;Dropbox&lt;/a&gt; to share files with colleagues and friends.&lt;/p&gt;

&lt;p&gt;There is of course one problem with using only a laptop to store your data: you are pretty limited in your storage size.&lt;/p&gt;

&lt;p&gt;I currently have a Retina MacBook Pro with a 512GB SSD drive that I use for my private data (gigabytes of photos and music) and professional development work, and I also have multiple virtual machines for testing and developing our software with different operating systems. So I usually keep on that Macbook only data that I cannot easily reproduce, and happily delete everything else.&lt;/p&gt;

&lt;h1 id=&quot;home-nas&quot;&gt;Home NAS&lt;/h1&gt;

&lt;p&gt;Anyhow, I need more storage space and decided to get myself a home NAS system. But that means that I will now have another system that I don’t always have with me, one that might get stolen or be accessed by someone else while I’m not around.&lt;/p&gt;

&lt;p&gt;So I need a system that securely encrypts all data at rest, which I can trust to contain no backdoors, and for which security vulnerabilities are timely published and fixed.&lt;/p&gt;

&lt;p&gt;Because of the recent NSA revelations and news like &lt;a href=&quot;https://news.ycombinator.com/item?id=6997159&quot;&gt;Backdoor found in Linksys, Netgear Routers&lt;/a&gt; and &lt;a href=&quot;http://yro.slashdot.org/story/13/10/03/1324222/lavabit-case-unsealed-fbi-demands-companies-secretly-turn-over-crypto-keys&quot;&gt;Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys&lt;/a&gt;, I don’t trust commercial closed source NAS solutions and went the DIY open source route.&lt;/p&gt;

&lt;p&gt;I’d normally only run Linux on my servers, but in this case I’m going to opt for FreeBSD for three reasons:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Being able to use &lt;a href=&quot;http://en.wikipedia.org/wiki/ZFS&quot;&gt;ZFS&lt;/a&gt; as the storage system. While in the Linux world we have Btrfs, it’s not yet considered stable (a coworker of mine experienced data loss first hand). There is also ZFS on Linux, but I’m not sure how stable it is and ZFS on FreeBSD is part of the OS.&lt;/li&gt;
  &lt;li&gt;I like the FreeBSD philosophy of developing the whole base operating system in tandem with the kernel.&lt;/li&gt;
  &lt;li&gt;I have never used FreeBSD before (aside from OS X) and would like to take the opportunity to get more familiar with it.&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;hardware&quot;&gt;Hardware&lt;/h1&gt;

&lt;p&gt;After doing some research I found the &lt;a href=&quot;http://www8.hp.com/us/en/products/proliant-servers/index.html#!view=grid&amp;amp;page=1&quot;&gt;HP ProLiant MicroServer&lt;/a&gt; line of servers. They are well-built, really inexpensive little machines.&lt;/p&gt;

&lt;p&gt;I opted for the slightly older HP ProLiant MicroServer G7 N54L with 2GB ECC RAM - upgradeable to 16GB. The MicroServer came with a &lt;a href=&quot;http://www.seagate.com/staticfiles/support/disc/manuals/desktop/Barracuda%207200.12/100529369b.pdf&quot;&gt;Seagate Barracuda 7200.12&lt;/a&gt; 250GB drive and three additional drive slots.&lt;/p&gt;

&lt;p&gt;While not having any hardware encryption accelerators (which might have their &lt;a href=&quot;http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/&quot;&gt;own problems&lt;/a&gt;) it’s a nice and very cheap machine.&lt;/p&gt;

&lt;p&gt;I’m getting started with a four-disk setup, which I can later expand to a six-disk setup by installing:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.amazon.de/gp/product/B00AWN8ILI/ref=oh_details_o00_s01_i01?ie=UTF8&amp;amp;psc=1&quot;&gt;a 5.25” Bay Extension Frame&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;a PCIe SATA card. &lt;a href=&quot;http://www.sybausa.com/productInfo.php?iid=1397&quot;&gt;Those&lt;/a&gt; &lt;a href=&quot;http://www.amazon.co.uk/Transcend-Information-TS-PDC3-Combo-Interface/dp/B0056TYT66&quot;&gt;two&lt;/a&gt; cards should fit and have the added benefit of two external USB3 ports.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The four-disk setup looks like this:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;MicroServer Bay 1: Operating System - 3.5” 250GB 7200RPM HDD&lt;/li&gt;
  &lt;li&gt;MicroServer Bay 2: Operating System - 2.5” 200GB 7200RPM HDD&lt;/li&gt;
  &lt;li&gt;MicroServer Bay 3: Data - 3.5” 4TB NAS HDD&lt;/li&gt;
  &lt;li&gt;MicroServer Bay 4: Data - 3.5” 4TB NAS HDD&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I already had the 2.5” 200GB drive lying around and wanted to reuse it, so I printed a custom 2.5” to 3.5” adapter on our &lt;a href=&quot;http://printrbot.com&quot;&gt;Printrbot&lt;/a&gt;. Don’t bother buying a 2.5” to 3.5” mounting frame as it won’t position the 2.5” disk to fit the connector of the drive bay in the MicroServer.&lt;/p&gt;

