# "Real" Full Disk Encryption like in PC-BSD: Is it possible



## LuciferSam86 (Jul 18, 2014)

Hello everybody.

Since with PC-BSD it seems I have some problems (already open a ticket on their forums) I wish to try with FREEBSD 10.0-RELEASE the following thing. is it possible to encrypt the disk (even with /boot partition) with the ZFS+GPT scheme+GELI? From what *I* have read GRUB asks the password to decrypt the ZFS pool. Is there a guide to achieve the same thing on FreeBSD, or is it just useless to encrypt the /boot partition?

PS: The problem I have is GRUB that does not show up, and leaving the computer frozen (but I think, that the PC-BSD community should be able to answer this problem)


----------



## fonz (Jul 18, 2014)

*Re: "Real" Full Disk Encryption like in PC-BSD: Is it possib*

For starters please note that, although probably not technically impossible, a separate /boot filesystem doesn't make a whole lot of sense with FreeBSD. A separate /: yes. A separate /boot: no. That's more of a Linux thing.

But second - and more to the point - as far as I know GELI still requires some unencrypted _root_ partition to boot from. It doesn't have to be the actual system's root partition; a temporary root partition that is only being used to boot from will do just fine. In fact, a typical setup involves a root partition on a USB flash drive that can be removed after the system has booted (so there would be no plaintext on the harddrive at all). But in any case, to reiterate, last time I checked it was still necessary to have some plaintext root partition to boot from. That partition can contain a line in /boot/loader.conf that looks like this:
	
	



```
vfs.root.mountfrom="ufs:/dev/actual_root_partition"
```
 where /dev/actual_root_partition is of course the system's actual real root partition. Still, as far as I know you do need something unencrypted to boot from, whether it's on a removable device (USB flash drive, SD card, etc.) or not.


----------



## kpa (Jul 18, 2014)

*Re: "Real" Full Disk Encryption like in PC-BSD: Is it possib*

Yes, there is absolutely no way to work around the requirement that the initial boot device must be unencrypted so that the kernel and other files required for booting can be loaded. The bootcode and the FreeBSD loader(8) are not GELI aware (in other words, can not decrypt the GELI encrypted data) and can not be made so because they run in what is known as "real mode" and not in "protected" mode that is not available until the kernel starts running.

https://en.wikipedia.org/wiki/Real_mode

https://en.wikipedia.org/wiki/Protected_mode

The solution that uses GRUB is essentially the same. There's a small unencrypted slice at the beginning of the disk for GRUB and the kernel and other needed files and GRUB implements itself the loading of the FreeBSD kernel just like loader(8) does and asks for the GELI password before launching the kernel. It's still not a full disk encryption because the GRUB slice has to be unencrypted.


----------



## asteriskRoss (Jul 18, 2014)

*Re: "Real" Full Disk Encryption like in PC-BSD: Is it possib*



			
				fonz said:
			
		

> For starters please note that, although probably not technically impossible, a separate /boot filesystem doesn't make a whole lot of sense with FreeBSD.


I install FreeBSD on my laptops with a separate (unencrypted) filesystem for /boot.  The advantage is that there is minimal chance of leaving sensitive information on the unencrypted portion of the disk; stashing things in /root and knowing that they are encrypted can be useful.  The disadvantage is that if you can't decrypt the GELI provider, there is no opportunity for single user mode, as the necessary files are encrypted.



			
				fonz said:
			
		

> In fact, a typical setup involves a root partition on a USB flash drive that can be removed after the system has booted (so there would be no plaintext on the harddrive at all).


If you want a fully encrypted hard disk then putting the /boot files on a removable disk is the way to go.  A laptop can be bulky to carry everywhere whereas a memory stick can easily come with you.  I left my unencrypted /boot on the hard disk since I decided that I'm concerned about laptop loss or theft, not attention from the kind of attacker who is capable of maliciously and surreptitiously modifying the FreeBSD bootloader or kernel.


----------



## Kiiski (Jul 19, 2014)

*Re: "Real" Full Disk Encryption like in PC-BSD: Is it possib*

You can find a tutorial about this at BSDNow: http://www.bsdnow.tv/tutorials/fde


----------



## pkubaj (Jul 19, 2014)

*Re: "Real" Full Disk Encryption like in PC-BSD: Is it possib*

Of course it's possible to encrypt the whole disk - just not with FreeBSD. OpenBSD recently added such a feature and, I believe, it's the only OS now that can do it. If you need such a feature, go for OpenBSD.


----------



## kpa (Jul 19, 2014)

*Re: "Real" Full Disk Encryption like in PC-BSD: Is it possib*



			
				pkubaj said:
			
		

> Of course it's possible to encrypt the whole disk - just not with FreeBSD. OpenBSD recently added such feature and, I believe, it's the only OS now that can do it. If you need such a feature, go for OpenBSD.



Whatever they are doing can not be 100% disk encryption for the reasons I stated above. The BIOS or UEFI has to be able to read the bootloader and the bootloader has to establish enough of the environment to be able to read the kernel and possible encryption keys in order to boot. I have a hard time believing that their boot loader is able to access the encrypted provider directly but if someone can show that it can then be my guest.


----------



## Oko (Jul 19, 2014)

*Re: "Real" Full Disk Encryption like in PC-BSD: Is it possib*



			
				pkubaj said:
			
		

> Of course it's possible to encrypt the whole disk - just not with FreeBSD. OpenBSD recently added such a feature and, I believe, it's the only OS now that can do it. If you need such a feature, go for OpenBSD.


I could care less if it is possible on FreeBSD but I would like to correct you regarding OpenBSD. Of course it is NOT possible to encrypt the whole disk because the BIOS, PROM or whatever firmware you are using has to see the boot loader as somebody already said in this thread. What OpenBSD does is leaving the smallest practically possible part of the disk unencrypted containing meta data about the encrypted softRAID which will allow you to bootstrap OpenBSD.


----------



## nakal (Jul 20, 2014)

*Re: "Real" Full Disk Encryption like in PC-BSD: Is it possib*

I've been playing with different encryption schemes for ages and from my experience I can fully support what @asteriskRoss has said on this topic.


----------

