Booting a GELI encrypted hard disk

Roland Smith rsmith at
Wed Oct 10 14:09:17 PDT 2007

On Wed, Oct 10, 2007 at 02:34:16PM -0400, Steve Bertrand wrote:
> > Put all the data that really needs to be encrypted on a separate slice,
> > and encrypt that. Leave the rest unencrypted, especially /boot. As a
> > rule of thumb; don't bother encrypting anything that you can just
> > download from the internet. :-)
> Fair enough, this makes sense. Thank you.
> > As you can see only /home is encrypted because the rest doesn't hold
> > data worth encrypting.
> Well, on mine it will.

I was talking about my system. Yours will of course be different. :-)
> > If you encrypted / and /usr, you might actually make the system more
> > vulnerable to a known-plaintext attack, because there are a lot of files
> > with well-known contents there.
> I can get away with not having / encrypted, but I need /var encrypted
> for databases and logs etc, /tmp so any temporary files are secured and
> the swap file (swap very rarely gets used).

You can even encrypt /tmp with a one-time key (see 'geli onetime').
Also have a look at the geli_* variables in /etc/defaults/rc.conf.

> So, I will test it as you suggested, however, would it be possible to
> still house my key on a removable USB stick, and after the slices are
> mounted into the file system successfully to then unmount and remove the
> USB drive and have the box remain in operation, or does the key need to
> be accessed throughout all disk reads/writes?

It only needs to be present during creation of the GELI devices (geli
attach). The rc scripts know they have to load GELI and attach the
devices if they see an .eli device in /etc/fstab. Geli will ask for the
passphrase(s) during boot-up if you're using them. You can specify which
key-file to use in the geli_[devicename]_flags variable in /etc/rc.conf.

However using a USB device presents its own problems. If you plug in a
USB stick there's no telling which device node it ends up with,
depending on how many other USB devices are on the bus. To make device
recognition easier, you should use a GEOM label on the USB stick, so
you'll know which /dev/label/* device node it gets. And you'd probably
have to hack an rc script to mount the USB stick _before_ the system
tries to attach the GELI device(s).

> Essentially, I'd like it so that if the box reboots while I am gone, or
> if I want to reboot it remotely there is theoretically no way for
> someone at the console to re-mount the encrypted slices?

Well, if you don't know the passphrase during boot-up (you get 3 tries),
the geli devices will not be created and mounting the slices depending
on them will fail. So you don't _need_ a keyfile for that.

And remember that this USB stick is another thing you have to back-up
and store in a safe place. It would be bad if you lost your data because
your USB stick died or got lost.

[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
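The "mount the labelled USB stick, attach the GELI providers, pull the stick" sequence discussed above, written out as an added example. This is not code from the post or from the FreeBSD rc scripts; the label name keystick, the mount point /mnt/keystick, the provider names ada0s1d/ada0s1e and the keyfile naming scheme <provider>.key are assumptions for illustration. It assumes the stick was labelled once with "glabel label keystick /dev/da0", so that GEOM exposes it as /dev/label/keystick no matter which daN it gets. If you install it under /etc/rc.d it needs rcorder headers (PROVIDE/BEFORE) so it runs before the geli script; the DRY_RUN switch only prints the commands, so the logic can be checked on a machine without the stick or GELI.

```sh
#!/bin/sh
# Added example (not from the mailing-list post): fetch GELI keyfiles from a
# GEOM-labelled USB stick, attach the providers, unmount the stick so it can
# be removed. Every name below is an assumption for illustration.

KEYSTICK_LABEL="${KEYSTICK_LABEL:-keystick}"     # assumed glabel name
KEYSTICK_MNT="${KEYSTICK_MNT:-/mnt/keystick}"    # assumed mount point
GELI_DEVICES="${GELI_DEVICES:-ada0s1d ada0s1e}"  # assumed providers (/var, /home ...)
TMP_DEV="${TMP_DEV:-ada0s1f}"                    # assumed provider for a one-time /tmp
DRY_RUN="${DRY_RUN:-0}"                          # 1: print commands instead of running them

# run CMD ARGS...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# attach_all: mount the stick read-only by its GEOM label, attach each provider
# with its keyfile (geli still prompts for a passphrase if the provider has one),
# then unmount. The key is only needed at attach time, so the stick can be
# pulled afterwards. Returns non-zero if any provider could not be attached.
attach_all() {
    status=0
    run mkdir -p "$KEYSTICK_MNT"
    run mount -t msdosfs -o ro "/dev/label/$KEYSTICK_LABEL" "$KEYSTICK_MNT" || return 1
    for dev in $GELI_DEVICES; do
        key="$KEYSTICK_MNT/$dev.key"
        # fail loudly for a missing keyfile instead of hanging at a prompt
        if [ "$DRY_RUN" != "1" ] && [ ! -r "$key" ]; then
            echo "keystick: no keyfile $key for $dev" >&2
            status=1
            continue
        fi
        run geli attach -k "$key" "/dev/$dev" || status=1
    done
    run umount "$KEYSTICK_MNT"
    return $status
}

# onetime_tmp: a /tmp that is unreadable after the next reboot. 'geli onetime'
# uses a random key that is never stored, so the filesystem has to be recreated
# with newfs on every boot before it is mounted.
onetime_tmp() {
    run geli onetime -s 4096 "/dev/$TMP_DEV" || return 1
    run newfs -U "/dev/$TMP_DEV.eli" || return 1
    run mount "/dev/$TMP_DEV.eli" /tmp
}

# Only act when invoked as "script start" (e.g. from an rc.d wrapper); sourcing
# the file just defines the functions.
case "${1:-}" in
    start) attach_all && onetime_tmp ;;
esac
```

Leave these providers out of geli_devices in /etc/rc.conf when the script attaches them itself, otherwise /etc/rc.d/geli will try to attach them a second time; the fstab entries for the .eli devices stay as they are, since the mount happens later from fstab. The same stick still has to be backed up, as the post points out: losing it means losing the keyfiles.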

More information about the freebsd-questions mailing list