DragonFly BSD

encrypt-boot

Work in progress!

How to achieve true full-disk encryption (FDE)

Introduction

DragonFlyBSD supports encryption and booting from an encrypted root natively via CRYPTSETUP(8) and INITRD(7). However, to boot DragonFlyBSD in the first place, an unencrypted (plain-text) boot partition is needed. Through a more elaborate boot process, it is possible to encrypt even the boot partition.

Motivation

Why would someone want to do that? Let's take this hypothetical scenario: at the airport your laptop is confiscated with the intention of data extraction. An encrypted root or home partition might be an apparent road block, but what stops a malicious actor from modifying the kernel in the boot partition directly so that it sends all your private information on the next boot? Nothing. We can prevent this by encrypting /boot and/or cryptographically signing the kernel. Whether this is a rational security step or not can only be ascertained by your threat model. From the perspective of my threat model, performing the encryption of the boot partition is beyond paranoid. But it is still interesting to set up and learn from nonetheless.