Date:      Sat, 27 Oct 2018 01:59:06 +0200
From:      "Michael .." <mikey@usa.com>
To:        freebsd-geom@freebsd.org
Subject:   Re: GELI without passphrase on ZFS root
Message-ID:  <trinity-f447292a-af95-4bf7-966d-f337189b6f6f-1540598346135@3c-app-mailcom-lxa01>


Alaksiej,

You are correct.

I originally tried to configure this on an installation of pfSense (using UEFI+GPT).  The default AutoZFS installer with encryption for this does appear to create an unencrypted /boot/ with an encryption.key keyfile used along with passphrase.  I tried to set the userkey using just the keyfile to remove the use of passphrase.  I can reset a userkey using both passphrase and keyfile (located in /boot) and the system will boot successfully.  I think this proves /boot is accessible unencrypted for reading the keyfile.

loader.conf is (by default):

geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key"
aesni_load="YES"
geom_eli_load="YES"
kern.cam.boot_delay=10000
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbjumbop="524288"
kern.ipc.nmbjumbo9="524288"
vfs.root.mountfrom="zfs:zroot/ROOT/default"
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
zpool_cache_load="YES"
zpool_cache_type="/boot/zfs/zpool.cache"
zpool_cache_name="/boot/zfs/zpool.cache"
geom_eli_passphrase_prompt="YES"
zfs_load="YES"
autoboot_delay="3"
hw.usb.no_pf="1"

Using geli configure -B /dev/ada0p4 as you suggested results in:

     Mounting from zfs:zroot/ROOT/default failed with error 2

     Loader variables:
          vfs.root.mountfrom=zfs:zroot/ROOT/default

When I couldn't get it working, I switched to a virtual machine running straight FreeBSD 11.2 (albeit BIOS+GPT).  I realised this evening that the default disk partitioning is not the same - and a keyfile is not used by default when selecting encryption under the AutoZFS installer option - just a passphrase.  I guess the installer is customised for pfSense.

Regards,

Michael. 
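
The loader.conf quoted above is what decides how the GELI provider gets unlocked at boot: the geli_*_keyfile*_name entries point loader(8) at a keyfile sitting on the unencrypted /boot, and geom_eli_passphrase_prompt decides whether a passphrase is still required alongside it. The following POSIX shell script is an added example, not code from the mailing-list thread or from FreeBSD; it reads a loader.conf, lists the keyfiles the loader will load, and reports whether the configuration is passphrase+keyfile, keyfile-only (the keyfile alone unlocks the root pool, so anyone who can read the boot partition can unlock it) or passphrase-only. The embedded sample is constructed from the variables quoted in the post; the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit a FreeBSD loader.conf for how the GELI root provider
# is unlocked at boot. Not part of the original post or of FreeBSD.

# Constructed sample, assembled from the loader.conf lines quoted in the post.
SAMPLE_LOADER_CONF='geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key"
aesni_load="YES"
geom_eli_load="YES"
geom_eli_passphrase_prompt="YES"
zfs_load="YES"'

# Print "<provider> <keyfile path>" for every keyfile loader(8) will load.
# Only the *_keyfileN_name lines carry the path; *_type and *_load are skipped.
geli_keyfiles() {
    sed -n 's/^geli_\([a-z0-9]*\)_keyfile[0-9]*_name="\([^"]*\)"$/\1 \2/p' "$1"
}

# Succeed (exit 0) when the loader will still prompt for a passphrase.
passphrase_prompted() {
    grep -q '^geom_eli_passphrase_prompt="YES"$' "$1"
}

# Classify the unlock configuration of the given loader.conf.
#   passphrase+keyfile : keyfile on /boot plus an interactive passphrase
#   keyfile-only       : the keyfile alone unlocks the provider; since /boot is
#                        unencrypted, possession of the disk is possession of the key
#   passphrase-only    : no keyfile referenced, passphrase prompt enabled
#   none               : loader.conf configures no GELI unlock at all
geli_boot_mode() {
    if [ -n "$(geli_keyfiles "$1")" ]; then
        if passphrase_prompted "$1"; then echo "passphrase+keyfile"; else echo "keyfile-only"; fi
    else
        if passphrase_prompted "$1"; then echo "passphrase-only"; else echo "none"; fi
    fi
}

# Stand-alone run against the constructed sample; pass a real path
# (e.g. /boot/loader.conf) to the two functions to audit a live system.
conf=$(mktemp)
printf '%s\n' "$SAMPLE_LOADER_CONF" > "$conf"
echo "keyfiles loaded by loader(8):"
geli_keyfiles "$conf"
echo "unlock mode: $(geli_boot_mode "$conf")"
rm -f "$conf"
```

On the pfSense layout described in the post the verdict is passphrase+keyfile; after removing the passphrase from the user key the same loader.conf would be reported as keyfile-only, which is the state that makes the keyfile on unencrypted /boot the only secret protecting the pool.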