From: Miguel C
Date: Fri, 6 May 2016 16:06:21 +0100
Subject: Re: GELI Passphrase for disk0p4 on BTX loader - Bad GELI key: -1 with correct passphrase
To: Allan Jude
Cc: freebsd-current
In-Reply-To: <572CABFA.5000105@freebsd.org>

On Fri, May 6, 2016 at 3:36 PM, Allan Jude wrote:
> On 2016-05-06 07:38, Miguel C wrote:
> > Hi,
> >
> > In a recent current build, the BTX loader now prompts for a GELI passphrase, but
> > typing the correct passphrase always fails.
>
> It is not the BTX loader, but 'boot2' (gptzfsboot)
>
> > After the 2 tries I get to the next part where loader.conf is loaded and I
> > am prompted again for a GELI passphrase (I have geom_eli_passphrase_prompt
> > set to "YES"). This is the one that's saved to be used later, and it does
> > work.
> >
> > The main difference seems to be that the first one is trying to decrypt disk0p4,
> > while the other is doing it for "ada0p4", which should mean the same thing
> > for geli (I think), but they are not.
>
> This is because device names have not been assigned yet
>
> > I've mistyped the passphrase on purpose in the second prompt and let it do
> > the normal boot until it tries to attach the devices and asks for a
> > passphrase for ada0p4, like the "old days", and if I fail here 3
> > times it then switches to "disk0p4" or "DISKIDblahblah", and all of these fail
> > with a correct passphrase.
> >
> > I've used the FreeBSD installer with ZFS + GELI to do this, and it seems geli
> > only knows how to decrypt "ada0..." but nothing else, probably due to how
> > it was created, or maybe it's by design...
> >
> > Anyway, for me it works great if I get asked for the passphrase when loader.conf
> > kicks in, and it's used later.
> >
> > But I am curious about the BTX loader prompt... even if it did work for
> > disk0p4, how will it load the keyfile? I can type the passphrase, but it
> > wouldn't know about the keyfile or be able to access it.
> >
>
> It does not currently support loading key files, and that is why it did
> not work.
>
> This change was committed a while ago, and has since been protected
> behind a new GELI flag, so you have to specifically turn this feature
> (prompting for the passphrase in gptzfsboot, which allows you to boot
> without having to have an unencrypted /boot) on.
>
> If you update your source to a more recent -current, and install that
> version of gptzfsboot and /boot/zfsloader, this should stop happening to
> you.
>
> In the future, the plan is for gptzfsboot to support loading your key
> file from a new dedicated partition type, freebsd-gelikey
>

Cool, I had a "somewhat recent" source (March something), but I am now
updating to the latest and I'll confirm the change after the kernel/world sync.

That does sound like a perfect solution, can't wait.

> Thanks
>
> --
> Allan Jude