content/posts/uefi-full-disk-encryption.md

@@ -23,8 +23,8 @@ It has been a painful experience, full of bugs and kernel panics.
 I've post some of them in the Fediverse.
 Like [here](https://mastodon.bsd.cafe/@release_candidate/112520904317829098) and [here](https://mastodon.bsd.cafe/@release_candidate/112128737628556050).
 
-One of the weakest points that I've seen in NetBSD is the installer.
-If you need a simple installation *it just works* ™.
+One of the weakest point that I've seen in NetBSD is the installer.
+If you need a simple installation it just works ™.
 But as soon as you need some complex setup, like RAID mixed with encrypted partitions, or something similar, the installer is subpar.
 You will face some segfault from the installer, a kernel panic or another surprise.
 
@@ -39,7 +39,7 @@ Now, even today I have no idea how to have actual full disk encryption with NetB
 I've seen [a wonderful tutorial for full-disk encryption for MBR-based systems](https://www.unitedbsd.com/d/461-netbsd-full-disk-encryption-with-cgd), but not for UEFI.
 And my laptop doesn't really like to boot in old MBR mode.
 
-Following the [documentation on CGD drives](https://www.netbsd.org/docs/guide/en/chap-cgd.html#chap-cgd-example) and [the documentation on UEFI installations](https://wiki.netbsd.org/Installation_on_UEFI_systems/), I have a semi-full disk encryption.
+Following the [documentation of CGD drives](https://www.netbsd.org/docs/guide/en/chap-cgd.html#chap-cgd-example) and [the documentation on UEFI installations](https://wiki.netbsd.org/Installation_on_UEFI_systems/), I have a semi-full disk encryption.
 With plain-text root file-system, and encrypted `/home`, `/usr`, `/var` and swap.
 
 So, without further complaints, this is the way I have some disk encryption in UEFI systems with NetBSD.
@@ -299,8 +299,8 @@ Now I edit fstab to mount the CGD partitions.
 
 ```
 # vi /targetroot/etc/fstab
-```
-```
+
+# cat /targetroot/etc/fstab
 # NetBSD /etc/fstab
 # See /usr/share/examples/fstab/ for more examples.
 NAME=NetBSD     /       ffs     rw              1 1
@@ -322,8 +322,8 @@ The file rc.confg also needs to be edited
 
 ```
 # vi /targetroot/etc/rc.conf
-```
-```
+
+
 rc_configured=YES
 
 # Add local overrides below.
@@ -340,8 +340,7 @@ wscons=YES
 `rc_configured=YES` is important, otherwise the system will always boot in single-user mode.
 
 These are the variables I use for a new system.
-For example, my network device is `wm0`.
-And this example hostname is `marte.local`.
+For example, my network device is `wm0`,
 Your network card and requirements may be different.
 
 # Unmount and reboot
@@ -374,7 +373,7 @@ In the new system you may need to change root password:
 # passwd
 ```
 
-Install pkgin.
+Install pkgin:
 
 ```
 PATH="/usr/pkg/sbin:/usr/pkg/bin:$PATH"
@@ -384,14 +383,14 @@ PKG_PATH="http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/10.0/All/"
 # pkg_add pkgin
 ```
 
-And add a new user.
+And add a new user:
 
 
 ```
 # useradd -m -G wheel -k /etc/skel vsis
 ```
 
-And, of course, RTFM.
+And, of course RTFM:
 
 ```
 # man afterboot
@@ -403,8 +402,4 @@ This is the method I use to install a semi-full disk encrypted NetBSD system.
 I may add RAID devices, LVM, multiple disks, etc.
 Then mount everything under `/targetroot` and extract the sets.
 
-The restriction is in the root file-system.
-It needs to be in plain-text and in a regular partition.
-It seems to me that rootfs in CGD or LVM is not well supported.
-
 I may be biased by [the Arch way](https://wiki.archlinux.org/title/installation_guide) to install the system, but I find this method better than the installer.