&lt;p&gt;For the 4TB disks, the Seagate ST4000VN000 and WD Red series both seem like good choices.&lt;/p&gt;

&lt;p&gt;In case of running low on storage, I’d move the two smaller OS disks to the 5.25” bay and install an additional PCIe SATA card as well as two more 4TB drives.&lt;/p&gt;

&lt;p&gt;While the MicroServer could on its own support six drives by using a &lt;a href=&quot;http://n40l.wikia.com/wiki/Bios&quot;&gt;hacked BIOS&lt;/a&gt;, I prefer not to go that way. I want to be able to use the latest original HP BIOS and not have any unexpected problems due to running unsupported code.&lt;/p&gt;

&lt;p&gt;So the six-disk setup would look like this:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;5.25” Bay Extension Slot A: Operating System - 3.5” 250GB 7200RPM HDD&lt;/li&gt;
  &lt;li&gt;5.25” Bay Extension Slot B: Operating System - 2.5” 200GB 7200RPM HDD&lt;/li&gt;
  &lt;li&gt;MicroServer Bay 1: Data - 3.5” 4TB NAS HDD&lt;/li&gt;
  &lt;li&gt;MicroServer Bay 2: Data - 3.5” 4TB NAS HDD&lt;/li&gt;
  &lt;li&gt;MicroServer Bay 3: Data - 3.5” 4TB NAS HDD&lt;/li&gt;
  &lt;li&gt;MicroServer Bay 4: Data - 3.5” 4TB NAS HDD&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The first thing I’m probably gonna upgrade later is the RAM. Officially the MicroServer N54L only supports 8GB of ECC RAM, but others seem to have no problems with running 16GB ECC as well.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A short word about ECC RAM: while non-ECC RAM would be cheaper and is also supported, don’t use it if you are running ZFS or &lt;a href=&quot;http://forums.freenas.org/threads/ecc-vs-non-ecc-ram-and-zfs.15449/&quot;&gt;you might lose your data&lt;/a&gt;!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I also bought four different USB sticks from three different brands that will store the bootloader, kernel and keyfiles, but more about that later. The smallest sticks I could get were 8GB, but much smaller ones would have been OK too.&lt;/p&gt;

&lt;h1 id=&quot;setup&quot;&gt;Setup&lt;/h1&gt;

&lt;blockquote&gt;
  &lt;p&gt;It’s All About the Software, Baby!&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Let’s finally talk about the setup, but first I’d like to note the blog posts that I based this guide on:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.dan.me.uk/blog/2012/05/06/full-disk-encryption-with-zfs-root-for-freebsd-9-x/&quot;&gt;Full Disk Encryption (with ZFS root) for FreeBSD 9.x&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://forums.freebsd.org/viewtopic.php?&amp;amp;t=2775&quot;&gt;HOWTO: GELI+ZFS for whole system inc. root with boot from USB stick&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://calomel.org/zfs_freebsd_root_install.html&quot;&gt;FreeBSD ZFS Root Install Script&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://daemonforums.org/showthread.php?t=7099&quot;&gt;HOWTO: FreeBSD ZFS Madness&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://wiki.freebsd.org/RootOnZFS/GPTZFSBoot&quot;&gt;FreeBSD Wiki&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://web.mr-happy.com/hackstuff/FreeBSD-ZFS.php&quot;&gt;ZFS-Only FreeBSD&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://daemon-notes.com/articles/system/encryption&quot;&gt;Encrypted FreeBSD&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I’m probably going to mention the HP ProLiant MicroServer a few times, and some small details might be specific to my setup, but in general this guide should work on most machines.&lt;/p&gt;

&lt;p&gt;I’m aware that there are solutions like &lt;a href=&quot;http://www.freenas.org&quot;&gt;FreeNAS&lt;/a&gt; or &lt;a href=&quot;http://www.nas4free.org&quot;&gt;Nas4Free&lt;/a&gt;, but I prefer setting things up myself and having the latest FreeBSD version.&lt;/p&gt;

&lt;h2 id=&quot;the-plan&quot;&gt;The Plan&lt;/h2&gt;

