From owner-freebsd-questions@FreeBSD.ORG Sun Dec 30 12:40:09 2012
Date: Sun, 30 Dec 2012 13:40:02 +0100
From: mhca12
To: David Demelier
Cc: freebsd-questions@freebsd.org
Subject: Re: Full disk encryption without root partition
In-Reply-To: <50E009D3.5080202@gmail.com>
References: <9295e7e163201a1fa49bf67543c7304d.squirrel@webmail.319.ch> <50E009D3.5080202@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Sun, Dec 30, 2012 at 10:30 AM, David Demelier wrote:
> On 28/12/2012 12:29, mhca12 wrote:
>> On Fri, Dec 28, 2012 at 9:33 AM, C-S wrote:
>>>> Date: Wed, 26 Dec 2012 22:18:40 +0100
>>>> From: mhca12
>>>> To: freebsd-questions@freebsd.org
>>>> Subject: Re: Full disk encryption without root partition
>>>>
>>>> On Wed, Dec 26, 2012 at 10:17 PM, mhca12 wrote:
>>>>> Are there any plans or is there already support for full
>>>>> disk encryption without the need for a root partition?
>>>>
>>>> I am sorry, I certainly meant to write "boot partition".
>>>
>>> Yes, it is possible to use GELI for example to do a full disk encryption
>>> and have the boot partition on a USB stick.
>>
>> That would still keep the boot partition as unencrypted, wouldn't it?
>
> Yes, how would you use your key if the partition is encrypted too?

Either use a USB medium with the key on it or enter a passphrase at an
interactive prompt.

I got interested in this because of OpenBSD's recent bootloader changes
gaining the ability to avoid an unencrypted boot partition.

On Linux systems I have a similar complaint that I have to use an initramfs
(initial ramdisk with the required userland to unlock the crypt volume). All
the crypto code is in the Linux kernel and presumably also in the BSDs' case,
but the volume header detection/verification/unlock code seems to be relegated
to userland tools, which makes it impossible to have just the kernel do the
required work.

Ultimately I'm gathering the state of the art in the BSDs and Linux to get a
full picture.
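The GELI arrangement C-S and mhca12 describe above (encrypted root on the internal disk, /boot and the key file on a removable USB stick, with an interactive passphrase as a second factor), written out as an added example that is not part of the thread. It assumes ada0p2 is the root provider, that the stick's boot filesystem is mounted at /mnt/usbboot, and that geli(8)'s loader.conf key-file variables are used; as the thread notes, the stick's boot partition and the key file on it remain unencrypted.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Provisions a GELI root
# whose key file and /boot live on a USB stick (assumed device names).
set -eu

ROOT_PROV="${ROOT_PROV:-ada0p2}"      # assumed: encrypted root provider
BOOTMNT="${BOOTMNT:-/mnt/usbboot}"    # assumed: USB stick's boot fs mount point
KEYFILE="$BOOTMNT/boot/keys/$ROOT_PROV.key"   # path while the stick is mounted
LOADER_KEYPATH="/boot/keys/$ROOT_PROV.key"    # same file as the loader sees it

# Render the loader.conf lines that make the loader read the key file from
# the (unencrypted) USB boot partition and hand it to the kernel at boot.
# Kept as a pure function so it can be checked without touching devices.
render_loader_conf() {
    prov="$1"; keyfile="$2"
    printf 'geom_eli_load="YES"\n'
    printf 'geli_%s_keyfile0_load="YES"\n' "$prov"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$prov" "$prov"
    printf 'geli_%s_keyfile0_name="%s"\n' "$prov" "$keyfile"
}

# Two-factor variant: key file on the stick AND a passphrase typed at the
# loader prompt. Using "geli init -P" instead would drop the passphrase and
# make possession of the stick sufficient to unlock the disk.
provision() {
    mkdir -p "$(dirname "$KEYFILE")"
    dd if=/dev/random of="$KEYFILE" bs=64 count=1
    chmod 0400 "$KEYFILE"
    # -b: attach at boot (the loader asks for the passphrase)
    # -K: add the key file as a key component; -s: 4 KiB sectors
    geli init -b -K "$KEYFILE" -s 4096 "/dev/$ROOT_PROV"
    render_loader_conf "$ROOT_PROV" "$LOADER_KEYPATH" \
        >> "$BOOTMNT/boot/loader.conf"
}

# Only provision when explicitly asked, so the script is safe to source.
if [ "${1:-}" = "provision" ]; then
    provision
fi
```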