From owner-freebsd-questions@freebsd.org  Tue Sep 27 14:28:27 2016
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 65635BECA24
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Tue, 27 Sep 2016 14:28:27 +0000 (UTC)
 (envelope-from freebsd-listen@fabiankeil.de)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de
 [80.67.18.14])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 299BFC6D
 for <freebsd-questions@freebsd.org>; Tue, 27 Sep 2016 14:28:26 +0000 (UTC)
 (envelope-from freebsd-listen@fabiankeil.de)
Received: from [78.35.139.249] (helo=fabiankeil.de)
 by smtprelay02.ispgateway.de with esmtpsa (TLSv1.2:AES256-GCM-SHA384:256)
 (Exim 4.84) (envelope-from <freebsd-listen@fabiankeil.de>)
 id 1botEu-00068A-Ep; Tue, 27 Sep 2016 16:20:08 +0200
Date: Tue, 27 Sep 2016 16:16:13 +0200
From: Fabian Keil <freebsd-listen@fabiankeil.de>
To: Shamim Shahriar <shamim.shahriar@gmail.com>
Cc: "freebsd-questions@FreeBSD.org" <freebsd-questions@freebsd.org>
Subject: Re: geli setkey n 1 anomaly :: or am I missing something
Message-ID: <20160927161613.38d87336@fabiankeil.de>
In-Reply-To: <CAOyJeZS38K5tHMhqu-q8rBZ+Y43dJmCkgdqVLKbqmLx_R8xcEg@mail.gmail.com>
References: <CAOyJeZTv6pawc4Uggk7bNb1ATa0mS-usw_c4G=5qW-n-Vqv8VQ@mail.gmail.com>
 <CAOyJeZS38K5tHMhqu-q8rBZ+Y43dJmCkgdqVLKbqmLx_R8xcEg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 boundary="Sig_/yrD0Xdw4MuNNrfYUwRvVyng"; protocol="application/pgp-signature"
X-Df-Sender: Nzc1MDY3
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2016 14:28:27 -0000

--Sig_/yrD0Xdw4MuNNrfYUwRvVyng
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

Shamim Shahriar <shamim.shahriar@gmail.com> wrote:

> Good afternoon all, I am having some difficulty with geli. I am trying to
> set up an encrypted provider for my users, using the setkey feature, but =
it
> is not working.
>=20
> system: FreeBSD 11-RC3
>=20
> from the man page
>      Create an encrypted provider, but use two User Keys: one for your
>      employee and one for you as the company's security officer (so it is
> not
>      a tragedy if the employee "accidentally" forgets his passphrase):
>=20
>            # geli init /dev/da2
>            Enter new passphrase:   (enter security officer's passphrase)
>            Reenter new passphrase:
>            # geli setkey -n 1 /dev/da2
>            Enter passphrase:       (enter security officer's passphrase)
>            Enter new passphrase:   (let your employee enter his passphrase
> ...)
>            Reenter new passphrase: (... twice)
>=20
> Following this path, I have encrypted a provider, ada0p4
>=20
> # geli init -e aes-xts -l 256 -K geli.key /dev/ada0p4
>=20
> Enter new passphrase:   # I enter my passphrase
> Reenter new passphrase: # I re-enter my passphrase
>=20
> all is good.
>=20
> Now, I am trying to set up the passphrase for the colleague
> # geli setkey n 1 -k geli.key /dev/ada0p4
> Enter passphrase:       # entered my passphrase
> Enter new passphrase:   # entered colleague's passphrase
> Reenter new passphrase: # re-entered colleague's passphrase

You probably meant to add "-K geli.key" to also
use a keyfile for the second slot.

> As I try to attach using colleague's passphrase, I get a Wrong key error.
> My key works fine.
>=20
> # geli attach -k geli.key /dev/ada0p4
> Enter passphrase:   # I put colleague's passphrase
> Wrong key

This is expected as no keyfile has been configured
for the second slot.

Fabian

--Sig_/yrD0Xdw4MuNNrfYUwRvVyng
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlfqfy4ACgkQBYqIVf93VJ35HwCgi2sCeKCzGV3kTvuYFpoHkdON
DDAAnRnuiABdcHi8n7d6UePscHpT1/+N
=f+P4
-----END PGP SIGNATURE-----

--Sig_/yrD0Xdw4MuNNrfYUwRvVyng--