Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 10 Sep 2016 12:19:10 -0400
From:      Anton Yuzhaninov <citrin+bsd@citrin.ru>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: Encrypted /boot partition
Message-ID:  <eeeaf080-8f2e-cdfb-b59c-6f4a3e29f2c0@citrin.ru>
In-Reply-To: <20160910031925.78927b7c@marcel-laptop.lan>
References:  <20160910031925.78927b7c@marcel-laptop.lan>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 2016-09-09 21:19, marcel wrote:
>
> Is it possible to install FreeBSD and encrypt the /boot partition ? I
> did'nt find anything on that... And if not, why ?

AFAIK it is not yet possible.

FreeBSD boot process has several stages:
https://www.freebsd.org/doc/handbook/boot.html

If x86 BIOS (non-UEFI) boot is used, first started boot0
it located in MBR and can't be encrypted, because x86 BIOS doesn't 
support encryption.
boot0 code is very small and has no space to implement support of 
encrypted partitions.

Next stages are boot1 and boot2 located in boot area of bsd label or in 
freebsd-boot GPT partition. They also very small and all they can do is 
load /boot/loader from unencrypted partition.
Loader itself supports geli and can load kernel from encrypted partition.

There was work to add geli spupport to gptboot and gptzfsboot:
http://www.allanjude.com/bsd/AsiaBSDCon2016_geliboot.pdf
But I don't know current status of this project.

If your need to have internal HDD fully encrypted, your can use external 
(USB stick) media with unencrypted /boot, which will load kernel from 
internal HDD.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?eeeaf080-8f2e-cdfb-b59c-6f4a3e29f2c0>