Encrypted /boot partition

marcel marcel.plouf at gmail.com
Sun Sep 11 04:54:50 UTC 2016


On Sat, 10 Sep 2016 12:19:10 -0400,
Anton Yuzhaninov <citrin+bsd at citrin.ru> wrote:

> On 2016-09-09 21:19, marcel wrote:
> >
> > Is it possible to install FreeBSD and encrypt the /boot partition ?
> > I didn't find anything on that... And if not, why?
> 
> AFAIK it is not yet possible.
> 
> FreeBSD boot process has several stages:
> https://www.freebsd.org/doc/handbook/boot.html
> 
> If x86 BIOS (non-UEFI) boot is used, boot0 is started first. It is
> located in the MBR and can't be encrypted, because the x86 BIOS doesn't
> support encryption.
> The boot0 code is very small and has no space to implement support for
> encrypted partitions.
> 
> The next stages are boot1 and boot2, located in the boot area of the
> BSD label or in the freebsd-boot GPT partition. They are also very
> small, and all they can do is load /boot/loader from an unencrypted
> partition.
> The loader itself supports geli and can load the kernel from an
> encrypted partition.

Ok, thanks for the good explanation!

> 
> There was work to add geli support to gptboot and gptzfsboot:
> http://www.allanjude.com/bsd/AsiaBSDCon2016_geliboot.pdf
> But I don't know the current status of this project.
> 
> If you need to have the internal HDD fully encrypted, you can use
> external (USB stick) media with an unencrypted /boot, which will load
> the kernel from the internal HDD.

Yeah, I'd forgotten this method; someone else reminded me of it, thanks to
you too!

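The workaround Anton describes (unencrypted /boot on a removable USB stick, geli-encrypted root on the internal disk) written out as an added configuration example; this is not from the original thread or from the FreeBSD project. Assumed device names: ada0p2 is the internal partition initialised with `geli init -b` (the -b flag makes the kernel prompt for the passphrase at boot), and da0p1 is the UFS partition on the USB stick that holds /boot. The keyfile lines follow the format documented in geom_eli(4) and are only needed if the provider was initialised with a keyfile (-K) in addition to the passphrase.

```conf
# /boot/loader.conf on the USB stick (unencrypted).
# The loader runs from here, loads the kernel from here, and passes
# the geli module to the kernel so it can attach the encrypted root.
geom_eli_load="YES"

# Optional keyfile kept on the USB stick, handed to the kernel by the
# loader (geom_eli(4) syntax). Omit these three lines if the passphrase
# prompt from 'geli init -b' is the only factor.
geli_ada0p2_keyfile0_load="YES"
geli_ada0p2_keyfile0_type="ada0p2:geli_keyfile0"
geli_ada0p2_keyfile0_name="/boot/keys/ada0p2.key"

# Root is the decrypted .eli provider, not the raw partition.
vfs.root.mountfrom="ufs:/dev/ada0p2.eli"

# /etc/fstab on the encrypted root filesystem (assumed layout).
# /boot is mounted from the stick only when updating the kernel.
#   /dev/ada0p2.eli   /       ufs   rw          1   1
#   /dev/da0p1        /boot   ufs   rw,noauto   0   0
```

This does not make the boot chain encrypted; it moves the unencrypted part (boot code, loader, kernel, modules and any keyfile) onto media you can remove, so the internal disk alone is unreadable without the stick and the passphrase. Whoever holds the stick can replace the loader or kernel, so it should be treated like the key itself.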