&lt;p&gt;The plan is to have two zpools:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;highlighter-rouge&quot;&gt;zroot&lt;/code&gt; for the FreeBSD OS installation on the two smaller disks&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;highlighter-rouge&quot;&gt;zdata&lt;/code&gt; the pool I will use for storing my data (the whole reason I’m doing this setup)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Both &lt;code class=&quot;highlighter-rouge&quot;&gt;zroot&lt;/code&gt; and &lt;code class=&quot;highlighter-rouge&quot;&gt;zdata&lt;/code&gt; will be encrypted using 256-bit AES-XTS with GELI.&lt;br /&gt;
There will be no unencrypted data anywhere in the server, but we will create an unencrypted USB stick that contains &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot&lt;/code&gt; and the keyfiles that will be part of the passphrase to unlock the encrypted partitions.&lt;/p&gt;

&lt;p&gt;The idea is that we create a two-factor-authentication: &lt;em&gt;something you know and something you have&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;If you want to boot the server and decrypt the disk contents, you have know your passphrase, as well as have the USB stick.&lt;/p&gt;

&lt;p&gt;Without the USB stick or the passphrase, the disks cannot be decrypted. Because of that we will later create multiple backups of the USB stick, so if one gets broken, we have a backup.&lt;/p&gt;

&lt;p&gt;Of course you now have the problem of securely storing the USB sticks. But even if an attacker steals the USB stick from you, or you forget to remove it after booting, the server is still protected by the passphrase.&lt;/p&gt;

&lt;p&gt;The alternative would be to create a bootable partition on the OS disks and only protect the server with a passphrase. In that case you can just use the standard FreeBSD 10 installer and the automatic ZFS partitioning guide.&lt;/p&gt;

&lt;p&gt;So what will the disk layout look like?&lt;/p&gt;

&lt;p&gt;I’ll use the two smaller drives in a mirrored configuration for &lt;code class=&quot;highlighter-rouge&quot;&gt;zroot&lt;/code&gt; and the two 4TB drives, also in a mirrored configuration, for &lt;code class=&quot;highlighter-rouge&quot;&gt;zdata&lt;/code&gt;.&lt;br /&gt;
&lt;a href=&quot;http://constantin.glez.de/blog/2010/01/home-server-raid-greed-and-why-mirroring-still-best&quot;&gt;Here is a very good writeup&lt;/a&gt; on why it might be a better idea to use zmirror than zraid.&lt;/p&gt;

&lt;p&gt;To find out more about the FreeBSD boot process on ZFS, have a look at:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;a href=&quot;/2014/01/05/how-freebsd-boots-on-zfs/&quot;&gt;How FreeBSD Boots on ZFS&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h1 id=&quot;part-2&quot;&gt;Part 2&lt;/h1&gt;

&lt;p&gt;You will be able to find the actual install process in &lt;a href=&quot;/2014/01/07/zfs-full-disk-encryption-with-freebsd-10-part-2/&quot;&gt;part two of this blog post&lt;/a&gt;.&lt;/p&gt;

</description>
        <pubDate>Mon, 06 Jan 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/01/06/zfs-full-disk-encryption-with-freebsd-10-part-1/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/01/06/zfs-full-disk-encryption-with-freebsd-10-part-1/</guid>
      </item>
    
      <item>
        <title>How FreeBSD Boots on ZFS</title>
        <description>&lt;h1 id=&quot;uefi&quot;&gt;UEFI&lt;/h1&gt;

&lt;p&gt;Because FreeBSD UEFI support is not &lt;em&gt;&lt;a href=&quot;FreeBSDUEFI&quot;&gt;yet&lt;/a&gt;&lt;/em&gt; finished, the following will only describe how FreeBSD boots on a BIOS-based machine.&lt;br /&gt;
For more information on UEFI booting on FreeBSD look &lt;a href=&quot;https://wiki.freebsd.org/UEFI&quot;&gt;here&lt;/a&gt;, and for information on UEFI in general &lt;a href=&quot;http://wiki.osdev.org/UEFI&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;h1 id=&quot;bios-based-system&quot;&gt;BIOS-Based System&lt;/h1&gt;

