Can't boot from encrypted partition
petr.hejl at freedev.cz
Thu Mar 15 23:20:59 UTC 2018
OK, I experimented a little and now I can reply to myself :).
The EFI bootloader (meaning the BOOTX64.EFI) is not yet capable of
unlocking an encrypted device. Either that or the function is not
I went through the steps I described earlier while temporarily switching
my motherboard to CSM mode. The only other difference being:
|- /dev/ada0p1 (freebsd-boot, 128K)
and a bootcode written to the device.
The bootloader asked for the password, unlocked the second partition,
loaded the loader and the machine booted OK. So it's definitely the EFI
One other thing is weird, though. The geli manpage states:
geli init [-bgPTv] ...
However, both -b AND -g options can and probably even have to be given
at the same time. I created the geli container with '-g' only and the
boot process crashed when looking for the ZFS pool "root", stating there
is none. After adding the '-b' via
geli configure -b /dev/ada0p2
it works OK. The bootloader gives some strange error (didn't catch it,
sorry) but succeeds in unlocking the partition anyway. So I'm guessing
it should probably be corrected to
geli init [-bPTv][-g] ...
Does anybody know whether it works for EFI in 11.1-STABLE?
> Hello, FreeBSD community.
> I need help with booting from an encrypted partition. Until now, my EFI
> machine booted from an unencrypted ZFS, while the rest of the system
> resided on an encrypted ZFS. The layout was like this:
> |- /dev/ada0p1 (efi, 800k)
> |- /dev/ada0p2 (freebsd-zfs, 1G)
> |- /dev/ada0p3 (freebsd-zfs, geli-encrypted, 931G)
> That worked OK. Since FreeBSD >= 11.0 should be able to boot an entirely
> encrypted system (let alone the EFI loader, of course), I'd like to get
> to that point (installing 11.1-RELEASE on amd64). So I create my layout
> like this:
> gpart create -s gpt /dev/ada0
> gpart add -t efi -l efi -s 800k /dev/ada0
> gpart add -t freebsd-zfs -l system /dev/ada0
> dd if=/boot/boot1.efifat of=/dev/ada0p1
> geli init -g -l 256 -s 4096 /dev/ada0p2
> So the only difference is that there is no separate partition for /boot
> and the ZFS partition is encrypted with 'geli init -g' rather than 'geli
> init -b'.
> The new layout is then:
> |- /dev/ada0p1 (efi, 800k)
> |- /dev/ada0p2 (freebsd-zfs, geli-encrypted, 931G)
> After that, I install the system as usual, in the way it's always worked.
> geli manpage says:
> " ...
> -g Enable booting from this encrypted root
> filesystem. The boot loader prompts for the
> passphrase and loads loader from the
> encrypted partition.
> The problem is, that it doesn't. When the EFI loader starts, it says it
> can't find any UFS or ZFS partitions, thus no /boot/loader.efi and ends
> panic: No bootable partitions found
> I have no idea what's wrong.
> Thank you for any advice.
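The following script is an added example, not part of either message above, that puts the working configuration from the reply into one reproducible sequence: a GPT disk with a freebsd-boot partition carrying gptzfsboot (the legacy/CSM path), a single freebsd-zfs partition initialised with both `geli init -b` and `geli init -g`, and a pool created on the attached .eli provider. It assumes FreeBSD 11.x with gpart, geli and zpool in PATH; the disk name, pool name, partition label and the 512k boot partition size are assumptions chosen for illustration (the original post used 128K). With DRY_RUN=1 it only prints the commands, which is how the layout can be reviewed before anything is written to a disk.

```shell
#!/bin/sh
# Added example: lay out a disk for a fully geli-encrypted ZFS root that is
# unlocked by gptzfsboot (legacy/CSM boot), following the findings in the
# reply above. Assumes FreeBSD 11.x tools (gpart, geli, zpool). Disk, pool
# name and sizes are assumptions. Set DRY_RUN=1 to print instead of execute.

# Print each command; execute it unless DRY_RUN is set.
run() {
    printf '%s\n' "$*"
    if [ -z "${DRY_RUN:-}" ]; then
        "$@"
    fi
}

# provision_disk DISK [POOL]
#   DISK is the bare device name (e.g. ada0); POOL defaults to zroot (assumption).
provision_disk() {
    disk="$1"
    pool="${2:-zroot}"

    run gpart create -s gpt "$disk"

    # Legacy boot path: gptzfsboot in a freebsd-boot partition is the stage that
    # prompts for the passphrase and loads the loader from the encrypted pool.
    run gpart add -t freebsd-boot -l boot -s 512k "$disk"
    run gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 "$disk"

    # The whole system, /boot included, lives on one encrypted partition.
    run gpart add -t freebsd-zfs -l system "$disk"

    # Both -b (BOOT flag) and -g (GELIBOOT flag), as the reply found necessary;
    # -l 256 and -s 4096 match the key length and sector size of the original post.
    run geli init -b -g -l 256 -s 4096 "/dev/${disk}p2"
    run geli attach "/dev/${disk}p2"

    # Pool on the decrypted provider; altroot keeps it off the live system
    # during installation (mount options beyond that are left to the installer).
    run zpool create -o altroot=/mnt -m none "$pool" "/dev/${disk}p2.eli"
}

# Only act when a target disk is named explicitly, e.g.:
#   DRY_RUN=1 TARGET_DISK=ada0 sh provision.sh
if [ -n "${TARGET_DISK:-}" ]; then
    provision_disk "$TARGET_DISK" "${TARGET_POOL:-zroot}"
fi
```

After the pool exists, the rest of the installation proceeds as usual (bootfs property, /etc/rc.conf, loader.conf with zfs_load and geom_eli_load). `geli list` on the attached provider should show both BOOT and GELIBOOT among the flags; if only one is present, `geli configure -b` or `geli configure -g` adds the other without re-encrypting, as the reply did with `-b`.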