Date:      Fri, 26 Oct 2018 11:54:44 +0200
From:      "Michael .." <mikey@usa.com>
To:        "John-Mark Gurney" <jmg@funkthat.com>
Cc:        freebsd-geom@freebsd.org
Subject:   Re: GELI without passphrase on ZFS root
Message-ID:  <trinity-1f628aee-bf72-439d-9197-cec358b3acaf-1540547684747@3c-app-mailcom-lxa10>
In-Reply-To: <20181026010630.GD75530@funkthat.com>
References:  <trinity-1e9f4851-d935-4fd2-b2af-d362644295eb-1540463114302@3c-app-mailcom-lxa11> <20181026010630.GD75530@funkthat.com>


I can boot using a passphrase *and* keyfile encrypted userkey.  The keyfile is accessible on /boot/ unencrypted. (I realise this is in no way "secure", but it proves the keyfile is accessible.) i.e.:

geli setkey -K /boot/encryption.key /dev/xyz
(prompted for new passphrase)

Able to reboot correctly by entering new passphrase.

The problem is that as soon as I update the userkey to be without the passphrase component, the passphrase is still requested during boot, and then obviously there is no correct entry. i.e.:

geli setkey -K /boot/encryption.key -P /dev/xyz
(no passphrase prompt due to -P)

Passphrase is still requested during boot and cannot proceed.

I tried "geli configure -B /dev/xyz" as suggested by Alaksiej, there is no prompt for passphrase but booting breaks at mountroot (I guess because the "boot" flag has been removed?).

Is this a bug in that geom_eli does not try to decrypt using just keyfile before prompting user for passphrase?

Regards,

Michael.

Sent: Friday, October 26, 2018 at 2:06 AM
From: "John-Mark Gurney" <jmg@funkthat.com>
To: "Michael .." <mikey@usa.com>
Cc: freebsd-geom@freebsd.org
Subject: Re: GELI without passphrase on ZFS root
Michael .. wrote this message on Thu, Oct 25, 2018 at 12:25 +0200:
> Has anyone been able to achieve this?
>  
> I installed FreeBSD 11.2 using AutoZFS option with encryption turned on.  Passphrase is specified as part of install.
>  
> I want to switch to only a keyfile and no passphrase:
>  
> geli setkey -K /boot/encryption.key -P /dev/xyz

If this is on your ZFS root that is encrypted w/ the key file, how do
you expect to be able to boot the system when the keyfile you need to
decrypt is encrypted?

> This completes, but I'm still prompted for passphrase on boot.  Nothing appears accepted by the prompt (as the userkey is using only keyfile now?)
>  
> Setting geom_eli_passphrase_prompt="NO" doesn't help.

Well, I believe the default boot can only handle a passphrase.

You can look at these instructions on booting from a USB drive which can
contain the key file:
https://forums.freebsd.org/threads/zfs-boot-from-usb.45880/

I don't think zfsboot (which is needed for ZFS root booting) can handle
key files, because it needs to get the key file from somewhere, and it
is a very small binary, and so does not have the space to load it from
other drives...

--
John-Mark Gurney Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."


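The key change Michael is attempting, reproduced on a scratch memory disk instead of the ZFS root. This is an added example, not a script from the thread or from the FreeBSD project. It assumes root on a FreeBSD host with geli(8) and mdconfig(8), and the paths under /tmp/geli-demo.* are invented scratch locations. It goes through the same three states the thread describes (passphrase plus keyfile with the BOOT flag set, `setkey -P -K` to drop the passphrase component, re-attach with `-p -k` only) and checks that data written before the change is still readable afterwards. What it deliberately does not touch is the loader: a `geli attach -p -k` from a running system is exactly what the default boot path cannot do, which is John-Mark's point above, so a successful run here says nothing about whether the root pool will come up without a prompt.

```shell
#!/bin/sh
# Added example (not from the thread): take a scratch GELI provider through
# the passphrase+keyfile -> keyfile-only key change on a memory disk, so the
# boot loader is not involved.  Needs root on FreeBSD; on a host without
# geli(8)/mdconfig(8) or without root it prints "skipped" and does nothing.
# All /tmp/geli-demo.* paths are assumed scratch locations.

geli_keyfile_demo() {
    if ! command -v geli >/dev/null 2>&1 || ! command -v mdconfig >/dev/null 2>&1 \
       || [ "$(id -u)" -ne 0 ]; then
        echo skipped
        return 0
    fi

    dir=/tmp/geli-demo.$$
    mkdir -p "$dir"
    keyfile="$dir/encryption.key"
    passfile="$dir/passphrase"
    img="$dir/disk.img"

    # 512-bit random key file and a throw-away passphrase.  Demo only: a real
    # key file must never live on the unencrypted /boot of a production box.
    dd if=/dev/random of="$keyfile" bs=64 count=1 2>/dev/null
    chmod 600 "$keyfile"
    printf 'demo-passphrase\n' > "$passfile"

    truncate -s 32m "$img"
    md=$(mdconfig -a -t vnode -f "$img")        # prints the unit name, e.g. md0

    # State 1: what the installer leaves the root pool in -- user key derived
    # from passphrase AND key file, BOOT flag (-b) set.
    geli init -b -e AES-XTS -l 256 -s 4096 -J "$passfile" -K "$keyfile" "/dev/$md"
    # Always keep a metadata backup before setkey; 'geli restore' undoes a mistake.
    geli backup "/dev/$md" "$dir/metadata.backup"
    geli attach -j "$passfile" -k "$keyfile" "/dev/$md"

    # Write a marker through the encrypted device so we can prove the data is
    # still readable after the key change (conv=sync pads to one 4096B sector).
    printf 'GELI-KEYFILE-ONLY-OK' | dd of="/dev/$md.eli" bs=4096 count=1 conv=sync 2>/dev/null

    # State 2: the change from the thread.  On an attached provider the current
    # key need not be given; -P drops the passphrase component, -K sets the key file.
    geli setkey -P -K "$keyfile" "/dev/$md"
    geli detach "/dev/$md.eli"

    # State 3: re-attach with the key file only (-p = no passphrase component).
    geli attach -p -k "$keyfile" "/dev/$md"
    marker=$(dd if="/dev/$md.eli" bs=4096 count=1 2>/dev/null | tr -d '\0' | head -c 20)
    bootflag=$(geli list "$md.eli" | grep -c 'BOOT')   # BOOT flag survives setkey

    geli detach "/dev/$md.eli"
    mdconfig -d -u "$md"
    rm -rf "$dir"

    if [ "$marker" = "GELI-KEYFILE-ONLY-OK" ] && [ "$bootflag" -ge 1 ]; then
        echo verified
    else
        echo failed
        return 1
    fi
}

geli_keyfile_demo
```

Run it as root and it prints `verified`; the `geli list` check confirms that `setkey` leaves the BOOT flag alone, so the mountroot breakage Michael saw after `geli configure -B` is a separate effect of clearing that flag, not of the key change. There is no trap-based cleanup, so if a step fails under `set -e` the md device and scratch files are left for inspection and must be removed by hand.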

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?trinity-1f628aee-bf72-439d-9197-cec358b3acaf-1540547684747>