Date: Thu, 14 Jun 2012 19:33:36 -0400
From: Robert Simmons
To: freebsd-geom@freebsd.org
Subject: Pre-boot authentication / geli-aware bootcode

I posted this question to security, but all I got back was the sound of crickets... Would it be possible to make FreeBSD's bootcode aware of geli encrypted volumes?
I would like to enter the password and begin decryption so that the kernel and /boot are inside the encrypted volume. Ideally the only unencrypted area of the disk would be the GPT protected MBR and the bootcode. I know that TrueCrypt is able to do something like this with its TrueCrypt boot loader. Is something like this possible with FreeBSD without using TrueCrypt?