Brussels / 4 & 5 February 2017



Booting FreeBSD from encrypted disk

FreeBSD has supported disk encryption with GBDE and GELI since 2002 and 2005 respectively. However, booting the system required storing the loader and kernel unencrypted so that the requisite GEOM module could be loaded to handle decryption. This became a significantly larger stumbling block with the introduction of ZFS, as having multiple separate partitions detracts from the advantages of ZFS, and also causes headaches when upgrading the operating system. With the growing popularity of ZFS Boot Environments, a solution was needed that allowed the kernel and loader to remain part of the primary file system, even if it was encrypted. This paper provides an overview of the design of the GELI enabled BIOS boot code and loader, as well as the numerous challenges encountered during their development.

A walk through the tale of woe that was implementing support for GELI in the FreeBSD bootcode and loader. Hear the story of a very junior developer persisting through countless complications and roadblocks to finally arrive at working code. Learn just how complicated it is to boot a computer, and how much worse it can get. In the end, we are left with working ZFS Boot Environments, even with fully encrypted pools.


Photo of Allan Jude Allan Jude