Date:      Fri, 26 Oct 2018 22:33:02 +0300
From:      Alaksiej <ac@belngo.info>
Cc:        freebsd-geom <freebsd-geom@freebsd.org>
Subject:   Re: GELI without passphrase on ZFS root
Message-ID:  <CAHsZcQFLiq7=mQtFp6c=2RAAH0eM0rFFFrDnynP2mW%2BggN5tvg@mail.gmail.com>
In-Reply-To: <trinity-1f628aee-bf72-439d-9197-cec358b3acaf-1540547684747@3c-app-mailcom-lxa10>
References:  <trinity-1e9f4851-d935-4fd2-b2af-d362644295eb-1540463114302@3c-app-mailcom-lxa11> <20181026010630.GD75530@funkthat.com> <trinity-1f628aee-bf72-439d-9197-cec358b3acaf-1540547684747@3c-app-mailcom-lxa10>

Michael,

I very rarely use the installer, so I can be wrong, but I have glanced at how it
works with 11.2, and it seems to me it doesn't make an unencrypted /boot with
the Auto ZFS option. So it means you did something manually, right? What
exactly? What is inside your loader.conf? What do you see exactly on your
screen when the OS refuses to proceed with loading? Leave no place for
guessing, please.

On Fri, Oct 26, 2018 at 12:55 PM Michael .. <mikey@usa.com> wrote:

> I can boot using passphrase *and* keyfile encrypted userkey.  The keyfile
> is accessible on /boot/ unencrypted. (I realise this is in no way "secure",
> but it proves the keyfile is accessible), i.e.:
>
> geli setkey -K /boot/encryption.key /dev/xyz
> (prompted for new passphrase)
>
> Able to reboot correctly by entering new passphrase.
>
> The problem is as soon as I update the userkey to be without the
> passphrase component, it is still requested during boot and then obviously
> there is no correct entry. i.e.
>
> geli setkey -K /boot/encryption.key -P /dev/xyz
> (no passphrase prompt due to -P)
>
> Passphrase is still requested during boot and cannot proceed.
>
> I tried "geli configure -B /dev/xyz" as suggested by Alaksiej, there is no
> prompt for passphrase but booting breaks at mountroot (I guess because the
> "boot" flag has been removed?).
>
> Is this a bug in that geom_eli does not try to decrypt using just keyfile
> before prompting user for passphrase?
>
> Regards,
>
> Michael.
>
> Sent: Friday, October 26, 2018 at 2:06 AM
> From: "John-Mark Gurney" <jmg@funkthat.com>
> To: "Michael .." <mikey@usa.com>
> Cc: freebsd-geom@freebsd.org
> Subject: Re: GELI without passphrase on ZFS root
> Michael .. wrote this message on Thu, Oct 25, 2018 at 12:25 +0200:
> > Has anyone been able to achieve this?
> >
> > I installed FreeBSD 11.2 using AutoZFS option with encryption turned
> on.  Passphrase is specified as part of install.
> >
> > I want to switch to only a keyfile and no passphrase:
> >
> > geli setkey -K /boot/encryption.key -P /dev/xyz
>
> If this is on your ZFS root that is encrypted w/ the key file, how do
> you expect to be able to boot the system when the keyfile you need to
> decrypt is encrypted?
>
> > This completes, but I'm still prompted for passphrase on boot.  Nothing
> appears accepted by the prompt (as the userkey is using only keyfile now?)
> >
> > Setting geom_eli_passphrase_prompt="NO" doesn't help.
>
> Well, the default boot I believe can only handle passphrase.
>
> You can look at these instructions on booting from a USB drive which can
> contain the key file:
> https://forums.freebsd.org/threads/zfs-boot-from-usb.45880/
>
> I don't think zfsboot (which is needed for ZFS root booting) can handle
> key files, because it needs to get the key file from somewhere, and it
> is a very small binary, and so does not have the space to load it from
> other drives...
>
> --
> John-Mark Gurney Voice: +1 415 225 5579
>
> "All that I will do, has been done, All that I have, has not."
>
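The two failure modes described in the thread (keyfile-only userkey, and the BOOT flag cleared by `geli configure -B`) can both be read off a provider's metadata before rebooting. The script below is an added example written for this page, not code from the thread or from FreeBSD; it parses text in the shape of `geli dump <provider>` output and reports whether the loader can be expected to unlock the provider. It assumes that the BOOT flag is bit 0x2 of the `flags:` field and that `iterations: -1` marks a key with no passphrase component; the sample dumps at the bottom are constructed, with fake values.

```shell
#!/bin/sh
# Added example (not from the thread): classify a GELI provider from the
# text of `geli dump <provider>` and say whether the boot loader can be
# expected to unlock it.
#
# Assumptions (labelled, not taken from the thread):
#   - the BOOT flag is bit 0x2 of the "flags:" field
#   - "iterations: -1" marks a key set with geli -P (no passphrase component)
#   - the fields look like the constructed samples at the bottom

# geli_key_mode: read `geli dump` text on stdin, print
# "boot=<yes|no> passphrase=<yes|no>"; exit 2 if the input is not geli metadata
geli_key_mode() {
    dump=$(cat)
    flags=$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*flags:[[:space:]]*//p' | head -n 1)
    iters=$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*iterations:[[:space:]]*//p' | head -n 1)
    [ -n "$flags" ] && [ -n "$iters" ] || { echo "error: not geli dump output" >&2; return 2; }
    if [ $(( flags & 2 )) -ne 0 ]; then boot=yes; else boot=no; fi
    if [ "$iters" = "-1" ]; then pass=no; else pass=yes; fi
    echo "boot=$boot passphrase=$pass"
}

# geli_root_bootable: exit 0 when BOOT is set and a passphrase is still
# present (the only combination the loader handles on an encrypted ZFS root);
# exit 1 with a diagnostic for the two states discussed in the thread
geli_root_bootable() {
    mode=$(geli_key_mode) || return 2
    case "$mode" in
        "boot=yes passphrase=yes") return 0 ;;
        "boot=no "*)
            echo "BOOT flag cleared: loader will not attach this provider, mountroot will fail" >&2
            return 1 ;;
        *"passphrase=no")
            echo "keyfile-only: loader has nothing to prompt for and the keyfile is on the encrypted root" >&2
            return 1 ;;
    esac
}

# Constructed samples modelled on `geli dump` output (fake values)
SAMPLE_PASSPHRASE_BOOT='Metadata on /dev/xyz:
     magic: GEOM::ELI
   version: 7
     flags: 0x2
     ealgo: AES-XTS
    keylen: 256
      keys: 0x01
iterations: 1234567'

SAMPLE_KEYFILE_ONLY='Metadata on /dev/xyz:
     magic: GEOM::ELI
   version: 7
     flags: 0x2
     ealgo: AES-XTS
    keylen: 256
      keys: 0x01
iterations: -1'

SAMPLE_BOOT_CLEARED='Metadata on /dev/xyz:
     magic: GEOM::ELI
   version: 7
     flags: 0x0
     ealgo: AES-XTS
    keylen: 256
      keys: 0x01
iterations: 1234567'

# Demo: run all three samples through the check
for sample in "$SAMPLE_PASSPHRASE_BOOT" "$SAMPLE_KEYFILE_ONLY" "$SAMPLE_BOOT_CLEARED"; do
    if printf '%s\n' "$sample" | geli_root_bootable; then
        echo "ok: loader can unlock this provider"
    fi
done
```

On a live system the same check is `geli dump /dev/xyz | geli_root_bootable`; run it after every `geli setkey` or `geli configure` on the root provider and before rebooting, since either of the two flagged states leaves the machine stuck at the loader prompt or at mountroot.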