Booting a GELI encrypted hard disk

Oliver Fromme olli at lurza.secnetix.de
Thu Oct 25 06:53:44 PDT 2007


Hi Pawel,

Pawel Jakub Dawidek wrote:
 > Daniel Marsh wrote:
 > > Even if all data on a drive is encrypted, the partition table is not.
 > > Software based disk encryption works on partitions.
 > 
 > That's not true. One can configure full disk encryption using GELI. To
 > do it you need to have a small USB pen-drive or CD-ROM with /boot/
 > directory, but that's all you need. Then you actually boot from your
 > unencrypted pen-drive, but mount all file systems from encrypted disk.

So far, so good ...

 > The pen-drive is not needed for your system to run and you can easily
 > take it with you, which is not always the case for your laptop.

Are you saying that the USB pen-drive can be removed while
the system is running (after it has booted)?  I remember
that it was impossible in the past to remove the root vnode
(which in this case would be the /boot file system from the
pen-drive).  Did that change recently?  Or is there a way
to change the system's root vnode from the pen-drive to the
root file system on the encrypted disk?  If so, then how?

I'm just curious.  The ability to change the root vnode
would open several interesting possibilities, besides fully
encrypted disks.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination
of their C programs."
        -- Robert Firth
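The layout Pawel describes above (unencrypted /boot on a removable pen-drive, every other file system on a GELI provider carrying the BOOT flag), written out as an added example that is not part of this thread or of FreeBSD's own documentation. The device names are assumptions: ad0s1a is the disk slice to be encrypted and da0s1a is the pen-drive slice that holds /boot. Mounting the pen-drive `noauto` so it can be unplugged once the system is up is also a design choice of the example. The destructive geli/newfs steps are only printed unless DRY_RUN=0 is set; the loader.conf and fstab fragments are written to a staging directory for review.

```shell
#!/bin/sh
# Added example, not code from the thread: stage a GELI "everything but /boot
# is encrypted" layout.  ad0s1a (disk slice to encrypt) and da0s1a (pen-drive
# slice holding /boot) are assumed names; check yours with gpart/fdisk first.
set -eu

ENC_PROV="${ENC_PROV:-ad0s1a}"   # provider to encrypt (assumed name)
BOOT_PROV="${BOOT_PROV:-da0s1a}" # pen-drive slice carrying /boot (assumed)
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the privileged commands only

# Wrapper: destructive steps are echoed, not run, unless DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '# would run: %s\n' "$*"
    else
        "$@"
    fi
}

# -b sets the BOOT flag so the kernel attaches the provider (and prompts for
# the passphrase) before it mounts root; -s 4096 selects a 4 KiB sector size.
prepare_encrypted_disk() {
    run geli init -b -s 4096 "/dev/$ENC_PROV"
    run geli attach "/dev/$ENC_PROV"
    run newfs "/dev/$ENC_PROV.eli"
}

# loader.conf for the pen-drive's /boot: load geom_eli, then point the kernel
# at the decrypted provider for root instead of the pen-drive it booted from.
loader_conf() {
    printf 'geom_eli_load="YES"\n'
    printf 'vfs.root.mountfrom="ufs:/dev/%s.eli"\n' "$ENC_PROV"
}

# fstab for the encrypted root.  /boot stays on the pen-drive, marked noauto
# with fsck pass 0, so the drive only has to be present at boot time and when
# the kernel or loader is being updated.
fstab() {
    printf '/dev/%s.eli\t/\tufs\trw\t1\t1\n' "$ENC_PROV"
    printf '/dev/%s\t/boot\tufs\trw,noauto\t0\t0\n' "$BOOT_PROV"
}

# Write both fragments under a staging directory (default: a fresh temp dir)
# so they can be reviewed before being copied to the pen-drive and the
# encrypted root.  Prints the directory used.
stage_config() {
    dir="${1:-$(mktemp -d)}"
    mkdir -p "$dir/boot" "$dir/etc"
    loader_conf > "$dir/boot/loader.conf"
    fstab > "$dir/etc/fstab"
    printf '%s\n' "$dir"
}

if [ "${1:-}" = "setup" ]; then
    prepare_encrypted_disk
    stage_config "${2:-}"
fi
```

Run it as `sh geli-pen-boot.sh setup /tmp/stage`, copy `boot/loader.conf` to the pen-drive's /boot and `etc/fstab` onto the newly created file system on the .eli provider, then install base, kernel and loader to the pen-drive. In this layout the pen-drive is only ever read by the loader: root is mounted straight from the .eli provider, never from the pen-drive, which is why it can be pulled once the kernel is up.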

