From owner-freebsd-security@FreeBSD.ORG Fri Jun 15 15:05:50 2012
From: Matt Piechota <piechota@argolis.org>
Date: Fri, 15 Jun 2012 10:04:43 -0400
To: freebsd-security@freebsd.org
Subject: Re: Pre-boot authentication / geli-aware bootcode
Message-id: <4FDB40FB.2090806@argolis.org>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

On 06/15/2012 09:39 AM, Aaron Zauner wrote:
> AFAIK you'd need something similar to initrd
> (http://en.wikipedia.org/wiki/Initrd), which, to the best of my
> knowledge, does not currently exist in freebsd.
>

Even that leaves the initrd (and /boot) unencrypted (as in Linux). The Windowsy ones I've seen appear to load the decryption driver right out of the MBR and work from there.

I haven't done a detailed investigation of it, but I think TrueCrypt does work this way and is FOSS (although with their own license that requires attribution and whatnot). http://www.truecrypt.org/legal/license

-- 
Matt Piechota