[PC-BSD Testing] Disk encryption
kris at pcbsd.com
Tue Feb 16 13:44:39 PST 2010
On 02/15/2010 03:56, finid at linuxbsdos.com wrote:
> I'm trying to get a better understanding of how disk encryption on PC-BSD
> works. Here's what I've gleaned by playing with the installer:
> By default, the installer creates slices for /, swap, /var and /usr.
> If you switch to "custom partition ..." and edit the slices, there will be
> options to encrypt each slice. When I chose to encrypt /, the installation
> failed with an error message that amounted to "encryption of / is not
> So I tried the installation again and chose to encrypt /usr. From a real
> security perspective, this does nothing for me. Just trying to get to know
> encryption on PC-BSD. I was expecting the installer to ask for a
> passphrase (this is how it works on Linux). But it did not. Instead it
> generated two random keys and stored them in the /boot/keys directory.
> Now I'm thinking, if I do not know what the keys are, how useful is this
> to me? In any case, I finished the installation and the system rebooted
> without asking me for a key.
> Now my question. How does disk encryption work on PC-BSD? I'm hoping that
> someone with a better understanding of how this works will jump in and
> help me understand how it works.
> I'm assuming that encryption of / is not supported because /boot is a
> directory under it. Wouldn't it be better to create a separate slice for
> /boot? That way / can be encrypted.
> I hope this makes sense to somebody.
You are correct in your assesment. Right now the GUI isn't allowing
encryption of "/" just yet. I've got it on my list to flesh that part of
the installer out for 8.1, such as it automatically creating a small
/boot partition for the kernel / keys to load when you use encryption on
As for the keys, they are simply random passwords essentially, without
those you cannot mount / read the partition. Right now this is more
suited to creating a new file-system, like "/private" or something, so
that you can mount-unmount it on the fly and store private data on it.
However when I add the new gui functionality, it'll be more suitable for
encrypting / or /usr, and prompting for a password at bootup instead,
which is the ultimate goal :)
BTW, just for fun, lots of good info on FreeBSD encryption here:
We are using GELI for our encryption support.
More information about the Testing