From: Anton Yuzhaninov
To: freebsd-questions@freebsd.org
Subject: Re: Encrypted /boot partition
Date: Sat, 10 Sep 2016 12:19:10 -0400
In-Reply-To: <20160910031925.78927b7c@marcel-laptop.lan>

On 2016-09-09 21:19, marcel wrote:
>
> Is it possible to install FreeBSD and encrypt the /boot partition? I
> didn't find anything on that... And if not, why?

AFAIK it is not yet possible. The FreeBSD boot process has several stages:
https://www.freebsd.org/doc/handbook/boot.html

If x86 BIOS (non-UEFI) boot is used, the first stage started is boot0; it is located in the MBR and can't be encrypted, because the x86 BIOS doesn't support encryption. The boot0 code is very small and has no space to implement support for encrypted partitions.

The next stages are boot1 and boot2, located in the boot area of the BSD label or in the freebsd-boot GPT partition. They are also very small, and all they can do is load /boot/loader from an unencrypted partition. The loader itself supports geli and can load the kernel from an encrypted partition.

There was work to add geli support to gptboot and gptzfsboot:
http://www.allanjude.com/bsd/AsiaBSDCon2016_geliboot.pdf
But I don't know the current status of this project.

If you need to have the internal HDD fully encrypted, you can use external media (a USB stick) with an unencrypted /boot, which will load the kernel from the internal HDD.
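The "unencrypted /boot on a removable stick, geli-encrypted root on the internal disk" arrangement from the reply above, written out as a script. This is an added example, not code from the mail or from the FreeBSD project. Everything concrete in it is an assumption: the internal disk is GPT with a freebsd-ufs partition ada0p2 reserved for root, the USB stick has a UFS partition already mounted at /mnt/usbboot, and the geli keyfile plus the whole /boot tree (loader, kernel, loader.conf) live on the stick, so the kernel is also read from the stick rather than from the internal disk. It runs in dry-run mode by default and only prints the commands; DRY_RUN=0 executes them, which needs root on FreeBSD and destroys whatever is on the root partition.

```shell
#!/bin/sh
# Added example (not from the original mail): unencrypted /boot on a USB
# stick, geli-encrypted root on the internal disk.
# Assumptions (not stated in the mail): internal root partition ada0p2,
# USB stick partition mounted at $USB_MNT, keyfile and /boot on the stick.
# DRY_RUN=1 (default) prints commands; DRY_RUN=0 runs them as root on
# FreeBSD and WILL destroy the data on $ROOT_PART.
set -eu

ROOT_PART="${ROOT_PART:-ada0p2}"
USB_MNT="${USB_MNT:-/mnt/usbboot}"
KEYFILE="$USB_MNT/boot/encryption.key"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# loader.conf for the stick: load geom_eli, hand the kernel the keyfile and
# say where the encrypted root is. The loader reads /boot/loader.conf
# relative to the filesystem it booted from, i.e. the stick.
loader_conf_for() {
    part="$1"
    printf 'geom_eli_load="YES"\n'
    printf 'geli_%s_keyfile0_load="YES"\n' "$part"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$part" "$part"
    printf 'geli_%s_keyfile0_name="/boot/encryption.key"\n' "$part"
    printf 'vfs.root.mountfrom="ufs:/dev/%s.eli"\n' "$part"
}

# fstab entry for the encrypted root: the kernel mounts the decrypted
# provider /dev/<part>.eli, never the raw partition.
fstab_for() {
    printf '/dev/%s.eli\t/\tufs\trw\t1\t1\n' "$1"
}

# The keyfile must be readable before the root is decrypted, so it has to
# sit on the stick; a keyfile inside the encrypted volume is unreachable
# at boot. Returns 0 when the path is under the stick's mount point.
keyfile_on_stick() {
    case "$1" in
        "$USB_MNT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

setup() {
    keyfile_on_stick "$KEYFILE" || {
        echo "keyfile must live on the USB stick, not on $ROOT_PART" >&2
        return 1
    }
    run mkdir -p "$USB_MNT/boot"
    # 64 random bytes as key material, readable by root only.
    run dd if=/dev/random of="$KEYFILE" bs=64 count=1
    run chmod 0600 "$KEYFILE"
    # -b: attach at boot, before root is mounted (kernel prompts for the
    # passphrase); -K: require the keyfile as well; AES-XTS, 256-bit key;
    # 4 KiB sectors to cut per-sector overhead.
    run geli init -b -e AES-XTS -l 256 -s 4096 -K "$KEYFILE" "/dev/$ROOT_PART"
    run geli attach -k "$KEYFILE" "/dev/$ROOT_PART"
    run newfs -U "/dev/$ROOT_PART.eli"
    if [ "$DRY_RUN" = 1 ]; then
        echo "# would write $USB_MNT/boot/loader.conf:"
        loader_conf_for "$ROOT_PART"
        echo "# would write /etc/fstab on the new root:"
        fstab_for "$ROOT_PART"
    else
        loader_conf_for "$ROOT_PART" > "$USB_MNT/boot/loader.conf"
        # The new root is not mounted yet at this point; the fstab line is
        # printed so it can be copied in once the installer has mounted it.
        fstab_for "$ROOT_PART"
    fi
    echo "# next: copy /boot (loader, kernel, modules) to $USB_MNT/boot and install bootcode on the stick"
}

setup
```

Two things the script enforces that are easy to get wrong by hand: the keyfile path is rejected unless it is under the stick's mount point, and the root is always referenced as the `.eli` provider in both loader.conf and fstab. Anything a BIOS-stage bootloader has to read (boot0, gptboot, the loader, and here the kernel too) stays on the stick, which is exactly the limitation the reply describes; the stick then becomes the thing that needs physical protection.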