# Removing kernel level encryption



## ronaldlees (Dec 7, 2015)

There are several countries where being in possession of a disk-encryption capable computer lands you in jail.  Is there any way to *completely* remove kernel level encryption from FreeBSD? I can handle the userland culling myself.

Note this country has good relations with the US, and is not on any list.


----------



## Jeckt (Dec 7, 2015)

Is WITHOUT_CRYPT=1 in /etc/src.conf what you're looking for? (see man page for src.conf(5)).


----------



## ronaldlees (Dec 7, 2015)

Jeckt said:


> Is WITHOUT_CRYPT=1 in /etc/src.conf what you're looking for? (see man page for src.conf(5)).



Jeckt: Thanks for the information. Those seem to be mostly userland build options, and look like they keep OpenSSL, OpenSSH, and Kerberos out of the picture.  But I wonder about GEOM/GELI disk encryption in the kernel. If "device crypto, GEOM_ELI, GEOM_BDE" or any other crypto options are missing from kernel conf, then what? Looking at the crypto man page, it does imply that crypto is supplied by drivers, and is not contained in the kernel.  I want to make sure it's clean. I guess I could try it and see.

I just want to make sure there's *nothing* in the kernel that is crypto related, with the exception of one way hashes.  I'd have to ditch all the crypto related modules, clean up userland, etc.


----------



## Jeckt (Dec 7, 2015)

Those are the two I'd think you'd have to worry about, as ZFS currently doesn't support encryption on FreeBSD, although I'd have to wonder if fuse wouldn't also qualify.  The src.conf options are:

```
WITHOUT_MODULES+= geom_eli geom_bde
```
The modules are in /boot/kernel/, but don't forget to remove the *.ko files in older kernel versions as well.


----------



## ronaldlees (Dec 7, 2015)

You're right about fuse.  Also IPSEC in GENERIC has to go away.  None of this gives me a warm fuzzy.  Maybe Beastie needs to stay at home.


----------
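The two places the thread points at are the kernel config (`device crypto`, `GEOM_ELI`, `GEOM_BDE`, `IPSEC`) and `/etc/src.conf` (`WITHOUT_MODULES+= geom_eli geom_bde`). The script below is an added example, not code from the thread or from the FreeBSD project: it audits both files for those entries so a build can be verified rather than assumed clean. The kernel config and src.conf excerpts it reads are constructed inline for the demonstration (they are not the real GENERIC), and the function names are this example's own.

```shell
#!/bin/sh
# Audit a FreeBSD kernel config and src.conf for crypto-enabling entries.
# Added example; file contents below are constructed, not the real GENERIC.

# Print every active (non-comment) kernel-config line that enables crypto:
# "device crypto"/"device cryptodev", or options GEOM_ELI, GEOM_BDE, IPSEC*.
list_crypto_options() {
    awk '
        { sub(/#.*/, "") }                       # strip trailing comments
        /^[[:space:]]*device[[:space:]]+crypto/                        { print; next }
        /^[[:space:]]*options[[:space:]]+(GEOM_ELI|GEOM_BDE|IPSEC)/   { print }
    ' "$1"
}

# Number of such lines (0 means the config carries none of them).
count_crypto_options() {
    list_crypto_options "$1" | awk 'END { print NR }'
}

# Succeed only if every module named after the file appears on some
# WITHOUT_MODULES line of the given src.conf (comments ignored).
modules_excluded() {
    sc_file=$1; shift
    for mod in "$@"; do
        awk -v mod="$mod" '
            { sub(/#.*/, "") }
            /^[[:space:]]*WITHOUT_MODULES[[:space:]]*\+?=/ {
                sub(/^[^=]*=/, "")               # keep only the value part
                for (i = 1; i <= NF; i++) if ($i == mod) found = 1
            }
            END { exit found ? 0 : 1 }
        ' "$sc_file" || return 1
    done
    return 0
}

# --- constructed sample inputs -------------------------------------------
KCONF_WITH_CRYPTO=$(mktemp)
KCONF_STRIPPED=$(mktemp)
SRC_CONF=$(mktemp)
trap 'rm -f "$KCONF_WITH_CRYPTO" "$KCONF_STRIPPED" "$SRC_CONF"' EXIT

cat >"$KCONF_WITH_CRYPTO" <<'EOF'
# constructed excerpt in the style of a FreeBSD kernel config
options 	SCHED_ULE		# unrelated, must not be flagged
options 	IPSEC			# IP (v4/v6) security
options 	GEOM_ELI		# disk encryption
options 	GEOM_BDE		# disk encryption
device		crypto			# core crypto support
device		cryptodev		# /dev/crypto
# device	crypto			commented out, must not be flagged
EOF

cat >"$KCONF_STRIPPED" <<'EOF'
# constructed config with the crypto entries removed
options 	SCHED_ULE
device		pci
EOF

cat >"$SRC_CONF" <<'EOF'
# constructed /etc/src.conf
WITHOUT_CRYPT=1
WITHOUT_MODULES+= geom_eli geom_bde
EOF

# --- demonstration ---------------------------------------------------------
for f in "$KCONF_WITH_CRYPTO" "$KCONF_STRIPPED"; do
    n=$(count_crypto_options "$f")
    echo "$f: $n crypto-enabling line(s)"
    list_crypto_options "$f" | sed 's/^/    /'
done

if modules_excluded "$SRC_CONF" geom_eli geom_bde; then
    echo "src.conf: geom_eli and geom_bde excluded from the module build"
else
    echo "src.conf: geom_eli/geom_bde still built"
fi
```

Run it against real files by passing `/usr/src/sys/amd64/conf/<your kernel>` and `/etc/src.conf` to the two functions in place of the temp files; a non-zero count or a failed `modules_excluded` is what the poster wanted to catch before trusting the build.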

