Encrypted /boot partition
Anton Yuzhaninov
citrin+bsd at citrin.ru
Sat Sep 10 16:19:30 UTC 2016
On 2016-09-09 21:19, marcel wrote:
>
> Is it possible to install FreeBSD and encrypt the /boot partition? I
> didn't find anything on that... And if not, why?
AFAIK it is not yet possible.
The FreeBSD boot process has several stages:
https://www.freebsd.org/doc/handbook/boot.html
If x86 BIOS (non-UEFI) boot is used, boot0 is started first. It is
located in the MBR and can't be encrypted, because the x86 BIOS doesn't
support encryption.
The boot0 code is very small and has no space to implement support for
encrypted partitions.
The next stages are boot1 and boot2, located in the boot area of the BSD label or in
the freebsd-boot GPT partition. They are also very small, and all they can do is
load /boot/loader from an unencrypted partition.
The loader itself supports geli and can load the kernel from an encrypted partition.
There was work to add geli support to gptboot and gptzfsboot:
http://www.allanjude.com/bsd/AsiaBSDCon2016_geliboot.pdf
But I don't know the current status of this project.
If you need to have the internal HDD fully encrypted, you can use external
(USB stick) media with an unencrypted /boot, which will load the kernel from the
internal HDD.
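As an added illustration (not part of the original thread), the split-media layout described above expressed as the loader and fstab configuration it requires: the unencrypted /boot lives on the USB stick and tells the loader to load the geli module, preload the keyfile and mount root from the attached .eli provider. The device names da0 (USB stick) and ada0p2 (internal geli-protected root), the keyfile path and the fstab layout are assumptions; the loader variable names are the ones documented in the FreeBSD Handbook's geli chapter.

```conf
# /boot/loader.conf on the USB stick (da0): the only unencrypted part of the system.
# Assumed names: da0 = USB stick holding /boot, ada0p2 = geli-protected internal root.
# The root provider must have been initialised with "geli init -b" so the kernel
# tries to attach it (and prompts for the passphrase) before mounting root.
geom_eli_load="YES"                              # load the geli module at boot
geli_ada0p2_keyfile0_load="YES"                  # preload the keyfile for ada0p2
geli_ada0p2_keyfile0_type="ada0p2:geli_keyfile0"
geli_ada0p2_keyfile0_name="/boot/keys/ada0p2.key"   # keyfile stored on the stick (assumed path)
vfs.root.mountfrom="ufs:/dev/ada0p2.eli"         # root is the attached .eli provider

# /etc/fstab on the encrypted root (ada0p2.eli)
# Device           Mountpoint  FStype  Options    Dump  Pass#
/dev/ada0p2.eli    /           ufs     rw         1     1
/dev/da0a          /boot       ufs     rw,noauto  0     0   # mount the stick here before kernel updates
```

Note that the stick then holds the loader, kernel and keyfile, so it is the trust anchor of the whole chain: the internal disk's contents are protected at rest, but the stick itself is not, and it must be kept under the same physical control as the passphrase.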