Full disk encryption without root partition

mhca12 mhca12 at gmail.com
Sun Dec 30 12:40:09 UTC 2012

On Sun, Dec 30, 2012 at 10:30 AM, David Demelier
<demelier.david at gmail.com> wrote:
> On 28/12/2012 12:29, mhca12 wrote:
>> On Fri, Dec 28, 2012 at 9:33 AM, C-S <c-s at c-s.li> wrote:
>>>> Date: Wed, 26 Dec 2012 22:18:40 +0100
>>>> From: mhca12 <mhca12 at gmail.com>
>>>> To: freebsd-questions at freebsd.org
>>>> Subject: Re: Full disk encryption without root partition
>>>> Message-ID:
>>>> <CAHUOmant1m446mVY85R7EpBd2Pw14gdL03fpmVPMKsrr_epfPw at mail.gmail.com>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>> On Wed, Dec 26, 2012 at 10:17 PM, mhca12 <mhca12 at gmail.com> wrote:
>>>>> Are there any plans or is there already support for full
>>>>> disk encryption without the need for a root partition?
>>>> I am sorry, I certainly meant to write "boot partition".
>>> Yes, it is possible to use GELI for example to do a full disk encryption
>>> and have the boot partition on a USB stick.
>> That would still keep the boot partition as unencrypted, wouldn't it?
> Yes, how would you use your key if the partition is encrypted too?

Either use a USB medium with the key on it or enter a passphrase
at an interactive prompt.

I got interested in this because of OpenBSD's recent bootloader
changes gaining the ability to avoid an unencrypted boot partition.
On Linux systems I have a similar complaint that I have to use
an initramfs (initial ramdisk with the required userland to
unlock the crypt volume). All the crypto code is in the Linux kernel
and presumably also in the BSD's case but the volume header
detection/verification/unlock code seems to be relegated to
userland tools which make it impossible to have just the kernel
do the required work.

Ultimately I'm gathering the state of the art in the BSDs
and Linux to get a full picture.
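The GELI arrangement discussed in this thread (encrypted root, boot partition and key file on a USB stick, optionally combined with a passphrase prompt) as an added worked example; this is not code from the thread or from the FreeBSD project. It assumes the data provider is ada0p3, the USB boot stick is mounted at /mnt/usb, the root filesystem is UFS, and the key file lives under /boot/keys on the stick; those names are illustrative. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: GELI full-disk encryption on FreeBSD with the key file on a
# removable boot stick. Device name (ada0p3), mount point (/mnt/usb) and key
# path are assumptions for illustration. Destructive commands only execute
# when DRY_RUN=0; the default just prints the plan.
set -eu

DRY_RUN="${DRY_RUN:-1}"
BOOT_MNT="${BOOT_MNT:-/mnt/usb}"     # assumed mount point of the USB boot stick
KEYDIR="$BOOT_MNT/boot/keys"

# Print a command; execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "0" ] && "$@"
    return 0
}

# Build the geli init command for a provider.
#   -b        mark the provider so the loader attaches it at boot
#   -K file   use this key file as a key component
#   -P        key file only, no passphrase (omit it to be prompted at boot)
geli_init_cmd() {
    dev="$1"; keyfile="$2"; want_passphrase="$3"
    if [ "$want_passphrase" = "yes" ]; then
        printf 'geli init -b -e AES-XTS -l 256 -s 4096 -K %s /dev/%s' "$keyfile" "$dev"
    else
        printf 'geli init -b -P -e AES-XTS -l 256 -s 4096 -K %s /dev/%s' "$keyfile" "$dev"
    fi
}

# Matching geli attach command (-p: no passphrase, key file only).
geli_attach_cmd() {
    dev="$1"; keyfile="$2"; want_passphrase="$3"
    if [ "$want_passphrase" = "yes" ]; then
        printf 'geli attach -k %s /dev/%s' "$keyfile" "$dev"
    else
        printf 'geli attach -p -k %s /dev/%s' "$keyfile" "$dev"
    fi
}

# loader.conf fragment that makes the loader load the key file from the
# (unencrypted) boot stick and hand it to the geom_eli module, then mount
# the decrypted provider as root (UFS root assumed).
loader_conf_fragment() {
    dev="$1"; keyname="$2"
    cat <<EOF
geom_eli_load="YES"
geli_${dev}_keyfile0_load="YES"
geli_${dev}_keyfile0_type="${dev}:geli_keyfile0"
geli_${dev}_keyfile0_name="/boot/keys/${keyname}"
vfs.root.mountfrom="ufs:/dev/${dev}.eli"
EOF
}

# Whole procedure for one provider: key on the stick, passphrase optional.
plan() {
    dev="$1"; keyname="$2"; want_passphrase="$3"
    keyfile="$KEYDIR/$keyname"
    run mkdir -p "$KEYDIR"
    run dd if=/dev/random of="$keyfile" bs=64 count=1   # 512-bit key component
    run chmod 0600 "$keyfile"
    run $(geli_init_cmd "$dev" "$keyfile" "$want_passphrase")
    run $(geli_attach_cmd "$dev" "$keyfile" "$want_passphrase")
    run newfs "/dev/${dev}.eli"
    printf '# append to %s/boot/loader.conf:\n' "$BOOT_MNT"
    loader_conf_fragment "$dev" "$keyname"
    if [ "$DRY_RUN" = "0" ]; then
        loader_conf_fragment "$dev" "$keyname" >> "$BOOT_MNT/boot/loader.conf"
    fi
}

# Key file on the stick plus a passphrase prompt at boot (two-factor).
plan ada0p3 ada0p3.key yes
```

The key file never touches the encrypted disk: it lives on the stick together with the kernel and loader, which is exactly the unencrypted boot medium the thread is talking about. Removing the `-P`/`-p` flags (the `yes` argument above) keeps the interactive passphrase prompt so that the stick alone is not enough to unlock the disk.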
