From nobody Sun Jan 9 10:23:39 2022 X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id A6FB1193938F for ; Sun, 9 Jan 2022 10:23:49 +0000 (UTC) (envelope-from 4250.82.1d4d80000ab5114.7cdc6b5162845a6928b2bfc187693693@email-od.com) Received: from s1-b0c6.socketlabs.email-od.com (s1-b0c6.socketlabs.email-od.com [142.0.176.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4JWtN5454dz4XZ4 for ; Sun, 9 Jan 2022 10:23:49 +0000 (UTC) (envelope-from 4250.82.1d4d80000ab5114.7cdc6b5162845a6928b2bfc187693693@email-od.com) DKIM-Signature: v=1; a=rsa-sha256; d=email-od.com;i=@email-od.com;s=dkim; c=relaxed/relaxed; q=dns/txt; t=1641723830; x=1644315830; h=content-transfer-encoding:content-type:mime-version:references:in-reply-to:message-id:subject:cc:to:from:date:x-thread-info; bh=uCzPTgwM6PLSjIDqftnoI6XOz09RWL3HpkvHeJrZloY=; b=IyheZAsP1W4Vg+BzmW7rLzxvZ8tHAjsy8KrUSzXqSiyW6Z7ec3f46gCkPGo7RJELgOgL6l9Cz2HM6V2JbQMy6ssgmw+xMeCcCSaMW1HG1XGFWLf4IheE0huyS3+UiStu7mC64sQSdpQe5ToiEaNm1KAaeDYtjOsXd4NZtY6stZE= X-Thread-Info: NDI1MC4xMi4xZDRkODAwMDBhYjUxMTQuZnJlZWJzZC1xdWVzdGlvbnM9ZnJlZWJzZC5vcmc= Received: from r3.h.in.socketlabs.com (r3.h.in.socketlabs.com [142.0.180.13]) by mxsg2.email-od.com with ESMTP(version=Tls12 cipher=Aes256 bits=256); Sun, 9 Jan 2022 05:23:41 -0500 Received: from smtp.lan.sohara.org (EMTPY [185.202.17.215]) by r3.h.in.socketlabs.com with ESMTP(version=Tls12 cipher=Aes256 bits=256); Sun, 9 Jan 2022 05:23:40 -0500 Received: from [192.168.63.1] (helo=steve.lan.sohara.org) by smtp.lan.sohara.org with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1n6VMR-000Jzm-6r; Sun, 09 Jan 2022 10:23:39 +0000 Date: Sun, 9 Jan 2022 10:23:39 +0000 From: Steve O'Hara-Smith To: Taceant Omnes Cc: freebsd-questions@freebsd.org Subject: Re: entering geli passphrase only once at FreeBSD boot Message-Id: <20220109102339.45932ef6cf6f42daa3a1871d@sohara.org> In-Reply-To: References: X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd13.0) X-Clacks-Overhead: "GNU Terry Pratchett" List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4JWtN5454dz4XZ4 X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-ThisMailContainsUnwantedMimeParts: N On Sun, 9 Jan 2022 10:00:51 +0000 Taceant Omnes wrote: > Is there a way to enter the passphrase only once in FreeBSD that does > not involve storing it in a file? My solution was to log in after boot and run a script - less than elegant but possible to do remotely if I was away during a power outage (happened once). I've since given up on using encrypted drives, after a scare when one drive became inaccessible after an outage due to geli errors. Another option would be to run something in rc.local that disables getty on the console and uses /dev/ttyv0 directly which forces it to be done by someone with physical access. A very flashy (pun intended) option would be to put the key on a USB stick and do some devd magic to spot it and do the necessary before talking out of the speaker. -- Steve O'Hara-Smith