&lt;p&gt;On a BIOS-based system, the BIOS tries to find the MBR in the first 512 bytes of the installed hard disks.
On the first hard disk where it finds an MBR it will start to execute the MBR’s boot code. The BIOS usually identifies the MBR by a special boot signature at the end of the MBR. More about that &lt;a href=&quot;http://en.wikipedia.org/wiki/Master_boot_record&quot;&gt;on Wikipedia&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The different MBRs available in FreeBSD are:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;http://svnweb.freebsd.org/base/releng/10.0/sys/boot/i386/boot0/boot0.S?revision=259065&amp;amp;view=markup&quot;&gt;/boot/boot0&lt;/a&gt;: MBR with boot menu&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://svnweb.freebsd.org/base/releng/10.0/sys/boot/i386/mbr/mbr.s?view=markup&quot;&gt;/boot/mbr&lt;/a&gt;: MBR that just boots the active partition&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://svnweb.freebsd.org/base/releng/10.0/sys/boot/i386/pmbr/pmbr.s?view=markup&quot;&gt;/boot/pmbr&lt;/a&gt;: a protective MBR that’s part of a GPT-based disk layout. It’s the one we’re going to use here.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So what are the steps for getting the kernel into memory?&lt;br /&gt;
On a plain MBR x86 system, the boot chain ususually looks like this:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;BIOS -&amp;gt; MBR (stage1) -&amp;gt; VBR (stage2) -&amp;gt; Boot Loader (stage3) on filesystem -&amp;gt; FreeBSD Kernel on filesystem

MBR = Master Boot Record = stage 1
VBR = Volume Boot Record = stage 2
The 3rd-stage boot loader is the one with the ASCII art splash screen.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;And specifically in a non-ZFS FreeBSD system:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;BIOS -&amp;gt; /boot/boot0 -&amp;gt; /boot/boot2 -&amp;gt; /boot/loader -&amp;gt; FreeBSD Kernel
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The MBR - &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot/boot0&lt;/code&gt; - is stored in the first block of the hard disk and the VBR - &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot/boot2&lt;/code&gt; - in the first block of the partition.&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;|MBR     | Partition 1                       | Partition 2                       |
|MBR     | VBR | Filesystem of Partition 1   | VBR | Filesystem of Partition 2   |
|1 block | 1 b.|                             | 1 b.|                             |
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;I just want to note that when I say &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot/boot0&lt;/code&gt;, I’m referring to the copy of the MBR or VBR that you can find in &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot&lt;/code&gt;.&lt;br /&gt;
What I mean by this is that the file in &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot&lt;/code&gt; is not the actual MBR, but during installation of the OS, the installer copies the file &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot/boot0&lt;/code&gt; into the first block of the hard disk.&lt;/p&gt;

&lt;h3 id=&quot;gpt&quot;&gt;GPT&lt;/h3&gt;

&lt;p&gt;Since an MBR-based partitioning scheme can only address drives smaller than 2TB a replacement was needed. That replacement is &lt;a href=&quot;http://en.wikipedia.org/wiki/GUID_Partition_Table&quot;&gt;GPT&lt;/a&gt; (GUID Partition Table).&lt;/p&gt;

&lt;p&gt;But BIOS-based systems still need an MBR. Thus, part of a GPT setup is the PMBR or protective MBR, which contains the boot code to load the 2nd boot loader stage, as well as a partition table that contains only one entry spanning the whole disk. That’s how the protective MBR got its name, because a non-GPT-aware OS will think &lt;em&gt;there is a partition spanning the whole drive and I shouldn’t mess with it&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;So for a GPT partition scheme the boot chain looks like:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;BIOS -&amp;gt; /boot/pmbr -&amp;gt; /boot/gptboot -&amp;gt; /boot/loader -&amp;gt; FreeBSD Kernel
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;And the disk layout:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;|PMBR    | GPT Header | Partition 1 of type freebsd-boot | Partition 2 | Partition n... |
|1 block | 33 blocks  | /boot/gptboot                    | filesystem  | filesystem     |
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The BIOS loads the protective MBR, which looks at GPT header / partition table, finds the first FreeBSD boot partition, and starts executing the 2nd-stage boot loader (which is stored in the beginning of the partition): &lt;a href=&quot;http://svnweb.freebsd.org/base/releng/10.0/sys/boot/i386/gptboot/gptboot.c?view=markup&quot;&gt;/boot/gptboot&lt;/a&gt; or with ZFS &lt;a href=&quot;http://svnweb.freebsd.org/base/releng/10.0/sys/boot/i386/zfsboot/zfsboot.c?view=markup&quot;&gt;/boot/gptzfsboot&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The 2nd-stage boot loader tries to load the 3rd stage, which is &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot/loader&lt;/code&gt; in the case of FreeBSD.&lt;br /&gt;
I haven’t checked the other 2nd-stage boot loaders, but &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot/gptboot&lt;/code&gt; at least tries to load a kernel directly at &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot/kernel/kernel&lt;/code&gt; if it cannot find the 3rd-stage boot loader.&lt;/p&gt;

