From: Mason Loring Bliss
To: freebsd-questions@freebsd.org
Subject: GELI key question...
Date: Tue, 3 Mar 2015 20:57:53 -0500
Message-ID: <20150304015753.GV3375@blisses.org>

Hi all.

Right now I've got root-on-ZFS-on-GELI from the 10.x installer, but I don't understand all the moving parts, and I'd love some pointers. In particular, the man pages geli(8) and loader.conf(5) don't tell me what I want.

I've got an ultimate goal and a short term goal. The short term goal is to have a key on a USB stick (maybe in a UFS2 partition, maybe just data on the disk itself - doesn't matter) and have loader.conf reference that as the key to unlock my root disk(s), for unattended boot as long as the USB stick is inserted in the system.
First thing that's unclear: Where is the GELI syntax for loader.conf documented? The GELI man page gives examples of use, but it doesn't say how the configs are composed. For example, it shows this:

    geli_da0_keyfile0_load="YES"
    geli_da0_keyfile0_type="da0:geli_keyfile0"
    geli_da0_keyfile0_name="/boot/keys/da0.key0"

Is the name of the variable fixed there? What's interpreting it? Would this be valid?

    geli_foo_keyfile0_load="YES"
    geli_foo_keyfile0_type="da0:geli_keyfile0"
    geli_foo_keyfile0_name="/boot/keys/da0.key0"

The _type variable seems to specify the device to which the variable applies. I don't know if the variable name is freeform(ish) or if the da0 needs to be duplicated as it is in the man page's example.

More relevant, can the _name variable specify another device? If so, can I use gpt labels for this, so that I can point to gpt/keypart? Or are those only available once the system has booted? I'd like to not have to depend on the USB key having the same device on each boot, and gpt labels seem ideal for this.

Next, I don't see loader.conf specifying which slot to use. I could be confusing the concepts... My understanding is that there is one key and a couple slots for user keys. Is my idea of having the bootloader default to the USB stick unless it's not there and use a file-and-passphrase already on /boot otherwise feasible? I'm not sure how to specify an order to try, never mind the location on another device of one of the keys.

I'm sure I've forgotten something in the midst of all this, so anything obvious I'm missing would be greatly appreciated.

PS: I now see some of the name composition stuff in sys/boot/forth/support.4th but I don't claim to know Forth and I'm having some trouble reading it at present.

    end_of_line? if 0 else letter? digit? underscore? dot? or or or then

I should learn Forth. But anyway...

Thank you kindly in advance for pointers and help!
-- 
Mason Loring Bliss  mason@blisses.org  http://blisses.org/
"In the drowsy dark cave of the mind dreams build their nest with fragments dropped from day's caravan." - Rabindranath Tagore
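The mail quotes the geli_da0_keyfile0_{load,type,name} triple from geli(8) and asks how the pieces fit together. The script below is an added example, not the poster's code or anything from FreeBSD: it reads a loader.conf and checks that every geli_<tag>_keyfile<N> prefix carries all three variables, that _load is "YES", that _type has the provider:geli_keyfile<N> shape with the same index N as the prefix (an assumption drawn from the man page example; the script does not know how the loader itself parses the tag, which is the open question in the mail), and it flags keyfiles that live under /boot, since a file the loader must read before GELI is attached necessarily sits on an unencrypted volume. The sample loader.conf contents and the temp-file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: consistency check for geli_<tag>_keyfile<N>_{load,type,name}
# triples in a loader.conf.  Assumptions (not documented facts): the three
# variables must travel together, and the slot name in _type ends with the same
# keyfile index as the variable prefix, as in the geli(8) example.

# check_geli_keyfiles FILE
# Prints one "ok"/"BAD"/"WARN" line per finding; returns 1 if any entry is
# incomplete or inconsistent, 0 otherwise.
check_geli_keyfiles() {
    conf=$1
    rc=0
    # Every distinct geli_<tag>_keyfile<N> prefix that appears in the file
    prefixes=$(sed -n 's/^\(geli_[A-Za-z0-9]*_keyfile[0-9][0-9]*\)_[a-z]*=.*/\1/p' "$conf" | sort -u)
    for prefix in $prefixes; do
        bad=0
        idx=${prefix##*keyfile}
        load=$(sed -n "s/^${prefix}_load=\"\([^\"]*\)\".*/\1/p" "$conf")
        type=$(sed -n "s/^${prefix}_type=\"\([^\"]*\)\".*/\1/p" "$conf")
        name=$(sed -n "s/^${prefix}_name=\"\([^\"]*\)\".*/\1/p" "$conf")

        if [ "$load" != "YES" ]; then
            echo "BAD  $prefix: _load is '$load', expected \"YES\""; bad=1
        fi

        provider=${type%%:*}
        case $type in
            '')
                echo "BAD  $prefix: _type missing"; bad=1 ;;
            *:geli_keyfile"$idx")
                # provider:geli_keyfile<N>; the provider part must not be empty
                [ -n "$provider" ] || { echo "BAD  $prefix: _type has no provider"; bad=1; } ;;
            *)
                echo "BAD  $prefix: _type '$type' does not end in geli_keyfile$idx"; bad=1 ;;
        esac

        if [ -z "$name" ]; then
            echo "BAD  $prefix: _name missing"; bad=1
        else
            # The loader reads this file before GELI is attached, so a keyfile
            # under /boot is readable without any passphrase; warn, don't fail.
            case $name in
                /boot/*) echo "WARN $prefix: keyfile $name lives on the unencrypted boot volume" ;;
            esac
        fi

        if [ "$bad" -eq 0 ]; then
            echo "ok   $prefix -> provider $provider, slot geli_keyfile$idx, key $name"
        else
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (no real system is consulted).
write_sample_good() {
    cat > "$1" <<'EOF'
geli_da0_keyfile0_load="YES"
geli_da0_keyfile0_type="da0:geli_keyfile0"
geli_da0_keyfile0_name="/boot/keys/da0.key0"
EOF
}

# Second entry is deliberately broken: wrong slot index and no _name line.
write_sample_bad() {
    cat > "$1" <<'EOF'
geli_da0_keyfile0_load="YES"
geli_da0_keyfile0_type="da0:geli_keyfile0"
geli_da0_keyfile0_name="/boot/keys/da0.key0"
geli_da1_keyfile0_load="YES"
geli_da1_keyfile0_type="da1:geli_keyfile1"
EOF
}

# Demo on the constructed samples
good=$(mktemp); bad_conf=$(mktemp)
write_sample_good "$good"; write_sample_bad "$bad_conf"
check_geli_keyfiles "$good"
check_geli_keyfiles "$bad_conf" || echo "sample with a broken entry rejected (exit $?)"
rm -f "$good" "$bad_conf"
```

Run it as `sh check_geli.sh` to see the demo, or source it and call `check_geli_keyfiles /boot/loader.conf` against a real file. The WARN line is the reason the USB-stick arrangement the mail asks about is attractive: it moves the keyfile off the volume the loader can read in the clear.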