From owner-freebsd-geom@freebsd.org Sun Aug 18 13:46:16 2019
From: Marco Steinbach
To: freebsd-geom@freebsd.org
Date: Sun, 18 Aug 2019 15:46:02 +0200
Subject: 11.3: GELI attach: Wrong key despite correct passphrase

Hi.

I have two bootable SSDs, both installed using a GELI encrypted root on ZFS. Both use the same passphrase, both boot, if I enter that passphrase at GELI's prompt.

One contains a GELI encrypted ZFS on root installed using the 11.1-RELEASE installer, which was source upgraded to 12 (without upgrading the zpools).

The other also contains a GELI encrypted ZFS on root, but installed using the 11.3-RELEASE installer. This one was source upgraded to 11.3-STABLE r350677.

I'd like to copy over data from the 12 to the 11.3 drive, so I put the 12 one into an external USB enclosure.

root@bsdbuch:~ # uname -a
FreeBSD bsdbuch.c0c0.intra 11.3-STABLE FreeBSD 11.3-STABLE #0 r350677: Sun Aug 18 04:43:08 CEST 2019 root@bsdbuch.c0c0.intra:/usr/obj/usr/src/sys/GENERIC amd64

Internal 11.3

root@bsdbuch:~ # gpart show ada0
=>        40  1953525088  ada0  GPT  (932G)
          40        1024     1  freebsd-boot  (512K)
        1064         984        - free -  (492K)
        2048    16777216     2  freebsd-swap  (8.0G)
    16779264  1936744448     3  freebsd-zfs  (924G)
  1953523712        1416        - free -  (708K)

External 12 USB

root@bsdbuch:~ # gpart show da0
=>        40  1953525088  da0  GPT  (932G)
          40      409600    1  efi  (200M)
      409640        1024    2  freebsd-boot  (512K)
      410664         984       - free -  (492K)
      411648     4194304    3  freebsd-zfs  (2.0G)
     4605952    33554432    4  freebsd-swap  (16G)
    38160384  1915363328    5  freebsd-zfs  (913G)
  1953523712        1416       - free -  (708K)

root@bsdbuch:~ # geli attach /dev/da0p5
Enter passphrase:
geli: Wrong key for da0p5.

I've then imported the bootpool from da0, and mounted it, so I can try using the key in boot/

root@bsdbuch:~ # geli attach -k /bootpool/boot/ada0p5.eli /dev/da0p5
Enter passphrase:
geli: Wrong key for da0p5.

If I put the 11.3 drive into the external enclosure, and boot from the 12 drive, I can attach the 11.3 GELI provider without error using the exact same passphrase (and without using a key)

Am I missing something ?

MfG CoCo

From owner-freebsd-geom@freebsd.org Sun Aug 18 15:27:31 2019
From: CyberLeo Kitsana
To: Marco Steinbach, freebsd-geom@freebsd.org
Date: Sun, 18 Aug 2019 10:20:51 -0500
Subject: Re: 11.3: GELI attach: Wrong key despite correct passphrase

On 8/18/19 8:46 AM, Marco Steinbach wrote:
> Hi.
>
> I have two bootable SSDs, both installed using a GELI encrypted root on
> ZFS.

> I've then imported the bootpool from da0, and mounted it, so I can try
> using the key in boot/
>
> root@bsdbuch:~ # geli attach -k /bootpool/boot/ada0p5.eli /dev/da0p5
> Enter passphrase:
> geli: Wrong key for da0p5.

Did you intend on combining both a keyfile AND a passphrase here? If not, include the -p option to instruct geli to avoid asking for a passphrase to mix in.

It might also help to include the output of 'geli dump' for both of the affected providers. You can obscure the 'Salt' and 'Master Key' portions if you so desire.

--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Element9 Communications
http://www.Element9.net

Furry Peace!
- http://www.fur.com/peace/

From owner-freebsd-geom@freebsd.org Sun Aug 18 19:05:41 2019
From: Marco Steinbach
To: freebsd-geom@freebsd.org
Date: Sun, 18 Aug 2019 21:05:31 +0200
Subject: Re: 11.3: GELI attach: Wrong key despite correct passphrase

On Sun, 18 Aug 2019 10:20:51 -0500 CyberLeo Kitsana wrote:

> On 8/18/19 8:46 AM, Marco Steinbach wrote:
> > Hi.
> >
> > I have two bootable SSDs, both installed using a GELI encrypted
> > root on ZFS.
> >
> >
> > I've then imported the bootpool from da0, and mounted it, so I can
> > try using the key in boot/
> >
> > root@bsdbuch:~ # geli attach -k /bootpool/boot/ada0p5.eli /dev/da0p5
> > Enter passphrase:
> > geli: Wrong key for da0p5.
>
> Did you intend on combining both a keyfile AND a passphrase here? If
> not, include the -p option to instruct geli to avoid asking for a
> passphrase to mix in.
>
> It might also help to include the output of 'geli dump' for both of
> the affected providers. You can obscure the 'Salt' and 'Master Key'
> portions if you so desire.
>

I think there's a misunderstanding.

I merely want to attach the GELI created by the 11.1 installer to a newly installed 11.3 system.

MfG CoCo

From owner-freebsd-geom@freebsd.org Sun Aug 18 21:00:23 2019
From: bugzilla-noreply@FreeBSD.org
To: geom@FreeBSD.org
Date: Sun, 18 Aug 2019 21:00:22 +0000
Subject: Problem reports for geom@FreeBSD.org that need special attention

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users, which need special attention. These represent problem reports covering all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
In Progress |    218679 | [geli] add a verify command
Open        |    238814 | geom: topology lock being dropped in dumpconf of

2 problems total for which you should take action.

From owner-freebsd-geom@freebsd.org Sun Aug 18 22:27:47 2019
From: Ben Woods
To: Marco Steinbach
Cc: freebsd-geom@freebsd.org
Date: Mon, 19 Aug 2019 06:27:34 +0800
Subject: Re: 11.3: GELI attach: Wrong key despite correct passphrase

On Mon, 19 Aug 2019 at 3:05 am, Marco Steinbach wrote:

> On Sun, 18 Aug 2019 10:20:51 -0500
> CyberLeo Kitsana wrote:
>
> > On 8/18/19 8:46 AM, Marco Steinbach wrote:
> > > Hi.
> > >
> > > I have two bootable SSDs, both installed using a GELI encrypted
> > > root on ZFS.
> > >
> > >
> > > I've then imported the bootpool from da0, and mounted it, so I can
> > > try using the key in boot/
> > >
> > > root@bsdbuch:~ # geli attach -k /bootpool/boot/ada0p5.eli /dev/da0p5
> > > Enter passphrase:
> > > geli: Wrong key for da0p5.
> >
> > Did you intend on combining both a keyfile AND a passphrase here? If
> > not, include the -p option to instruct geli to avoid asking for a
> > passphrase to mix in.
> >
> > It might also help to include the output of 'geli dump' for both of
> > the affected providers. You can obscure the 'Salt' and 'Master Key'
> > portions if you so desire.
> >
>
> I think there's a misunderstanding.
>
> I merely want to attach the GELI created by the 11.1 installer to a
> newly installed 11.3 system.
>
> MfG CoCo

Indeed, but what secrets do you need to provide to decrypt the geli providers (passphrase, passfile, keyfile)? The command above will use both a keyfile and prompt for a passphrase - was this your intention?

The “attach” section of this manpage has more details if required:
https://man.freebsd.org/geli

Cheers,
Ben

--
From: Benjamin Woods
woodsb02@gmail.com

From owner-freebsd-geom@freebsd.org Sun Aug 18 22:30:21 2019
From: Alaksiej
Cc: freebsd-geom
Date: Mon, 19 Aug 2019 01:29:59 +0300
Subject: Re: 11.3: GELI attach: Wrong key despite correct passphrase

Hello Marco,

To the best of my knowledge geli in 11.3 should be absolutely capable of attaching a geom created in 11.1. So when the utility reports "Wrong key" there's a big chance it is telling you the truth, and something in the key data you are supplying to it is wrong.

Key data here can be either password, or key(s), or password + key(s).

CyberLeo's suggestion is that maybe your 11.1-created SSD doesn't require a password at all. Which can be a reasonable guess if, for example, both disks were used in the same computer, and you were asked for your password just once every boot. (Your initial message is not specific on how those SSDs were used).

If it's not the case, then we should suspect the key(s) part. Check the /boot/loader.conf file on the 11.1-created SSD: are there any geli_*_keyfile_* lines?

On Sun, Aug 18, 2019 at 10:05 PM Marco Steinbach <coco@executive-computing.de> wrote:

> On Sun, 18 Aug 2019 10:20:51 -0500
> CyberLeo Kitsana wrote:
>
> > On 8/18/19 8:46 AM, Marco Steinbach wrote:
> > > Hi.
> > >
> > > I have two bootable SSDs, both installed using a GELI encrypted
> > > root on ZFS.
> > >
> > >
> > > I've then imported the bootpool from da0, and mounted it, so I can
> > > try using the key in boot/
> > >
> > > root@bsdbuch:~ # geli attach -k /bootpool/boot/ada0p5.eli /dev/da0p5
> > > Enter passphrase:
> > > geli: Wrong key for da0p5.
> >
> > Did you intend on combining both a keyfile AND a passphrase here? If
> > not, include the -p option to instruct geli to avoid asking for a
> > passphrase to mix in.
> >
> > It might also help to include the output of 'geli dump' for both of
> > the affected providers. You can obscure the 'Salt' and 'Master Key'
> > portions if you so desire.
> >
>
> I think there's a misunderstanding.
>
> I merely want to attach the GELI created by the 11.1 installer to a
> newly installed 11.3 system.
>
> MfG CoCo
>
> _______________________________________________
> freebsd-geom@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-geom
> To unsubscribe, send any mail to "freebsd-geom-unsubscribe@freebsd.org"
>

From owner-freebsd-geom@freebsd.org Mon Aug 19 01:55:17 2019
From: Marco Steinbach
To: freebsd-geom@freebsd.org
Date: Mon, 19 Aug 2019 03:55:09 +0200
Subject: Re: 11.3: GELI attach: Wrong key despite correct passphrase

On Mon, 19 Aug 2019 06:27:34 +0800 Ben Woods wrote:

> On Mon, 19 Aug 2019 at 3:05 am, Marco Steinbach
> wrote:
>
> > On Sun, 18 Aug 2019 10:20:51 -0500
> > CyberLeo Kitsana wrote:
> >
> > > On 8/18/19 8:46 AM, Marco Steinbach wrote:
> > > > Hi.
> > > >
> > > > I have two bootable SSDs, both installed using a GELI encrypted
> > > > root on ZFS.
> > > >
> > > >
> > > > I've then imported the bootpool from da0, and mounted it, so I
> > > > can try using the key in boot/
> > > >
> > > > root@bsdbuch:~ # geli attach -k /bootpool/boot/ada0p5.eli /dev/da0p5
> > > > Enter passphrase:
> > > > geli: Wrong key for da0p5.
> > >
> > > Did you intend on combining both a keyfile AND a passphrase here?
> > > If not, include the -p option to instruct geli to avoid asking
> > > for a passphrase to mix in.
> > >
> > > It might also help to include the output of 'geli dump' for both
> > > of the affected providers. You can obscure the 'Salt' and 'Master
> > > Key' portions if you so desire.
> > >
> >
> > I think there's a misunderstanding.
> >
> > I merely want to attach the GELI created by the 11.1 installer to a
> > newly installed 11.3 system.
> >
> > MfG CoCo
>
>
> Indeed, but what secrets do you need to provide to decrypt the geli
> providers (passphrase, passfile, keyfile)? The command above will use
> both a keyfile and prompt for a passphrase - was this your intention?
>=20 > The =E2=80=9Cattach=E2=80=9D section of this manpage has more details if = required: >=20 > https://man.freebsd.org/geli >=20 What secrets do I need to provide, if I installed a root on ZFS on top of GELI using the FreeBSD installer (no manual intervention, really just what the installer offered) on the 11.1-RELEASE memstick, if I want to attach that provider to an 11.3-RELEASE system ? As I wrote, I have two SSDs both installed using the FreeBSD installer using root on ZFS on top of GELI. One was installed using the 11.1-RELEASE memstick, the other was installed using the 11.3-RELEASE memstick. I can attach the 11.3-RELEASE from the 11.1-RELEASE (just doing 'geli attach /dev/da0p5), but not vice versa. Both use the same passphrase, and both boot using this same passphrase. Since GELI on the 11.3-RELEASE system told me 'geli: wrong key for da0p5' when trying to attach the 11.1-RELEASE GELI provider, I tried using the keyfile generated by the 11.1-RELEASE installer in conjunction with the passphrase. That also failed. 
MfG CoCo

From owner-freebsd-geom@freebsd.org Mon Aug 19 03:08:30 2019
Date: Mon, 19 Aug 2019 05:08:26 +0200
From: Marco Steinbach
To: freebsd-geom@freebsd.org
Cc: Alaksiej, CyberLeo Kitsana, Ben Woods
Subject: Re: 11.3: GELI attach: Wrong key despite correct passphrase (SOLVED)
Message-ID: <20190819050826.00002d83@executive-computing.de>
In-Reply-To: <20190819035509.00007d37@executive-computing.de>

On Mon, 19 Aug 2019 03:55:09 +0200 Marco Steinbach wrote:

> On Mon, 19 Aug 2019 06:27:34 +0800
> Ben Woods wrote:
>
> > On Mon, 19 Aug 2019 at 3:05 am, Marco Steinbach wrote:
> >
> > > On Sun, 18 Aug 2019 10:20:51 -0500
> > > CyberLeo Kitsana wrote:
> > >
> > > > On 8/18/19 8:46 AM, Marco Steinbach wrote:
> > > > > Hi.
> > > > >
> > > > > I have two bootable SSDs, both installed using a GELI
> > > > > encrypted root on ZFS.
> > > >
> > > >
> > > >
> > > > > I've then imported the bootpool from da0, and mounted it, so I
> > > > > can try using the key in boot/
> > > > >
> > > > > root@bsdbuch:~ # geli attach -k /bootpool/boot/ada0p5.eli /dev/da0p5
> > > > > Enter passphrase:
> > > > > geli: Wrong key for da0p5.
> > > >
> > > > Did you intend on combining both a keyfile AND a passphrase
> > > > here? If not, include the -p option to instruct geli to avoid
> > > > asking for a passphrase to mix in.
> > > >
> > > > It might also help to include the output of 'geli dump' for both
> > > > of the affected providers. You can obscure the 'Salt' and
> > > > 'Master Key' portions if you so desire.
> > > >
> > >
> > > I think there's a misunderstanding.
> > >
> > > I merely want to attach the GELI created by the 11.1 installer to
> > > a newly installed 11.3 system.
> > >
> > > MfG CoCo
> >
> >
> > Indeed, but what secrets do you need to provide to decrypt the geli
> > providers (passphrase, passfile, keyfile)? The command above will
> > use both a keyfile and prompt for a passphrase - was this your
> > intention?
> >
> > The “attach” section of this manpage has more details if required:
> >
> > https://man.freebsd.org/geli
> >
>
> What secrets do I need to provide, if I installed a root on ZFS on top
> of GELI using the FreeBSD installer (no manual intervention, really
> just what the installer offered) on the 11.1-RELEASE memstick,
> if I want to attach that provider to an 11.3-RELEASE system?
>
> As I wrote, I have two SSDs both installed using the FreeBSD installer
> using root on ZFS on top of GELI. One was installed using the
> 11.1-RELEASE memstick, the other was installed using the 11.3-RELEASE
> memstick.
>
> I can attach the 11.3-RELEASE from the 11.1-RELEASE (just doing 'geli
> attach /dev/da0p5'), but not vice versa. Both use the same passphrase,
> and both boot using this same passphrase.
>
> Since GELI on the 11.3-RELEASE system told me 'geli: wrong key for
> da0p5' when trying to attach the 11.1-RELEASE GELI provider, I tried
> using the keyfile generated by the 11.1-RELEASE installer in
> conjunction with the passphrase. That also failed.

Hi.

I now have successfully tested cross-attaching the 11.1/11.3 GELI
providers using their respective keyfiles and the passphrase.

It's still beyond me why I was able to simply attach the GELI provider
on the external USB drive created in 11.3 just using the passphrase,
when 11.1 was booted, but not vice versa (with 11.3 booted internally,
and 11.1 in the external enclosure).

In all my tries, I always plugged in the external drive after the
system was fully up.

Thank you all for your suggestions and hints -- that was quite an
informative lesson.

MfG CoCo
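
The replies in this thread point out that `geli attach -k` mixes the keyfile with the passphrase it prompts for, and that `-p` leaves the passphrase out. A simplified model of that mixing, added here as an example and not code from the thread or from GELI: the HMAC-SHA512/PBKDF2 construction, the `Provider` type, the function names and all sample values are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Provider:
    """Constructed stand-in for one provider's on-disk metadata."""
    salt: bytes
    iterations: int
    check: bytes  # tag that only the correct user key reproduces

def user_key(salt, iterations, keyfile=None, passphrase=None):
    """Mix whichever components were supplied into one 64-byte user key."""
    if keyfile is None and passphrase is None:
        raise ValueError("need a keyfile, a passphrase, or both")
    mac = hmac.new(b"", digestmod=hashlib.sha512)
    if keyfile is not None:       # models: -k keyfile
        mac.update(keyfile)
    if passphrase is not None:    # models: the "Enter passphrase:" prompt
        mac.update(hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, 64))
    return mac.digest()

def _tag(key):
    return hmac.new(key, b"provider-check", digestmod=hashlib.sha512).digest()

def init_provider(salt, keyfile=None, passphrase=None, iterations=1000):
    return Provider(salt, iterations, _tag(user_key(salt, iterations, keyfile, passphrase)))

def attach(provider, keyfile=None, passphrase=None):
    key = user_key(provider.salt, provider.iterations, keyfile, passphrase)
    ok = hmac.compare_digest(_tag(key), provider.check)
    return "attached" if ok else "Wrong key"

# Constructed sample values, not taken from the thread.
SALT = bytes(range(64))
KEYFILE_A = b"\x11" * 4096    # keyfile created for provider A
KEYFILE_B = b"\x22" * 4096    # keyfile created for a different provider
PASSPHRASE = b"same passphrase on both disks"

def demo():
    a = init_provider(SALT, keyfile=KEYFILE_A, passphrase=PASSPHRASE)
    return {
        "passphrase only": attach(a, passphrase=PASSPHRASE),
        "keyfile only (-p)": attach(a, keyfile=KEYFILE_A),
        "other keyfile + passphrase": attach(a, KEYFILE_B, PASSPHRASE),
        "own keyfile + passphrase": attach(a, KEYFILE_A, PASSPHRASE),
    }

if __name__ == "__main__":
    print(demo())
```

In this model a correct passphrase alone cannot reproduce a key that was built from a keyfile and a passphrase together, which is why the error reads "Wrong key" rather than pointing at a missing component.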