On Wed, Oct 10, 2007 at 09:04:34AM -0400, Steve Bertrand wrote: > Hi all, > > I am voraciously attempting to get a FreeBSD system to boot from a GELI > encrypted hard disk, but am having problems.
You don't need to encrypt the whole harddisk. You can encrypt separate slices. There is no need to encrypt stuff like / or /usr; what is there that needs to be kept secret? > All of my searches lead to the same problem...GELI passphrase can not be > entered correctly upon boot. I have tried everything I have found on the > web (including disabling 'kbdmux' in the kernel) to no avail. With a normal AT keyboard I can enter the passphrase without problems, for a non-root partition. > Does anyone have a suggestion for a workaround? Put all the data that really needs to be encrypted on a separate slice, and encrypt that. Leave the rest unencrypted, especially /boot. As a rule of thumb; don't bother encrypting anything that you can just download from the internet. :-) Here's how it looks on my machine; Filesystem Size Used Avail Capacity Mounted on /dev/ar0s1a 496M 126M 330M 28% / devfs 1.0K 1.0K 0B 100% /dev /dev/ar0s1g.eli 120G 82G 28G 75% /home /dev/ar0s1e 496M 16K 456M 0% /tmp /dev/ar0s1f 19G 4.7G 13G 26% /usr /dev/ar0s1d 1.9G 152M 1.6G 8% /var As you can see only /home is encrypted because the rest doesn't hold data worth encrypting. If you encrypted / and /usr, you might actually make the system more vulnerable to a known-plaintext attack, because there are a lot of files with well-known contents there. Roland -- R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Description: PGP signature