# Single user mode + ZFS full disk encryption security?



## Eponymous (May 28, 2016)

Hi,

I'm fairly new to FreeBSD and was just wanting to confirm one thing.

Am I right in assuming that if I have ZFS set up with GELI encryption on the root and swap that single user mode is in effect - secure, without having to change the console entry in /etc/ttys?

I've just noticed that I still have:

```
/etc/ttys:

console none                            unknown off secure
```

And am concerned someone is able to get full access to the system, but I'm not sure as I set up ZFS full disk encryption at install.

Sorry if this is an obvious question but I've not found anything concrete in the documentation/handbook.


----------



## atomicbeef (May 28, 2016)

Hello Eponymous,

Since your disk is encrypted with GELI, you would need to provide a keyfile or password in order to mount it. Once the disk is mounted, the boot process continues as it normally does when booting into single user mode. Without making the console `insecure`, you'll still be able to get a root shell without a password and do whatever you want to the system. Disk encryption only prevents people from accessing the data on the encrypted medium when it is not mounted. Once it is mounted, disk encryption will not provide any security over a non encrypted disk. In your case, you'll probably be fine with leaving the console as `secure`, but if you are really paranoid, you should make the console `insecure`.


----------

