Booting a GELI encrypted hard disk

Pawel Jakub Dawidek pjd at
Wed Oct 24 10:40:29 PDT 2007

On Thu, Oct 25, 2007 at 12:46:53AM +0800, Daniel Marsh wrote:
> Even if all data on a drive is encrypted, the partition table is not.
> Software based disk encryption works on partitions.

That's not true. One can configure full disk encryption using GELI. To
do it you need to have a small USB pen-drive or CD-ROM with /boot/
directory, but that's all you need. Then you actually boot from your
unencrypted pen-drive, but mount all file systems from encrypted disk.
The pen-drive is not needed for your system to run and you can easily
take it with you, which is not always the case for your laptop.

> How far into the boot sequence do you get before your system crashes without
> the key present?
> I would assume as far as reading the / partition to get the kernel etc...
> It would have read the partition table and the boot loader, known which
> partition was the "active" partition and tried booting it.
> Now, to identify what OS this disk has on it you can check the partition
> table and see what "type" has been set for each slice/partition.
> You will be able to see that there is a BSD style slice on the disk just by
> running `fdisk /dev/mystolendiskdevice`
> You now know it's a BSD OS, you could then make a guess as to what version
> of BSD by the type of machine it was taken from, based on what hardware is
> supported by each BSD.
> I believe their slices and layout are identical but the file systems differ.
> The person with your disk could then start trying to determine what kind of
> disk encryption is in place.

That's all irrelevant. Security of GELI (or any sane cryptographic
system) doesn't depend on secrecy of algorithms used.

Pawel Jakub Dawidek
pjd at
FreeBSD committer                         Am I Evil? Yes, I Am!
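The layout pjd describes (unencrypted /boot on a pen-drive, every file system mounted from a GELI provider on the internal disk) as an added example, not part of the original post or of FreeBSD's own scripts. It assumes the encrypted partition is ad0s1d (a constructed name), that the pen-drive's /boot is mounted at BOOTDIR, and that the key file is kept under /boot/keys on the pen-drive; the geli commands only run when invoked as root on FreeBSD with the argument "apply", otherwise the script just prints the configuration it would write.

```shell
#!/bin/sh
# Added example: configuration for a GELI-encrypted root with /boot on a
# removable medium. DEV and BOOTDIR are assumptions, not values from the post.
set -eu

DEV="${DEV:-ad0s1d}"                 # provider holding the encrypted root (assumed)
BOOTDIR="${BOOTDIR:-/mnt/pen/boot}"  # /boot on the pen-drive (assumed mount point)

# loader.conf fragment for the pen-drive: load geom_eli, let the loader hand
# the key file to the kernel, and mount root from the decrypted .eli provider.
loader_conf_for() {
    dev="$1"; keyfile="$2"
    cat <<EOF
geom_eli_load="YES"
geli_${dev}_keyfile0_load="YES"
geli_${dev}_keyfile0_type="${dev}:geli_keyfile0"
geli_${dev}_keyfile0_name="${keyfile}"
vfs.root.mountfrom="ufs:/dev/${dev}.eli"
EOF
}

# fstab entry: root is mounted from the .eli device, so apart from the GELI
# metadata nothing on the internal disk is ever read in clear.
fstab_line_for() {
    printf '/dev/%s.eli\t/\tufs\trw\t1\t1\n' "$1"
}

# One-time initialisation on FreeBSD: a 64-byte random key stored only on the
# pen-drive, and "geli init -b" so the provider is attached before root is
# mounted. After attach, newfs /dev/$DEV.eli and install the system onto it.
apply() {
    keyfile="$BOOTDIR/keys/$DEV.key"
    mkdir -p "$BOOTDIR/keys"
    dd if=/dev/random of="$keyfile" bs=64 count=1
    geli init -b -K "$keyfile" -l 256 "/dev/$DEV"
    geli attach -k "$keyfile" "/dev/$DEV"
    loader_conf_for "$DEV" "/boot/keys/$DEV.key" >> "$BOOTDIR/loader.conf"
}

if [ "${1:-}" = "apply" ]; then
    apply
else
    loader_conf_for "$DEV" "/boot/keys/$DEV.key"
    fstab_line_for "$DEV"
fi
```

If the pen-drive is lost, the key file goes with it, so keep a backup of the key (and of the GELI metadata) somewhere you control.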

More information about the freebsd-questions mailing list