&lt;h3 id=&quot;zfs&quot;&gt;ZFS&lt;/h3&gt;

&lt;p&gt;With a ZFS-based system the 3rd stage would be &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot/zfsloader&lt;/code&gt; and the chain looks like:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;BIOS -&amp;gt; /boot/pmbr -&amp;gt; /boot/gptzfsboot -&amp;gt; /boot/zfsloader -&amp;gt; FreeBSD Kernel
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Both &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot/gptzfsboot&lt;/code&gt; and &lt;code class=&quot;highlighter-rouge&quot;&gt;/boot/zfsloader&lt;/code&gt; are already able to read ZFS partitions and locate files necessary for booting.&lt;/p&gt;

&lt;p&gt;After installing the boot stages to disk the disk would look like:&lt;/p&gt;

&lt;div class=&quot;highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;|MBR     | GPT Header | Partition 1                               | Partition 2                  |
|PMBR    | GPT Header | /boot/gptzfsboot (freebsd-boot partition) | freebsd-zfs containing /boot |
|1 block | 33 blocks  | usually not very big, e.g., 512k          | probably the zroot volume    |

1 block = 512 bytes

/boot/gptzfsboot starts at block 0 of partition 1
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;In a real setup you would probably have a freebsd-swap partition before or after the freebsd-zfs partition.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.freebsd.org/doc/en/books/arch-handbook/boot.html&quot;&gt;Some more&lt;/a&gt; information on the FreeBSD boot process on x86.&lt;/p&gt;

</description>
        <pubDate>Sun, 05 Jan 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/01/05/how-freebsd-boots-on-zfs/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/01/05/how-freebsd-boots-on-zfs/</guid>
      </item>
    
      <item>
        <title>FreeBSD 10: does SWAP work on a ZVOL?</title>
        <description>&lt;p&gt;TL;DR: No, keep them on separate swap partitions.&lt;/p&gt;

&lt;p&gt;–&lt;/p&gt;

&lt;p&gt;I’m working on a secure ZFS installation for my home NAS and plan to use ZFS as the filesystem. One goal is to have everything on disk encrypted.&lt;/p&gt;

&lt;p&gt;While the new FreeBSD 10 installer can automatically partition your hard disk with an encrypted ZFS setup, the &lt;code class=&quot;highlighter-rouge&quot;&gt;swap&lt;/code&gt; partition is not encrypted.&lt;/p&gt;

&lt;p&gt;I also plan to mirror the swap space, so that if one disk goes down in my RAID 1 (or zmirror) setup, the system will keep running.
If you placed a swap partition on each disk in a two-disk setup and they were not mirrored, the system would crash if one disk became unresponsive.&lt;/p&gt;

&lt;p&gt;So my first idea was just to store the swap space in the ZFS pool instead of creating a separate swap partition that would need to be mirrored and encrypted.&lt;/p&gt;

&lt;p&gt;Now, there are two options to store swap space on a ZFS pool:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Use a file as swap space that is stored on a ZFS filesystem&lt;/li&gt;
  &lt;li&gt;Store the swap space in a ZVOL&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The first option is a no-go, because in case of low memory, ZFS needs memory to manage the disk writes to the swap file, but as there is no memory available it needs to write to the swap file, but ZFS needs memory to manage the disk writes to the swap file . . .&lt;/p&gt;

&lt;p&gt;The second option the internetz suggests is to create a ZVOL and use that as swap space.
That seems to work on first sight, and even Sun/Oracle suggested it in a &lt;a href=&quot;https://blogs.oracle.com/jimlaurent/entry/faq_using_zfs_for_swap&quot;&gt;blog post&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Also, the FreeBSD Wiki has something to say on how to create a ZVOL usable for swap space:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;zfs create &lt;span class=&quot;nt&quot;&gt;-V&lt;/span&gt; 2G &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; org.freebsd:swap&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;on &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;checksum&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;compression&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;dedup&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;off &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;sync&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;disabled &lt;span class=&quot;nt&quot;&gt;-o&lt;/span&gt; &lt;span class=&quot;nv&quot;&gt;primarycache&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;none zroot/swap&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;&lt;strong&gt;But&lt;/strong&gt; they added a note:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;If there is no real memory available, the system might become unresponsive.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Because storing the swap space in a ZVOL would be much more convenient (at least if you don’t need kernel crash dumps, which wouldn’t work this way), I wanted to try for myself.&lt;/p&gt;

