Date: Fri, 6 May 2016 10:36:42 -0400
From: Allan Jude <allanjude@freebsd.org>
To: freebsd-current@freebsd.org
Subject: Re: GELI Passphrase for disk0p4 on BTX loader - Bad GELI key: -1 with correct passphrase
Message-ID: <572CABFA.5000105@freebsd.org>
In-Reply-To: <CADGo8CXVdRa1BbFsbJ+Q0uoyhiz0aZyWVpnnPcMPB1kW2AfYTA@mail.gmail.com>
References: <CADGo8CXVdRa1BbFsbJ+Q0uoyhiz0aZyWVpnnPcMPB1kW2AfYTA@mail.gmail.com>
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 2016-05-06 07:38, Miguel C wrote:
> Hi,
>
> In recent current build BTX loader now prompts for a geli passphrase, but
> typing the correct passphrase always fails.

It is not the BTX loader, but 'boot2' (gptzfsboot)

>
> After the 2 tries I get to the next part where loader.conf is loaded and I
> am prompted again for a GELI Passphrase (I have geom_eli_passphrase_prompt
> set to "YES"); this is the one that's saved to be used later and it does
> work.
>
> The main difference seems to be the first one is trying to decrypt disk0p4,
> while the other is doing it for "ada0p4" which should mean the same thing
> for geli (I think) but they are not.

This is because device names have not been assigned yet

>
> I've mistyped the passphrase on purpose in the second prompt and let it do
> the normal boot until it tries to attach the devices and ask for a
> passphrase for ada0p4, like the "old days", and if I fail here 3
> times it then switches to "disk0p4" or "DISKIDblahblah" and all of this fails
> with a correct passphrase.
>
> I've used the FreeBSD installer with ZFS + GELI to do this and it seems geli
> only knows how to decrypt "ada0..." but nothing else, probably due to how
> it was created, or maybe it's by design...
>
> Anyway for me it works great if I get asked the passphrase when loader.conf
> kicks in, and use it later.
>
> But I am curious about the BTX loader prompt... even if it did work for
> disk0p4 how will it load the keyfile? I can type the passphrase but it
> wouldn't know about the keyfile or be able to access it.
>

It does not currently support loading key files, and that is why it did not
work.

This change was committed a while ago, and has since been protected behind a
new GELI flag, so you have to specifically turn this feature (prompting for
the passphrase in gptzfsboot, which allows you to boot without having to have
an unencrypted /boot) on.

If you update your source to a more recent -current, and install that version
of gptzfsboot and /boot/zfsloader, this should stop happening to you.

In the future, the plan is for gptzfsboot to support loading your key file
from a new dedicated partition type, freebsd-gelikey.

> Thanks
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>

--
Allan Jude
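The reply above says the gptzfsboot passphrase prompt is gated behind a new GELI flag and that the boot code cannot load key files. The script below is an added example, not code from the thread or from FreeBSD, showing how a practitioner would check whether a provider carries that flag and which commands turn it on and refresh the boot code. It assumes the flag is the one set by `geli configure -g` (shown as GELIBOOT on the "Flags:" line of `geli list`, as documented in geli(8) for FreeBSD 11 and later), that the "Flags:" line is comma separated, and that the provider name ada0p4, disk ada0 and boot partition index 1 are placeholders to be replaced from `gpart show`. The `geli list` output it parses is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD tree): detect whether a
# GELI provider has the GELIBOOT flag that makes gptzfsboot prompt for the
# passphrase, and print the commands to enable it and reinstall the boot code.
#
# Assumptions: `geli configure -g <prov>` sets the flag (geli(8), FreeBSD 11+),
# and `geli list` reports it as "GELIBOOT" on a comma-separated "Flags:" line.
# Provider/disk/partition names are placeholders, not values from the thread.

# Constructed sample of `geli list ada0p4.eli` for a provider that was
# created with -b (kernel attaches it at boot and asks for the passphrase)
# but without -g, which matches the "boot code prompt fails" symptom.
SAMPLE_GELI_LIST='Geom name: ada0p4.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: software
Version: 7
UsedKey: 0
Flags: BOOT
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: ada0p4.eli
   Mediasize: 10737418240 (10G)
   Sectorsize: 4096
   Mode: r1w1e1
Consumers:
1. Name: ada0p4
   Mediasize: 10737418240 (10G)
   Sectorsize: 512
   Mode: r1w1e1'

# geli_flags TEXT -> the comma-separated flag list from the "Flags:" line.
geli_flags() {
    printf '%s\n' "$1" | sed -n 's/^Flags: *//p'
}

# geli_has_flag TEXT FLAG -> exit 0 if FLAG is present, 1 otherwise.
# Split on commas and compare whole tokens so BOOT does not match GELIBOOT.
geli_has_flag() {
    geli_flags "$1" | tr ',' '\n' | tr -d ' ' | grep -qxF "$2"
}

# enable_geliboot_cmds PROVIDER DISK BOOT_PART_INDEX -> the two commands an
# admin runs: set the flag on the provider, then rewrite pmbr + gptzfsboot.
# Only useful for passphrase-only providers: per the reply above, gptzfsboot
# cannot load a key file, so a -K/-J provider still fails at the boot prompt.
enable_geliboot_cmds() {
    prov=$1; disk=$2; idx=$3
    printf 'geli configure -g %s\n' "$prov"
    printf 'gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i %s %s\n' "$idx" "$disk"
}

if geli_has_flag "$SAMPLE_GELI_LIST" GELIBOOT; then
    echo "GELIBOOT is set: gptzfsboot will prompt for the passphrase"
else
    echo "GELIBOOT is not set; to enable it on a passphrase-only provider run:"
    enable_geliboot_cmds ada0p4 ada0 1
fi
```

Run it against real output by replacing SAMPLE_GELI_LIST with `$(geli list ada0p4.eli)`; the flag is read from the on-disk metadata, so it is the right thing to check when the prompt appears but rejects a passphrase that works from the kernel.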
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?572CABFA.5000105>