From: Alaksiej
Date: Fri, 26 Oct 2018 22:33:02 +0300
Subject: Re: GELI without passphrase on ZFS root
Cc: freebsd-geom
List-Id: GEOM-specific discussions and implementations

Michael,

I very rarely use the installer, so I can be wrong, but I have glanced at how it works with 11.2, and it seems to me it doesn't make an unencrypted /boot with the Auto ZFS option. So it means you did something manually, right? What exactly? What is inside your loader.conf? What do you see exactly on your screen when the OS refuses to proceed with loading? Leave no place for guessing, please.

On Fri, Oct 26, 2018 at 12:55 PM Michael .. wrote:
> I can boot using a passphrase *and* keyfile encrypted userkey. The keyfile
> is accessible on /boot/ unencrypted. (I realise this is in no way "secure",
> but it proves the keyfile is accessible.) i.e.:
>
> geli setkey -K /boot/encryption.key /dev/xyz
> (prompted for new passphrase)
>
> Able to reboot correctly by entering the new passphrase.
>
> The problem is, as soon as I update the userkey to be without the
> passphrase component, it is still requested during boot and then obviously
> there is no correct entry. i.e.:
>
> geli setkey -K /boot/encryption.key -P /dev/xyz
> (no passphrase prompt due to -P)
>
> Passphrase is still requested during boot and I cannot proceed.
>
> I tried "geli configure -B /dev/xyz" as suggested by Alaksiej; there is no
> prompt for a passphrase, but booting breaks at mountroot (I guess because the
> "boot" flag has been removed?).
>
> Is this a bug, in that geom_eli does not try to decrypt using just the keyfile
> before prompting the user for a passphrase?
>
> Regards,
>
> Michael.
>
> Sent: Friday, October 26, 2018 at 2:06 AM
> From: "John-Mark Gurney"
> To: "Michael .."
> Cc: freebsd-geom@freebsd.org
> Subject: Re: GELI without passphrase on ZFS root
>
> Michael .. wrote this message on Thu, Oct 25, 2018 at 12:25 +0200:
> > Has anyone been able to achieve this?
> >
> > I installed FreeBSD 11.2 using the AutoZFS option with encryption turned
> > on. The passphrase is specified as part of the install.
> >
> > I want to switch to only a keyfile and no passphrase:
> >
> > geli setkey -K /boot/encryption.key -P /dev/xyz
>
> If this is on your ZFS root that is encrypted w/ the key file, how do
> you expect to be able to boot the system when the keyfile you need to
> decrypt is encrypted?
>
> > This completes, but I'm still prompted for a passphrase on boot. Nothing
> > appears accepted by the prompt (as the userkey is using only the keyfile now?).
> >
> > Setting geom_eli_passphrase_prompt="NO" doesn't help.
>
> Well, the default boot I believe can only handle a passphrase.
>
> You can look at these instructions on booting from a USB drive which can
> contain the key file:
> https://forums.freebsd.org/threads/zfs-boot-from-usb.45880/
>
> I don't think zfsboot (which is needed for ZFS root booting) can handle
> key files, because it needs to get the key file from somewhere, and it
> is a very small binary, and so does not have the space to load it from
> other drives...
>
> --
> John-Mark Gurney Voice: +1 415 225 5579
>
> "All that I will do, has been done, All that I have, has not."