From: "Simon L. B. Nielsen"
To: Robert Simmons
Cc: freebsd-security@freebsd.org
Date: Fri, 15 Jun 2012 18:40:30 +0100
Subject: Re: Pre-boot authentication / geli-aware bootcode

On Jun 11, 2012 1:22 AM, "Robert Simmons" wrote:
>
> Would it be possible to make FreeBSD's bootcode aware of geli encrypted volumes?
>
> I would like to enter the password and begin decryption so that the
> kernel and /boot are inside the encrypted volume. Ideally the only
> unencrypted area of the disk would be the gpt protected mbr and the
> bootcode.
>
> I know that Truecrypt is able to do something like this with its
> truecrypt boot loader, is something like this possible with FreeBSD
> without using Truecrypt?

I just booted off a USB flash key. Then your entire drive can be encrypted.

--
Simon L. B. Nielsen
Mobile