&lt;p&gt;I wrote a little C program that just allocates memory and then waits for 10 minutes so that the memory is not immediately released:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-c&quot; data-lang=&quot;c&quot;&gt;&lt;span class=&quot;cp&quot;&gt;#include &amp;lt;stdio.h&amp;gt;
#include &amp;lt;stdlib.h&amp;gt;
#include &amp;lt;time.h&amp;gt;
&lt;/span&gt;
&lt;span class=&quot;kt&quot;&gt;void&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;alloc_one_meg&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;number_of_bytes_of_int&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;sizeof&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;number_of_ints_for_one_megabyte&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1024&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1024&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;/&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;number_of_bytes_of_int&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;megabyte&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;malloc&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;sizeof&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;number_of_ints_for_one_megabyte&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;

    &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;i&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;lt;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;number_of_ints_for_one_megabyte&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;++&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;n&quot;&gt;megabyte&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;rand&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;();&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;kt&quot;&gt;void&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;waitFor&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;unsigned&lt;/span&gt; &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;secs&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;waiting for %d seconds&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;secs&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;

    &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;retTime&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;time&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;secs&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;while&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;time&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;lt;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;retTime&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;main&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;argc&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;kt&quot;&gt;char&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;argv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[]&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;argc&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;!=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;2&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
        &lt;span class=&quot;n&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;usage: %s &amp;lt;megabytes&amp;gt;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;argv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;

    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;else&lt;/span&gt;  &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;

        &lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;number_of_megabytes&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt;
        &lt;span class=&quot;n&quot;&gt;sscanf&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;argv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;%d&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;&amp;amp;&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;number_of_megabytes&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;

        &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;kt&quot;&gt;int&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;i&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;lt;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;number_of_megabytes&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;++&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;n&quot;&gt;alloc_one_meg&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;();&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

        &lt;span class=&quot;n&quot;&gt;printf&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;allocated %d MB&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\n&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;number_of_megabytes&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;

        &lt;span class=&quot;n&quot;&gt;waitFor&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;600&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;);&lt;/span&gt;
    &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Download link: &lt;a href=&quot;/assets/posts/2014-01-05-freebsd-10-does-work-on-a-zvol/memory.c&quot;&gt;memory.c&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You can compile and run the program on a vanilla FreeBSD installation by running:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;c&quot;&gt;# clang -o memory memory.c&lt;/span&gt;
&lt;span class=&quot;c&quot;&gt;# ./memory &amp;lt;number of megabytes&amp;gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;My test system is a VMware virtual machine with 256MB RAM.&lt;/p&gt;

&lt;h1 id=&quot;swap-partition&quot;&gt;SWAP partition&lt;/h1&gt;

&lt;p&gt;Now let’s see how the system behaves if we run memory.c on an installation with a normal 2GB swap partition:&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2014-01-05-freebsd-10-does-work-on-a-zvol/swap_partition.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The system stays responsive and kills memory.c as soon as it runs out of swap space.&lt;/p&gt;

&lt;h1 id=&quot;zvol&quot;&gt;ZVOL&lt;/h1&gt;

&lt;p&gt;Now let’s try the same thing with the swap space on a ZVOL:&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2014-01-05-freebsd-10-does-work-on-a-zvol/zvol_hang.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It still replies to &lt;code class=&quot;highlighter-rouge&quot;&gt;ping&lt;/code&gt; requests, but it has stopped being responsive. You cannot kill memory.c or do anything else useful.&lt;/p&gt;

&lt;p&gt;&lt;img width=&quot;100%&quot; src=&quot;/assets/posts/2014-01-05-freebsd-10-does-work-on-a-zvol/swap_zvol_top.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;As you can see in the &lt;code class=&quot;highlighter-rouge&quot;&gt;top&lt;/code&gt; output, which I had running on the second console, the system has 256MB RAM and 512MB swap space. So the 300MB shouldn’t even have used up the whole swap space.&lt;/p&gt;

&lt;p&gt;And if you can trust the &lt;code class=&quot;highlighter-rouge&quot;&gt;top&lt;/code&gt; output, it crashed with only about 60MB of swap space used.&lt;/p&gt;

&lt;h1 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h1&gt;

&lt;p&gt;Some people have suggested reserving memory via kernel parameters (&lt;a href=&quot;https://github.com/zfsonlinux/zfs/issues/342#issuecomment-5137629&quot;&gt;in that case ZFSOnLinux&lt;/a&gt;), but I’m aiming for a stable, maintainable system and reserving memory might just delay the problem, if it helped at all.&lt;/p&gt;

&lt;p&gt;So the way to go is to keep swap space off ZFS and use separate partitions - like the FreeBSD 10 ZFS installer already does.&lt;/p&gt;

