Date: Thu, 25 Oct 2018 18:06:30 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: "Michael .." <mikey@usa.com>
Cc: freebsd-geom@freebsd.org
Subject: Re: GELI without passphrase on ZFS root
Message-ID: <20181026010630.GD75530@funkthat.com>
In-Reply-To: <trinity-1e9f4851-d935-4fd2-b2af-d362644295eb-1540463114302@3c-app-mailcom-lxa11>
References: <trinity-1e9f4851-d935-4fd2-b2af-d362644295eb-1540463114302@3c-app-mailcom-lxa11>
Michael .. wrote this message on Thu, Oct 25, 2018 at 12:25 +0200:
> Has anyone been able to achieve this?
>
> I installed FreeBSD 11.2 using AutoZFS option with encryption turned on. Passphrase is specified as part of install.
>
> I want to switch to only a keyfile and no passphrase:
>
> geli setkey -K /boot/encryption.key -P /dev/xyz

If this is on your ZFS root that is encrypted w/ the key file, how do you expect to be able to boot the system when the keyfile you need to decrypt is encrypted?

> This completes, but I'm still prompted for passphrase on boot. Nothing appears accepted by the prompt (as the userkey is using only keyfile now?)
>
> Setting geom_eli_passphrase_prompt="NO" doesn't help.

Well, the default boot I believe can only handle passphrase. You can look at these instructions on booting from a USB drive which can contain the key file:

https://forums.freebsd.org/threads/zfs-boot-from-usb.45880/

I don't think zfsboot (which is needed for ZFS root booting) can handle key files, because it needs to get the key file from somewhere, and it is a very small binary, and so does not have the space to load it from other drives...

-- 
John-Mark Gurney				Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."