Date: Fri, 26 Oct 2018 11:54:44 +0200
From: "Michael .." <mikey@usa.com>
To: "John-Mark Gurney" <jmg@funkthat.com>
Cc: freebsd-geom@freebsd.org
Subject: Re: GELI without passphrase on ZFS root
Message-ID: <trinity-1f628aee-bf72-439d-9197-cec358b3acaf-1540547684747@3c-app-mailcom-lxa10>
In-Reply-To: <20181026010630.GD75530@funkthat.com>
References: <trinity-1e9f4851-d935-4fd2-b2af-d362644295eb-1540463114302@3c-app-mailcom-lxa11> <20181026010630.GD75530@funkthat.com>
I can boot using passphrase *and* keyfile encrypted userkey. The keyfile is accessible on /boot/ unencrypted. (Realise this is in no way "secure", but it proves the keyfile is accessible.)

i.e.:

    geli setkey -K /boot/encryption.key /dev/xyz
    (prompted for new passphrase)

Able to reboot correctly by entering new passphrase.

The problem is as soon as I update the userkey to be without the passphrase component, it is still requested during boot and then obviously there is no correct entry.

i.e.:

    geli setkey -K /boot/encryption.key -P /dev/xyz
    (no passphrase prompt due to -P)

Passphrase is still requested during boot and cannot proceed.

I tried "geli configure -B /dev/xyz" as suggested by Alaksiej; there is no prompt for passphrase, but booting breaks at mountroot (I guess because the "boot" flag has been removed?).

Is this a bug in that geom_eli does not try to decrypt using just the keyfile before prompting the user for a passphrase?

Regards,
Michael.


Sent: Friday, October 26, 2018 at 2:06 AM
From: "John-Mark Gurney" <jmg@funkthat.com>
To: "Michael .." <mikey@usa.com>
Cc: freebsd-geom@freebsd.org
Subject: Re: GELI without passphrase on ZFS root

Michael .. wrote this message on Thu, Oct 25, 2018 at 12:25 +0200:
> Has anyone been able to achieve this?
>
> I installed FreeBSD 11.2 using AutoZFS option with encryption turned on. Passphrase is specified as part of install.
>
> I want to switch to only a keyfile and no passphrase:
>
> geli setkey -K /boot/encryption.key -P /dev/xyz

If this is on your ZFS root that is encrypted w/ the key file, how do you expect to be able to boot the system when the keyfile you need to decrypt is encrypted?

> This completes, but I'm still prompted for passphrase on boot. Nothing appears accepted by the prompt (as the userkey is using only keyfile now?)
>
> Setting geom_eli_passphrase_prompt="NO" doesn't help.

Well, the default boot I believe can only handle passphrase. You can look at these instructions on booting from a USB drive which can contain the key file:
https://forums.freebsd.org/threads/zfs-boot-from-usb.45880/

I don't think zfsboot (which is needed for ZFS root booting) can handle key files, because it needs to get the key file from somewhere, and it is a very small binary, and so does not have the space to load it from other drives...

--
John-Mark Gurney                Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
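The following is an added example, not part of the thread and not FreeBSD project code. It does two things a reader of this exchange would want: it runs the `geli setkey -K ... -P` step the thread describes against a throwaway md(4) device instead of a root disk (FreeBSD, geom_eli and root required for that part), and it provides two small checks that read `geli dump` output and report whether a provider still needs a passphrase and whether its BOOT flag is set. Assumptions not confirmed by the thread: that `geli dump` prints an "iterations: N" line where -1 means no passphrase component, and a "flags: 0x.. (NAME, ...)" line naming the BOOT flag that `geli configure -B` clears. The sample dumps embedded below are constructed in that assumed layout, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project).
# Offline checks over `geli dump` output plus a FreeBSD-only demo of the
# keyfile-only key slot the thread is about, done on an md(4) device.
#
# Assumed layout of `geli dump` (not confirmed by the thread): an
# "iterations: N" line, where -1 means no passphrase component (-P), and a
# "flags: 0x.. (NAME, ...)" line that names BOOT when that flag is set.

# geli_needs_passphrase: exit 0 if the metadata on stdin still uses a
# passphrase, 1 if the master key is protected by keyfile(s) alone,
# 2 if the iterations field is missing from the input.
geli_needs_passphrase() {
    iterations=$(awk '/^[[:space:]]*iterations:/ { print $2; exit }')
    case "$iterations" in
        '')  return 2 ;;
        -1)  return 1 ;;
        *)   return 0 ;;
    esac
}

# geli_has_boot_flag: exit 0 if the flags line on stdin names BOOT, else 1.
geli_has_boot_flag() {
    grep -Eq '^[[:space:]]*flags:.*[(,][[:space:]]*BOOT[[:space:]]*[,)]'
}

# Constructed sample dumps (not captured from a real system), in the assumed
# layout, so the checks can be exercised on any machine without geli.
SAMPLE_DUMP_PASSPHRASE='Metadata on /dev/md0:
     magic: GEOM::ELI
   version: 7
     flags: 0x2 (BOOT)
     ealgo: AES-XTS
    keylen: 256
  provsize: 33554432
sectorsize: 4096
      keys: 0x01
iterations: 500000'

SAMPLE_DUMP_KEYONLY='Metadata on /dev/md0:
     magic: GEOM::ELI
   version: 7
     flags: 0x0
     ealgo: AES-XTS
    keylen: 256
  provsize: 33554432
sectorsize: 4096
      keys: 0x01
iterations: -1'

# demo: requires FreeBSD with geom_eli loaded and root. Mirrors the thread:
# key slot 0 starts as keyfile + passphrase, is rewritten with -P so the
# keyfile alone unlocks it, and the provider is re-attached with -p -k.
demo() {
    tmp=$(mktemp -d) || return 1
    dd if=/dev/random of="$tmp/encryption.key" bs=64 count=1 2>/dev/null
    printf 'demo-passphrase\n' > "$tmp/pass"
    md=$(mdconfig -a -t swap -s 32m) || return 1

    # -B none: no metadata backup file; -J: passphrase read from a file
    geli init -B none -s 4096 -K "$tmp/encryption.key" -J "$tmp/pass" "/dev/$md"
    geli dump "/dev/$md" | geli_needs_passphrase && echo "slot 0: passphrase + keyfile"

    geli attach -k "$tmp/encryption.key" -j "$tmp/pass" "/dev/$md"
    # On an attached provider setkey uses the live master key; -P drops the
    # passphrase from the new key component, -K keeps the keyfile.
    geli setkey -n 0 -P -K "$tmp/encryption.key" "/dev/$md"
    geli detach "$md"

    geli dump "/dev/$md" | geli_needs_passphrase || echo "slot 0: keyfile only"
    geli attach -p -k "$tmp/encryption.key" "/dev/$md"   # no passphrase prompt
    geli detach "$md"

    mdconfig -d -u "${md#md}"
    rm -rf "$tmp"
}

# Run the demo only when asked, so the checks above stay usable anywhere:
#   sh geli-keyslot-demo.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```

On a real system the check is simply `geli dump /dev/xyz | geli_needs_passphrase`; an exit status of 1 means the -P rewrite took effect in the metadata, so a boot prompt that still appears after that is coming from the boot code's behaviour rather than from the provider still carrying a passphrase component.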