Encrypted /boot partition
marcel.plouf at gmail.com
Sun Sep 11 04:54:50 UTC 2016
On Sat, 10 Sep 2016 12:19:10 -0400,
Anton Yuzhaninov <citrin+bsd at citrin.ru> wrote:
> On 2016-09-09 21:19, marcel wrote:
> > Is it possible to install FreeBSD and encrypt the /boot partition ?
> > I didn't find anything on that... And if not, why ?
> AFAIK it is not yet possible.
> The FreeBSD boot process has several stages:
> If x86 BIOS (non-UEFI) boot is used, boot0 is started first; it is
> located in the MBR and can't be encrypted, because the x86 BIOS doesn't
> support encryption.
> The boot0 code is very small and has no space to implement support for
> encrypted partitions.
> The next stages are boot1 and boot2, located in the boot area of the bsd
> label or in the freebsd-boot GPT partition. They are also very small and
> all they can do is load /boot/loader from an unencrypted partition.
> The loader itself supports geli and can load the kernel from encrypted
Ok, thanks for the good explanation!
> There was work to add geli support to gptboot and gptzfsboot:
> But I don't know the current status of this project.
> If you need to have the internal HDD fully encrypted, you can use
> external (USB stick) media with an unencrypted /boot, which will load
> the kernel from the internal HDD.
Yeah, I'd forgotten this method; someone else reminded me of it, thanks to
you too!
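The quoted explanation starts from boot0, which lives in the 446 bytes of MBR boot code that the BIOS reads before anything else and which cannot be encrypted. The Python below is an added example, not code from this thread or from FreeBSD: it parses a constructed 512-byte MBR, locates the FreeBSD slice (MBR type 0xA5) whose bsdlabel boot area holds boot1/boot2, and hashes the boot-code region so that a digest recorded at install time can be compared later. Integrity checking is the defence that remains at a stage where encryption is not available. The sample sector, its partition geometry and the helper names are all assumptions made for the example.

```python
"""Parse a legacy 512-byte MBR and verify its boot-code region.

Added example, not part of the mailing-list thread or of FreeBSD.
Layout: 446 bytes of boot code (where boot0 sits), four 16-byte
partition entries, then the 0x55AA signature.
"""
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # all the room boot0 has
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"
FREEBSD_SLICE_TYPE = 0xA5     # MBR type id of a FreeBSD slice (bsdlabel inside)


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into its boot code and non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped),
        # LBA of first sector, sector count -- all little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {"boot_code": sector[:BOOT_CODE_SIZE], "partitions": partitions}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the 446-byte region that boot0 occupies."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def boot_code_matches(sector: bytes, known_digest: str) -> bool:
    """Compare the current boot code against a digest recorded at install time."""
    return boot_code_digest(sector) == known_digest


def find_freebsd_slice(parsed: dict) -> Optional[dict]:
    """Return the FreeBSD slice entry; boot1/boot2 live in its bsdlabel boot area."""
    for p in parsed["partitions"]:
        if p["type"] == FREEBSD_SLICE_TYPE:
            return p
    return None


def build_sample_mbr() -> bytes:
    """Constructed sample sector: a placeholder for boot0 plus one active FreeBSD slice.

    The boot-code bytes are a stand-in (jmp + nop sled), not real FreeBSD boot0,
    and the slice geometry (start LBA 2048, 4192256 sectors) is made up."""
    boot_code = b"\xeb\x3c\x90" + b"\x90" * (BOOT_CODE_SIZE - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00",
                        FREEBSD_SLICE_TYPE, b"\x00\x00\x00", 2048, 4192256)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)   # remaining three slots empty
    return boot_code + table + MBR_SIGNATURE


def flip_byte(sector: bytes, offset: int) -> bytes:
    """Return a copy with one byte inverted, to simulate a modified boot sector."""
    buf = bytearray(sector)
    buf[offset] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_mbr()
    parsed = parse_mbr(sample)
    print("FreeBSD slice:", find_freebsd_slice(parsed))
    baseline = boot_code_digest(sample)
    print("boot code intact:", boot_code_matches(sample, baseline))
    print("after tampering:", boot_code_matches(flip_byte(sample, 0), baseline))
```

On a real system the sector would come from reading the first 512 bytes of the disk device, and the baseline digest would be stored somewhere the running system cannot silently rewrite; a changed digest means the unencrypted first stage was altered and the chain into the geli-protected partitions can no longer be trusted.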