</description>
        <pubDate>Sun, 05 Jan 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/01/05/freebsd-10-does-swap-work-on-a-zvol/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/01/05/freebsd-10-does-swap-work-on-a-zvol/</guid>
      </item>
    
      <item>
        <title>Getting the FreeBSD 10 installer onto a USB stick under Mac OS X</title>
        <description>&lt;p&gt;&lt;strong&gt;The following commands will only work in Mac OS X. For other operating systems see the &lt;a href=&quot;http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/bsdinstall-pre.html&quot;&gt;FreeBSD Handbook&lt;/a&gt;!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;At the time of writing this post, FreeBSD 10 is in PRERELEASE mode and according to the &lt;a href=&quot;http://www.freebsd.org/releases/10.0R/schedule.html&quot;&gt;Release Schedule&lt;/a&gt; is nearly finished. So let’s get the latest snapshot from:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;ftp://ftp.freebsd.org/pub/FreeBSD/snapshots/ISO-IMAGES/10.0/&quot;&gt;ftp://ftp.freebsd.org/pub/FreeBSD/snapshots/ISO-IMAGES/10.0/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After FreeBSD 10 has been released, just go to &lt;a href=&quot;http://www.freebsd.org/where.html&quot;&gt;http://www.freebsd.org/where.html&lt;/a&gt; and download the latest RELEASE version.&lt;/p&gt;

&lt;p&gt;I’m using the AMD64 memstick image as my server has a 64-bit CPU:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;curl &lt;span class=&quot;nt&quot;&gt;-O&lt;/span&gt; ftp://ftp.freebsd.org/pub/FreeBSD/snapshots/ISO-IMAGES/10.0/FreeBSD-10.0-PRERELEASE-amd64-20131230-r260064-memstick.img&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Now connect your USB stick to your Mac and find the device name with &lt;code class=&quot;highlighter-rouge&quot;&gt;mount&lt;/code&gt;:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;mount
/dev/disk1 on / &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;hfs, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;, journaled&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
devfs on /dev &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;devfs, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;, nobrowse&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
/dev/disk0s4 on /Volumes/BOOTCAMP &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;ntfs, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;, read-only, noowners&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
map &lt;span class=&quot;nt&quot;&gt;-hosts&lt;/span&gt; on /net &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;autofs, nosuid, automounted, nobrowse&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
map auto_home on /home &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;autofs, automounted, nobrowse&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;
/dev/disk2s1 on /Volumes/CORSAIR &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;msdos, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;, nodev, nosuid, noowners&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Your output might look a bit different. My USB stick is fresh out of the box and is FAT32 (MS-DOS) formated and called CORSAIR.&lt;/p&gt;

&lt;p&gt;If you’re not sure which line represents your USB stick:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Remove the USB stick from your Mac&lt;/li&gt;
  &lt;li&gt;Run &lt;code class=&quot;highlighter-rouge&quot;&gt;mount&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;Insert your USB stick&lt;/li&gt;
  &lt;li&gt;Run &lt;code class=&quot;highlighter-rouge&quot;&gt;mount&lt;/code&gt; again and find the volume that was added&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The relevant line in my case is:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;/dev/disk2s1 on /Volumes/CORSAIR &lt;span class=&quot;o&quot;&gt;(&lt;/span&gt;msdos, &lt;span class=&quot;nb&quot;&gt;local&lt;/span&gt;, nodev, nosuid, noowners&lt;span class=&quot;o&quot;&gt;)&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Note that the USB stick is represented by &lt;code class=&quot;highlighter-rouge&quot;&gt;/dev/disk2&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It’s very important that you use the correct device shown on YOUR system. If you use the wrong disk, the following dd command WILL DESTROY your data!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Unmount the USB stick:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;diskutil umount /dev/disk2s1
Volume CORSAIR on disk2s1 unmounted&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;Now write the FreeBSD installer image to the USB stick. This will take some time.&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;sudo &lt;/span&gt;dd &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;FreeBSD-10.0-PRERELEASE-amd64-20131230-r260064-memstick.img &lt;span class=&quot;nv&quot;&gt;of&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/dev/disk2 &lt;span class=&quot;nv&quot;&gt;bs&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;64k
&lt;span class=&quot;nv&quot;&gt;$ &lt;/span&gt;sync&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;You can now safely remove the USB stick from your Mac and use it to boot into the FreeBSD installer.&lt;/p&gt;

</description>
        <pubDate>Sat, 04 Jan 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/01/04/getting-the-freebsd-10-installer-onto-an-usb-stick-under-mac-os-x/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/01/04/getting-the-freebsd-10-installer-onto-an-usb-stick-under-mac-os-x/</guid>
      </item>
    
