Date: Sat, 10 Sep 2016 12:19:10 -0400
From: Anton Yuzhaninov <citrin+bsd@citrin.ru>
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: Encrypted /boot partition
Message-ID: <eeeaf080-8f2e-cdfb-b59c-6f4a3e29f2c0@citrin.ru>
In-Reply-To: <20160910031925.78927b7c@marcel-laptop.lan>
References: <20160910031925.78927b7c@marcel-laptop.lan>
On 2016-09-09 21:19, marcel wrote:
> Is it possible to install FreeBSD and encrypt the /boot partition? I
> didn't find anything on that... And if not, why?

AFAIK it is not yet possible. FreeBSD boot process has several stages:
https://www.freebsd.org/doc/handbook/boot.html

If x86 BIOS (non-UEFI) boot is used, boot0 is started first. It is located in the MBR and can't be encrypted, because the x86 BIOS doesn't support encryption. boot0 code is very small and has no space to implement support for encrypted partitions.

Next stages are boot1 and boot2, located in the boot area of the bsd label or in the freebsd-boot GPT partition. They are also very small and all they can do is load /boot/loader from an unencrypted partition.

Loader itself supports geli and can load the kernel from an encrypted partition.

There was work to add geli support to gptboot and gptzfsboot:
http://www.allanjude.com/bsd/AsiaBSDCon2016_geliboot.pdf
But I don't know the current status of this project.

If you need to have the internal HDD fully encrypted, you can use external (USB stick) media with unencrypted /boot, which will load the kernel from the internal HDD.
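As an added illustration of the workaround above (not from the thread or from FreeBSD's own documentation), this is the /boot/loader.conf that would live on the unencrypted USB stick so that /boot/loader attaches the geli provider on the internal disk and mounts root from it. The provider name ada0p2, the key file path and the UFS root are assumptions; the geli_<provider>_keyfile0_* variable names follow geli(8).

```conf
# /boot/loader.conf on the unencrypted USB stick (assumed layout).
# The stick holds loader and the kernel; the internal disk holds
# the geli-encrypted root on ada0p2 (assumed provider name).

# Load the geli module so loader/kernel can attach the encrypted provider.
geom_eli_load="YES"
# Optional: hardware AES acceleration if the CPU supports it.
aesni_load="YES"

# Key file for ada0p2, stored on the stick. Whoever holds the stick plus
# the passphrase can unlock the disk, so the stick is part of the secret.
geli_ada0p2_keyfile0_load="YES"
geli_ada0p2_keyfile0_type="ada0p2:geli_keyfile0"
geli_ada0p2_keyfile0_name="/boot/keys/ada0p2.key"

# Mount the decrypted provider (.eli suffix) as the root filesystem.
vfs.root.mountfrom="ufs:/dev/ada0p2.eli"
```

The provider must have been created with the boot flag (geli init -b) so the kernel prompts for the passphrase and attaches it before mounting root; the stick itself stays unencrypted, which is exactly the limitation the reply describes.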