Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 21 Aug 2011 12:17:13 +1000
From:      leon zadorin <leonleon77@gmail.com>
To:        freebsd-geom@freebsd.org
Subject:   potential problem with gpart, glabel and geli when using "ask for a passphrase on boot" option
Message-ID:  <CAPpySAYxM5jNx-deou-q6=X=Sdy66zMUCNm6TJFXn=2CUKO11Q@mail.gmail.com>
next in thread | raw e-mail | index | archive | help 
Hello everyone,

There appears to be a problem with how geli geom module treats "ask
for a passphrase on boot" option when the system is booting (or I
probably don't know the right way of doing this...) on 8.2-release
branch.

Essentially, I have a disk, for illustration purposes let's call it
"/dev/aaa", which is first labeled permanently (with glabel) as let's
say "/dev/label/ccc" and then setup with gpart to use gpt partition
scheme.

So far so good...

I then initialize one of the gpt partitions (/dev/label/cccp2) to be
used by a geli encryption module with "ask for a passphrase on boot"
option... something like this:
geli init -b -v -a hmac/sha256 -B none /dev/label/cccp2

the problem is that when the system boots, it asks for a passphrase on
*multiple* devices/partitions:
/dev/aaap2
/dev/gpt/bbb (where bbb is guid of the gpt partition in question)
/dev/label/cccp2

Clearly -- since I had applied the 'geli init -b' to /dev/label/cccp2
only, it would be ideal if geli was asking for the passphrase only for
1 device/partition: /dev/label/cccp2

It would appear however that geli might be using some sort of
value/data written to a partition to indicate that it may need to ask
for passphrase on boot (?), and since  each of /dev/aaap2,
/dev/gpt/bbb, /dev/label/cccp2 are synonymous w.r.t. such a data -- it
decides to ask for passphrase everytime a given "/dev/...." entry gets
attached?

Any way around this? Am I doing something wrong here? Or is there some
way in 'loader.conf' to tell geli geom provider to ignore certain
"/dev/..." entries?

Best regards
Leon.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPpySAYxM5jNx-deou-q6=X=Sdy66zMUCNm6TJFXn=2CUKO11Q>