From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Sun, 10 Jun 2012 20:21:54 -0400
Subject: Pre-boot authentication / geli-aware bootcode

Would it be possible to make FreeBSD's bootcode aware of geli encrypted volumes?
I would like to enter the password and begin decryption so that the kernel and /boot are inside the encrypted volume. Ideally the only unencrypted area of the disk would be the GPT protected MBR and the bootcode. I know that TrueCrypt is able to do something like this with its TrueCrypt boot loader. Is something like this possible with FreeBSD without using TrueCrypt?