Date:      Sun, 11 Sep 2016 06:54:03 +0200
From:      marcel <marcel.plouf@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Encrypted /boot partition
Message-ID:  <20160911065403.2e35efad@marcel-laptop.lan>
In-Reply-To: <eeeaf080-8f2e-cdfb-b59c-6f4a3e29f2c0@citrin.ru>
References:  <20160910031925.78927b7c@marcel-laptop.lan> <eeeaf080-8f2e-cdfb-b59c-6f4a3e29f2c0@citrin.ru>

On Sat, 10 Sep 2016 12:19:10 -0400,
Anton Yuzhaninov <citrin+bsd@citrin.ru> wrote:

> On 2016-09-09 21:19, marcel wrote:
> >
> > Is it possible to install FreeBSD and encrypt the /boot partition?
> > I didn't find anything on that... And if not, why?
>
> AFAIK it is not yet possible.
>
> The FreeBSD boot process has several stages:
> https://www.freebsd.org/doc/handbook/boot.html
>
> If x86 BIOS (non-UEFI) boot is used, boot0 is started first.
> It is located in the MBR and can't be encrypted, because the x86 BIOS
> doesn't support encryption.
> The boot0 code is very small and has no space to implement support for
> encrypted partitions.
>
> The next stages are boot1 and boot2, located in the boot area of the
> bsd label or in the freebsd-boot GPT partition. They are also very
> small and all they can do is load /boot/loader from an unencrypted
> partition.
> The loader itself supports geli and can load the kernel from an
> encrypted partition.

OK, thanks for the good explanation!

>
> There was work to add geli support to gptboot and gptzfsboot:
> http://www.allanjude.com/bsd/AsiaBSDCon2016_geliboot.pdf
> But I don't know the current status of this project.
>
> If you need to have the internal HDD fully encrypted, you can use
> external (USB stick) media with an unencrypted /boot, which will load
> the kernel from the internal HDD.

Yeah, I'd forgotten this method; someone else reminded me of it. Thanks
to you too!
