FreeBSD password-checking boot module
The file that goes by the name of check-password.4th is
a set of commands designed to do one or more of the following:
o Prevent booting without password
o Prevent modification of boot options without password
o Provide a password to mount geli(8) encrypted root disk(s)
The commands of check-password.4th
themselves are not enough for most uses. Please refer to the examples below
for the most common situations, and to
for additional commands.
Before using any of the commands provided in
check-password.4th, it must be included through the
This line is present in /boot/loader.4th
file, so it is not needed (and should not be re-issued) in a normal
The commands provided by it are:
check-password
- Multi-purpose function that can protect the interactive boot menu, prevent
boot without password, or prompt for geli(8) passphrase (depending on
First checks bootlock_password and,
if set, the user cannot continue until the correct password is
Next, checks geom_eli_passphrase_prompt
and if set to
YES (case-insensitive) prompts the
user to enter their GELI password for later mounting of the root
device(s) during boot.
Last, checks password and, if set, tries
autoboot and only prompts for password on
failure or user-interrupt. See
for additional information.
The environment variables that affect its behavior are:
bootlock_password
- Sets the bootlock password (up to 255 characters long) that is required by
check-password to be entered before the system is
allowed to boot.
geom_eli_passphrase_prompt
- Selects whether loader(8) will prompt for GELI credentials, handing off to
the kernel for later mounting of
encrypted root device(s).
password
- Sets the password (up to 255 characters long) that is required by
check-password before the user is allowed to visit
the boot menu.
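As an added example (not part of the original manual page), the following sh functions report which of the three variables above are set in a loader.conf-style file and flag a password longer than 255 characters. They assume the variables are assigned as name="value" lines; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which check-password protections a loader.conf-style
# file enables. The name="value" line format is an assumption of this sketch.

# Print the last value assigned to variable $1 in file $2, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Print one line per variable (never the secret itself);
# return 1 if a password exceeds the 255-character limit.
audit_loader_conf() {
    conf=$1
    status=0
    for var in bootlock_password password; do
        val=$(conf_get "$var" "$conf")
        if [ -z "$val" ]; then
            echo "$var: unset"
        elif [ "${#val}" -gt 255 ]; then
            echo "$var: too long (${#val} > 255)"
            status=1
        else
            echo "$var: set"
        fi
    done
    # YES is matched case-insensitively, as described above.
    prompt=$(conf_get geom_eli_passphrase_prompt "$conf" | tr '[:lower:]' '[:upper:]')
    if [ "$prompt" = "YES" ]; then
        echo "geom_eli_passphrase_prompt: prompt enabled"
    else
        echo "geom_eli_passphrase_prompt: prompt disabled"
    fi
    return $status
}

# Constructed sample input (not from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed loader.conf sample
bootlock_password="constructed-example-1"
geom_eli_passphrase_prompt="yes"
EOF
audit_loader_conf "$sample"
rm -f "$sample"
```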
Standard i386 /boot/loader.rc:
Set a password in
to prevent modification of boot options:
Set a password in
to prevent booting without password:
Add the following to
to generate a prompt at boot to collect GELI credentials for mounting
encrypted root device(s):
check-password.4th set of commands first appeared in
check-password.4th set of commands was written by
Devin Teske ⟨dteske@FreeBSD.org⟩.