Booting a GELI encrypted hard disk

Roland Smith rsmith at xs4all.nl
Wed Oct 10 10:54:00 PDT 2007


On Wed, Oct 10, 2007 at 09:04:34AM -0400, Steve Bertrand wrote:
> Hi all,
> 
> I am voraciously attempting to get a FreeBSD system to boot from a GELI
> encrypted hard disk, but am having problems.

You don't need to encrypt the whole hard disk. You can encrypt separate
slices. There is no need to encrypt stuff like / or /usr; what is there
that needs to be kept secret?
 
> All of my searches lead to the same problem...GELI passphrase can not be
> entered correctly upon boot. I have tried everything I have found on the
> web (including disabling 'kbdmux' in the kernel) to no avail.

With a normal AT keyboard I can enter the passphrase without problems,
for a non-root partition.

> Does anyone have a suggestion for a workaround?

Put all the data that really needs to be encrypted on a separate slice,
and encrypt that. Leave the rest unencrypted, especially /boot. As a
rule of thumb: don't bother encrypting anything that you can just
download from the internet. :-)

Here's how it looks on my machine:

Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/ar0s1a        496M    126M    330M    28%    /
devfs              1.0K    1.0K      0B   100%    /dev
/dev/ar0s1g.eli    120G     82G     28G    75%    /home
/dev/ar0s1e        496M     16K    456M     0%    /tmp
/dev/ar0s1f         19G    4.7G     13G    26%    /usr
/dev/ar0s1d        1.9G    152M    1.6G     8%    /var

As you can see only /home is encrypted because the rest doesn't hold
data worth encrypting.

If you encrypted / and /usr, you might actually make the system more
vulnerable to a known-plaintext attack, because there are a lot of files
with well-known contents there.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
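As an added example (not part of Roland's post), a small Python checker that reads `df` output, treats any `<provider>.eli` device as a GELI-attached provider, and reports whether the layout follows the advice above: / and /boot (and, per the reply, /usr) left plain, /home encrypted. The two mount-point policy sets and the `audit` function name are assumptions; the sample listing is the one from the post.

```python
# Mount points that must stay unencrypted: the loader has to read /boot
# before any passphrase can be typed, and the reply argues / and /usr
# hold nothing secret. Policy sets are an assumption, not from the post.
MUST_BE_PLAIN = {"/", "/boot", "/usr"}
SHOULD_BE_ENCRYPTED = {"/home"}

# Constructed sample: the df listing quoted in the post.
DF_OUTPUT = """\
Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/ar0s1a        496M    126M    330M    28%    /
devfs              1.0K    1.0K      0B   100%    /dev
/dev/ar0s1g.eli    120G     82G     28G    75%    /home
/dev/ar0s1e        496M     16K    456M     0%    /tmp
/dev/ar0s1f         19G    4.7G     13G    26%    /usr
/dev/ar0s1d        1.9G    152M    1.6G     8%    /var
"""


def parse_df(text):
    """Return {mountpoint: device} from df output, skipping the header."""
    mounts = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6:
            mounts[fields[-1]] = fields[0]
    return mounts


def is_geli(device):
    """GELI exposes an attached provider as /dev/<provider>.eli."""
    return device.endswith(".eli")


def device_for(path, mounts):
    """Longest-prefix match: the mount that actually holds `path`
    (so /boot on a non-separate partition resolves to the / device)."""
    candidates = [m for m in mounts
                  if m == "/" or path == m or path.startswith(m + "/")]
    return mounts[max(candidates, key=len)]


def audit(text):
    """Classify each mount and list deviations from the layout advice."""
    mounts = parse_df(text)
    encrypted = sorted(m for m, d in mounts.items() if is_geli(d))
    plain = sorted(m for m, d in mounts.items() if not is_geli(d))
    problems = []
    for p in sorted(MUST_BE_PLAIN):
        dev = device_for(p, mounts)
        if is_geli(dev):
            problems.append(f"{p} is on {dev}: loader/known-plaintext concern")
    for p in sorted(SHOULD_BE_ENCRYPTED):
        dev = device_for(p, mounts)
        if not is_geli(dev):
            problems.append(f"{p} is on {dev} without GELI")
    return {"encrypted": encrypted, "plain": plain, "problems": problems}
```

Running `audit` on a real machine's `df` output (`subprocess.run(["df"], ...)`) gives the same report for the live layout.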