Booting a GELI encrypted hard disk

Steve Bertrand iaccounts at
Thu Oct 25 08:56:48 PDT 2007

Pawel Jakub Dawidek wrote:
> On Thu, Oct 25, 2007 at 12:46:53AM +0800, Daniel Marsh wrote:
>> Even if all data on a drive is encrypted, the partition table is not.
>> Software based disk encryption works on partitions.
> That's not true. One can configure full disk encryption using GELI. To
> do it you need to have a small USB pen-drive or CD-ROM with /boot/
> directory, but that's all you need. Then you actually boot from your
> unencrypted pen-drive, but mount all file systems from encrypted disk.
> The pen-drive is not needed for your system to run and you can easily
> take it with you, which is not always the case for your laptop.

This is EXACTLY what I have now. Soon as the machine is booted, my thumb
disk comes with me.

The ONLY information on the thumb drive is /boot, a directory /keys and
an /etc that has only an fstab (to mount the .eli partitions from the
hard disk) and a loader.conf file to locate the keys.

This was originally my objective and I have got it in place. Now the
machine is nearly upgraded to 7.0.
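
The thumb-drive layout described in this message, written out as an added example that is not part of the original post. The disk name ad0, the key file name /keys/ad0.key and the partition letters are assumptions; the geli_*_keyfile0_* loader variables are the ones documented in geli(8).

```conf
# ---- /boot/loader.conf on the pen-drive ----
# Load the GELI class before the kernel tries to mount root.
geom_eli_load="YES"

# Hand the key file to the kernel as a preloaded module so that
# ad0 (assumed disk name) can be attached before / is mounted.
# The key path is relative to the pen-drive, which is the boot device.
geli_ad0_keyfile0_load="YES"
geli_ad0_keyfile0_type="ad0:geli_keyfile0"
geli_ad0_keyfile0_name="/keys/ad0.key"

# Assumption: the provider was initialised with the boot flag
# (geli init -b ...), so it is attached at boot time.

# ---- /etc/fstab on the pen-drive ----
# Every file system comes from the decrypted .eli provider on the
# hard disk; nothing is mounted from the pen-drive itself, so it
# can be removed once the machine is up.
# Device          Mountpoint  FStype  Options  Dump  Pass
/dev/ad0.elia     /           ufs     rw       1     1
/dev/ad0.elib     none        swap    sw       0     0
```

Because the key file sits unencrypted on the pen-drive, combining it with a passphrase keeps a lost or copied drive from being sufficient on its own to attach the disk.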

