BSDCan 2016
Allan Jude
11 June - 2016-06-11
Security
Booting from Encrypted Disks on FreeBSD

GELI in the boot code

FreeBSD has supported disk encryption with GBDE and GELI since 2002 and 2005, respectively. However, booting the system required storing the loader and kernel unencrypted so that the requisite GEOM module could be loaded to handle decryption. This became a significantly larger stumbling block with the introduction of ZFS, as having multiple separate partitions detracts from the advantages of ZFS and also causes headaches when upgrading the operating system. With the growing popularity of ZFS Boot Environments, a solution was needed that allowed the kernel and loader to remain part of the primary file system, even if it was encrypted. This paper provides an overview of the design of the GELI-enabled boot code and loader, as well as the numerous challenges encountered during their development.

A walk through the tale of woe that was implementing support for GELI in the FreeBSD bootcode and loader. Hear the story of a very junior developer persisting through countless complications and roadblocks to finally arrive at working code. Learn just how complicated it is to boot a computer, and how much worse it can get. In the end, we are left with working ZFS Boot Environments, even with fully encrypted pools.


  • The x86 boot process

    • MBR

    • GPT

  • Investigation Stage

  • Initial Implementation

  • Roadblocks

  • Dealing with UFS

  • Overcoming Limits

  • Adding More Encryption

  • Password Caching