Date: Mon, 20 Apr 2020 12:38:12 -0700
From: Mel Pilgrim <list_freebsd@bluerosetech.com>
To: questions@freebsd.org
Subject: Root on GELI+ZFS without a separate boot pool?
Message-ID: <5c8c640c-8811-d7f4-a239-f42fcac3688f@bluerosetech.com>

Threads on other lists mentioned that with 12-R it's no longer necessary to have a separate boot pool when using a GELI-encrypted root ZFS pool. The documentation I can find only shows the simple case of using a passphrase without a boot pool, or the "legacy" configuration of using keyfiles with a separate boot pool.

The use case is data privacy on a failed disk sent back to the OEM under RMA combined with unattended restarts. Prompting for a passphrase can't happen. The means to decrypt the GELI volumes must never be stored on the disk with the encrypted partitions.

It seems like it would work if the loader could access a separate filesystem containing just the keys, but nothing in the documentation suggests how to do this. That is, the configuration for using GELI keys assumes the keys are on the same filesystem as the loader.

How do I get rid of having a separate /boot pool in my use case?