You simply need to edit /etc/ttys
to prompt for a password in single user mode, although keep in mind anyone with physical access to the machine can still retrieve your data through various methods.
you will find a line that looks like this which is tab delimited in /etc/ttys
:
console none unknown off secure
change the secure part to insecure (very confusing, I know) so the line looks like this:
console none unknown off insecure
upon rebooting and entering single user mode, you will be prompted for a password to get to the shell prompt.
This is what the FreeBSD guys have to say about using the word insecure in /etc/ttys
:
Note: An insecure console means that
you consider your physical security to
the console to be insecure, and want
to make sure only someone who knows
the root password may use single-user
mode, and it does not mean that you
want to run your console insecurely.
Thus, if you want security, choose
insecure, not secure.
1really funny, i'm going favorite this question, so i can have some laughs later on! – alexus – 2009-12-20T04:33:42.970
I dont see whats funny – The BSD Guy – 2009-12-20T05:35:27.253
He likely thinks it's "funny" because anyone with physical access to an unencrypted machine can boot whatever they want and access the raw data of the machine without restrictions. – Chris S – 2014-05-20T15:33:16.920