[PC-BSD Testing] Disk encryption

Kris Moore kris at pcbsd.com
Tue Feb 16 13:44:39 PST 2010

On 02/15/2010 03:56, finid at linuxbsdos.com wrote:
> I'm trying to get a better understanding of how disk encryption on PC-BSD
> works. Here's what I've gleaned by playing with the installer:
> By default, the installer creates slices for /, swap, /var and /usr.
> If you switch to "custom partition ..." and edit the slices, there will be
> options to encrypt each slice. When I chose to encrypt /, the installation
> failed with an error message that amounted to "encryption of / is not
> supported."
> So I tried the installation again and chose to encrypt /usr. From a real
> security perspective, this does nothing for me. Just trying to get to know
> encryption on PC-BSD. I was expecting the installer to ask for a
> passphrase (this is how it works on Linux). But it did not. Instead it
> generated two random keys and stored them in the /boot/keys directory.
> Now I'm thinking, if I do not know what the keys are, how useful is this
> to me? In any case, I finished the installation and the system rebooted
> without asking me for a key.
> Now my question. How does disk encryption work on PC-BSD? I'm hoping that
> someone with a better understanding of how this works will jump in and
> help me understand how it works.
> I'm assuming that encryption of / is not supported because /boot is a
> directory under it. Wouldn't it be better to create a separate slice for
> /boot? That way / can be encrypted.
> I hope this makes sense to somebody.
> Thanks,
> --
> FD

You are correct in your assesment. Right now the GUI isn't allowing 
encryption of "/" just yet. I've got it on my list to flesh that part of 
the installer out for 8.1, such as it automatically creating a small 
/boot partition for the kernel / keys to load when you use encryption on 

As for the keys, they are simply random passwords essentially, without 
those you cannot mount / read the partition. Right now this is more 
suited to creating a new file-system, like "/private" or something, so 
that you can mount-unmount it on the fly and store private data on it. 
However when I add the new gui functionality, it'll be more suitable for 
encrypting / or /usr, and prompting for a password at bootup instead, 
which is the ultimate goal :)

BTW, just for fun, lots of good info on FreeBSD encryption here:

We are using GELI for our encryption support.


Kris Moore
PC-BSD Software

More information about the Testing mailing list