Date: Sun, 11 Sep 2016 06:54:03 +0200
From: marcel <marcel.plouf@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: Encrypted /boot partition
Message-ID: <20160911065403.2e35efad@marcel-laptop.lan>
In-Reply-To: <eeeaf080-8f2e-cdfb-b59c-6f4a3e29f2c0@citrin.ru>
References: <20160910031925.78927b7c@marcel-laptop.lan> <eeeaf080-8f2e-cdfb-b59c-6f4a3e29f2c0@citrin.ru>
On Sat, 10 Sep 2016 12:19:10 -0400, Anton Yuzhaninov <citrin+bsd@citrin.ru> wrote:

> On 2016-09-09 21:19, marcel wrote:
> >
> > Is it possible to install FreeBSD and encrypt the /boot partition?
> > I didn't find anything on that... And if not, why?
>
> AFAIK it is not yet possible.
>
> FreeBSD boot process has several stages:
> https://www.freebsd.org/doc/handbook/boot.html
>
> If x86 BIOS (non-UEFI) boot is used, boot0 is started first;
> it is located in the MBR and can't be encrypted, because x86 BIOS doesn't
> support encryption.
> boot0 code is very small and has no space to implement support of
> encrypted partitions.
>
> Next stages are boot1 and boot2 located in boot area of bsd label or
> in freebsd-boot GPT partition. They are also very small and all they can
> do is load /boot/loader from unencrypted partition.
> Loader itself supports geli and can load kernel from encrypted
> partition.

Ok, thanks for the good explanation!

> There was work to add geli support to gptboot and gptzfsboot:
> http://www.allanjude.com/bsd/AsiaBSDCon2016_geliboot.pdf
> But I don't know current status of this project.
>
> If you need to have internal HDD fully encrypted, you can use
> external (USB stick) media with unencrypted /boot, which will load
> kernel from internal HDD.

Yeah, I'd forgotten this method; someone else reminded me of it. Thanks to you too!

> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"