# FreeBSD + GELI with /boot on a separate USB dongle



## Pinch (Mar 26, 2013)

Hello.

I'm currently working on my homeserver, which needs to be fully encrypted. I thought of encrypting my internal *SSD* with *GELI* and using a few GELI + ZFS drives for storage. But none of the setup guides covered the aspect of */boot on a separate USB dongle*, only plugged in during the boot process.

There are only a few questions remaining until I feel prepared enough to start the setup:

How do I boot with the bootloader installed in the MBR of the SSD from my USB dongle with the /boot partition?
The handbook states, that key files are used to encrypt, in addition to a passphrase, the master key. Is it possible to encrypt the key file with GnuPGP as I would with GNU/Linux?
Is there a more rational way to realize a fully encrypted FreeBSD system?

Thanks.


----------



## xy16644 (Mar 26, 2013)

I have also often wondered about having /boot on a separate USB stick (with an encryption key).


----------



## kpa (Mar 26, 2013)

In general you can't have /boot on a separate filesystem.  You can't boot directly from an encrypted filesystem so in case of a GELI encrypted system the boot media must be unencrypted to load the kernel and the keys in the first place.

The usual trick is to have just enough of a working system on the boot media (for example an USB memory stick), basically just the /boot folder with /boot/loader.conf that directs the boot blocks to load the kernel from the USB memory stick plus the necessary settings and key files for GELI.

When the kernel is launched the root filesystem is set to the encrypted root filesystem. The kernel knows that it's a GELI encrypted filesystem and uses the pre-loaded keys before trying to access the filesystem.

On the running system the memory stick is mounted at (for example) /bootdir and /boot is a symbolic link to /bootdir/boot so that any modifications to boot settings are synced to the USB memory stick.


----------



## Pinch (Mar 26, 2013)

kpa said:
			
		

> In general you can't have /boot on a separate filesystem.



You mean the bootloader can't boot from a /boot partition on a different drive?



			
				kpa said:
			
		

> You can't boot directly from an encrypted filesystem so in case of a GELI encrypted system the boot media must be unencrypted to load the kernel and the keys in the first place.



That's exactly why I want to the /boot partition to be installed on my USB thumb drive to carry around with. So you mean I should run the root partition on a separate drive (from the bootloader's and BIOS' point of view)?


----------



## kpa (Mar 26, 2013)

I mean you can't do this in /etc/fstab:


```
/some/device /boot ufs rw 1 2
```

The boot loaders look for the /boot/loader binary from the first slice, a partition of the disk that the system is booting from, in case of GPT the procedure is a bit different because with GPT there are no slices and partitions are identified by type.


----------



## fonz (Mar 26, 2013)

As said by @kpa: the drive you're booting from needs *a* root filesystem containing /boot. If it's on a USB pen drive then said pen drive can be removed after during/after booting as soon as the real (decrypted) root filesystem has been mounted, but still it needs at least a _temporary_ root filesystem to boot from.


----------