      <item>
        <title>Securing my WordPress Installation</title>
        <description>&lt;p&gt;I decided to reduce the number of possible attack vectors on my private server, and one of the first things that had to go was Apache2 and WordPress.&lt;/p&gt;

&lt;p&gt;While WordPress is not a very maintenance-intensive piece of software, nothing improves security as much as moving to a static blog engine, &lt;a href=&quot;http://jekyllrb.com/&quot;&gt;Jekyll&lt;/a&gt; in my case, and deploying the generated static files on GitHub.&lt;/p&gt;

&lt;p&gt;This is more or less a test post . . .&lt;/p&gt;
</description>
        <pubDate>Fri, 03 Jan 2014 00:00:00 +0100</pubDate>
        <link>http://www.schmidp.com/2014/01/03/jekyll/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2014/01/03/jekyll/</guid>
      </item>
    
      <item>
        <title>Hide PostgreSQL User in OS X Lion 10.7</title>
        <description>&lt;p&gt;After you install PostgreSQL 8.4 on Lion, a PostgreSQL user pops up in the login window.
To hide system users (including the PostgreSQL user), type the following in your terminal:&lt;/p&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-sh&quot; data-lang=&quot;sh&quot;&gt;&lt;span class=&quot;nb&quot;&gt;sudo &lt;/span&gt;defaults write /Library/Preferences/com.apple.loginwindow Hide500Users &lt;span class=&quot;nt&quot;&gt;-bool&lt;/span&gt; TRUE&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

</description>
        <pubDate>Mon, 01 Aug 2011 02:20:16 +0200</pubDate>
        <link>http://www.schmidp.com/2011/08/01/hide-postgresql-user-in-os-x-lion-10-7/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2011/08/01/hide-postgresql-user-in-os-x-lion-10-7/</guid>
      </item>
    
      <item>
        <title>Mac OS X 10.7 Lion TrueCrypt Howto</title>
        <description>&lt;p&gt;Just to save you some time: TrueCrypt 7.0a doesn’t work out of the box with Lion.&lt;/p&gt;

&lt;p&gt;To get it running, follow these steps:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Download &amp;amp; install TrueCrypt 7.0a for Mac&lt;/li&gt;
  &lt;li&gt;Download &amp;amp; install: &lt;a href=&quot;http://www.tuxera.com/mac/macfuse-core-10.5-2.1.9.dmg&quot;&gt;http://www.tuxera.com/mac/macfuse-core-10.5-2.1.9.dmg&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;Reboot&lt;/li&gt;
  &lt;li&gt;Use TrueCrypt&lt;/li&gt;
&lt;/ol&gt;
</description>
        <pubDate>Tue, 07 Jun 2011 00:00:00 +0200</pubDate>
        <link>http://www.schmidp.com/2011/06/07/mac-os-x-10-7-lion-truecrypt-howto/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2011/06/07/mac-os-x-10-7-lion-truecrypt-howto/</guid>
      </item>
    
      <item>
        <title>Will iPhone 4 Blend?</title>
        <description>&lt;object width=&quot;640&quot; height=&quot;385&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/fLreo24WYeQ&amp;amp;rel=0&amp;amp;color1=0xb1b1b1&amp;amp;color2=0xd0d0d0&amp;amp;hl=en_US&amp;amp;feature=player_embedded&amp;amp;fs=1&quot; /&gt;&amp;lt;/param&amp;gt;&lt;param name=&quot;allowFullScreen&quot; value=&quot;true&quot; /&gt;&amp;lt;/param&amp;gt;&lt;param name=&quot;allowScriptAccess&quot; value=&quot;always&quot; /&gt;&amp;lt;/param&amp;gt;&lt;embed src=&quot;http://www.youtube.com/v/fLreo24WYeQ&amp;amp;rel=0&amp;amp;color1=0xb1b1b1&amp;amp;color2=0xd0d0d0&amp;amp;hl=en_US&amp;amp;feature=player_embedded&amp;amp;fs=1&quot; type=&quot;application/x-shockwave-flash&quot; allowfullscreen=&quot;true&quot; allowscriptaccess=&quot;always&quot; width=&quot;640&quot; height=&quot;385&quot; /&gt;&amp;lt;/embed&amp;gt;&lt;/object&gt;
</description>
        <pubDate>Sun, 27 Jun 2010 10:35:57 +0200</pubDate>
        <link>http://www.schmidp.com/2010/06/27/will-iphone-4-blend/</link>
        <guid isPermaLink="true">http://www.schmidp.com/2010/06/27/will-iphone-4-blend/</guid>
      </item>
    
  </channel>
</rss>