Booting a GELI encrypted hard disk

Mel fbsd.questions at rachie.is-a-geek.net
Wed Oct 10 14:38:01 PDT 2007


On Wednesday 10 October 2007 23:17:01 Roland Smith wrote:
> On Wed, Oct 10, 2007 at 08:18:38PM +0200, Fabian Keil wrote:
> > Roland Smith <rsmith at xs4all.nl> wrote:
> > > On Wed, Oct 10, 2007 at 09:04:34AM -0400, Steve Bertrand wrote:
> > > > I am voraciously attempting to get a FreeBSD system to boot from a
> > > > GELI encrypted hard disk, but am having problems.
> > >
> > > You don't need to encrypt the whole harddisk. You can encrypt separate
> > > slices. There is no need to encrypt stuff like / or /usr; what is there
> > > that needs to be kept secret?
> >
> > Encryption isn't only useful for private data,
> > it also reduces the risk of third parties replacing
> > your binaries with Trojans while you're away.
>
> If that someone can replace binaries on a running system, your box has
> been h4x0red and you're screwed anyway. Doubly so if your encrypted
> filesystem was mounted at the time. :-)

I think the case he's describing is that one can remove the harddisk, mount
it as a secondary drive, replace system binaries with keylogging-enabled
binaries and then put it back. You won't notice this till you read the daily
security report in a default system.

> It's easy enough to make a list of SHA256 checksums of all binaries and
> store that on the encrypted partition, so you can check the binaries any
> time you want.

Like sysutils/tripwire. Even if the system doesn't let you boot if system
binaries have changed, the damage is probably done already because the geli
passphrase binary logged your passphrase.
It's questionable, though, whether you should leave your computer in an
environment where this can happen undetected, and it is probably better solved
by increasing real-life security.

-- 
Mel
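
The checksum list suggested in the quoted text above, as an added example that is not part of the original thread: it records a SHA256 digest and mode for every file under the unencrypted system directories, stores the list on the encrypted partition, and reports what has changed since. The directory names, the `sha256.json` file name and the sample files are constructed for the demonstration.

```python
import hashlib, json, os, tempfile

def fingerprint(path):
    """SHA256 of a regular file, or the target of a symlink, plus mode bits."""
    st = os.lstat(path)
    if os.path.islink(path):
        return ["link:" + os.readlink(path), st.st_mode & 0o7777]
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return [h.hexdigest(), st.st_mode & 0o7777]  # mode catches a new setuid bit

def build_manifest(roots):
    """Fingerprint every file and symlink under the given directories."""
    manifest = {}
    for root in roots:
        for dirpath, dirs, names in os.walk(root):
            for name in dirs + names:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or os.path.isfile(path):
                    manifest[path] = fingerprint(path)
    return manifest

def compare(baseline, current):
    """Report what differs between the stored list and the disk as it is now."""
    return {"changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
            "missing": sorted(p for p in baseline if p not in current),
            "added": sorted(p for p in current if p not in baseline)}

def demo():
    # Constructed tree: 'sbin' = unencrypted binaries, 'secure' = GELI partition.
    with tempfile.TemporaryDirectory() as top:
        sbin, secure = os.path.join(top, "sbin"), os.path.join(top, "secure")
        os.mkdir(sbin); os.mkdir(secure)
        for name in ("geli", "init"):
            with open(os.path.join(sbin, name), "w") as f:
                f.write("original " + name)
        listing = os.path.join(secure, "sha256.json")
        with open(listing, "w") as f:
            json.dump(build_manifest([sbin]), f)
        with open(os.path.join(sbin, "geli"), "w") as f:  # simulated offline swap
            f.write("replaced geli")
        with open(listing) as f:
            report = compare(json.load(f), build_manifest([sbin]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

As the message above points out, a check like this only runs after the passphrase has been typed, so it reports a replaced binary rather than preventing the passphrase from being captured.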

