Date: Sun, 30 Dec 2012 13:40:02 +0100
From: mhca12 <mhca12@gmail.com>
To: David Demelier <demelier.david@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Full disk encryption without root partition
Message-ID: <CAHUOmamWM=Z3QNJRSKqZyOG8kKmFDRzUT1NqbV-uigwQ=ZuPMQ@mail.gmail.com>
In-Reply-To: <50E009D3.5080202@gmail.com>
References: <mailman.55.1356609602.77238.freebsd-questions@freebsd.org> <9295e7e163201a1fa49bf67543c7304d.squirrel@webmail.319.ch> <CAHUOmanb=xJx7mptkxsC72tvej-Jr2LqWFwT=UEdXJoNHu-Eaw@mail.gmail.com> <50E009D3.5080202@gmail.com>
On Sun, Dec 30, 2012 at 10:30 AM, David Demelier <demelier.david@gmail.com> wrote:
> On 28/12/2012 12:29, mhca12 wrote:
>>
>> On Fri, Dec 28, 2012 at 9:33 AM, C-S <c-s@c-s.li> wrote:
>>>
>>>> Date: Wed, 26 Dec 2012 22:18:40 +0100
>>>> From: mhca12 <mhca12@gmail.com>
>>>> To: freebsd-questions@freebsd.org
>>>> Subject: Re: Full disk encryption without root partition
>>>> Message-ID: <CAHUOmant1m446mVY85R7EpBd2Pw14gdL03fpmVPMKsrr_epfPw@mail.gmail.com>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>> On Wed, Dec 26, 2012 at 10:17 PM, mhca12 <mhca12@gmail.com> wrote:
>>>>>
>>>>> Are there any plans or is there already support for full
>>>>> disk encryption without the need for a root partition?
>>>>
>>>> I am sorry, I certainly meant to write "boot partition".
>>>>
>>>
>>> Yes, it is possible to use GELI for example to do a full disk encryption
>>> and have the boot partition on a USB stick.
>>
>> That would still keep the boot partition as unencrypted, wouldn't it?
>
> Yes, how would you use your key if the partition is encrypted too?

Either use a USB medium with the key on it or enter a passphrase at an
interactive prompt.

I got interested in this because of OpenBSD's recent bootloader changes
gaining the ability to avoid an unencrypted boot partition.

On Linux systems I have a similar complaint that I have to use an
initramfs (initial ramdisk with the required userland to unlock the
crypt volume). All the crypto code is in the Linux kernel and presumably
also in the BSDs' case, but the volume header detection/verification/unlock
code seems to be relegated to userland tools, which makes it impossible to
have just the kernel do the required work.

Ultimately I'm gathering the state of the art in the BSDs and Linux to
get a full picture.
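The two unlock methods named in the reply above (a key file on the removable boot medium, or an interactive passphrase at boot) map onto GELI on FreeBSD as shown in the following script. This is an added example, not code from the thread or from FreeBSD's own documentation; the provider name ada0p2, the /boot/keys path and the assumption that /boot is the unencrypted USB stick are all hypothetical. The geli flags and loader.conf variable names are the documented ones. The defender's caveat the thread circles around still holds: the loader and the key file live unencrypted on the stick, so in key-file-only mode the stick is the entire secret, and in passphrase mode it is one of two factors.

```shell
#!/bin/sh
# Added example (not from the thread): GELI setup for a root provider whose
# boot files and key file live on an unencrypted USB boot stick.
# Assumptions: provider ada0p2, key under /boot/keys, /boot is the stick.
set -eu

# Print the /boot/loader.conf lines that make the loader read the key file
# from the boot medium and hand it to geli before the root provider attaches.
geli_loader_conf() {
    prov="$1"
    key="$2"
    printf 'geom_eli_load="YES"\n'
    printf 'geli_%s_keyfile0_load="YES"\n' "$prov"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$prov" "$prov"
    printf 'geli_%s_keyfile0_name="%s"\n' "$prov" "$key"
}

# geli init flags for the chosen unlock method:
#   passphrase -> key file AND boot-time passphrase prompt (two factors)
#   keyfile    -> key file only (-P), boots unattended; the stick is the whole secret
geli_init_flags() {
    mode="$1"
    case "$mode" in
        passphrase) printf '%s' '-b -s 4096' ;;
        keyfile)    printf '%s' '-b -P -s 4096' ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Create the key on the boot stick, initialise and attach the provider, and
# append the loader settings. Only meaningful on a FreeBSD host, as root.
geli_setup_provider() {
    prov="$1"
    key="$2"
    mode="${3:-passphrase}"
    command -v geli >/dev/null 2>&1 || { echo "geli not available here" >&2; return 1; }
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key $key" >&2
        return 1
    fi
    mkdir -p "$(dirname "$key")"
    dd if=/dev/random of="$key" bs=64 count=1   # 512-bit key file
    chmod 600 "$key"
    # -b: attach at boot, -K: key file, -s: sector size, -P: no passphrase
    # shellcheck disable=SC2046
    geli init $(geli_init_flags "$mode") -K "$key" "/dev/$prov"
    geli attach -k "$key" "/dev/$prov"          # prompts for the passphrase in passphrase mode
    geli_loader_conf "$prov" "$key" >> /boot/loader.conf
}

# Usage on a FreeBSD host:
#   sh geli-boot.sh setup ada0p2 /boot/keys/ada0p2.key passphrase
if [ "${1:-}" = "setup" ]; then
    geli_setup_provider "$2" "$3" "${4:-passphrase}"
fi
```

Running with no arguments only defines the functions, so the loader.conf generator can be inspected on any host; the destructive part (`geli init`) runs only when invoked with `setup` and only where the `geli` tool exists.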