Date:      Tue, 1 Feb 2022 21:04:48 +0100
From:      Gary Jennejohn <gljennjohn@gmail.com>
To:        Georg Bege <georg@bege.email>
Cc:        freebsd-amd64@FreeBSD.org
Subject:   Re: geli keyfile arguments / gpt partitions
Message-ID:  <20220201210448.72565274@ernst.home>
In-Reply-To: <54f1aaaa-d4ed-1273-df9d-27cae3c1dc5f@bege.email>
References:  <54f1aaaa-d4ed-1273-df9d-27cae3c1dc5f@bege.email>

On Tue, 1 Feb 2022 20:06:06 +0100
Georg Bege <georg@bege.email> wrote:

> Hello mailing list,
> 
> I'm trying to realize a specific encrypted setup on my FreeBSD machine at home.
> 
> For now I have a raidz2 pool, which did contain root - however it doesn't boot any longer.
> 
> I have a dedicated SATA disk with UEFI boot code and /boot data, so this works and I can boot up.
> 
> What I wanted to do now is encrypt the devices of the pool,
> 
> which should work in general because I can boot the kernel and thus the kernel should be able to decrypt the required disk devices.
> 
> 
> My issue is now that if I find anything on Google etc., all examples want me to put the keyfile on /boot and then provide it as an argument like:
> geli_<device>_keyfile0_name="/boot/encrypted.key"
> 
> This is something I don't want to do; instead I'd prefer to put the keyfile data on a single GPT partition of a USB stick of my choice -
> 
> I can reach this device whenever I boot up... however it seems I cannot provide a /dev/... device just like this as an argument.
> 
> I don't even know if the kernel is able to read raw data from a GPT partition... but well, why not? It should be possible?
> 
> 
> Does anyone have a clue how to achieve this or which arguments I need to provide?
> 

I have a geli-encrypted SSD in a USB3 enclosure and the key and
passphrase are both on a USB stick.  I use bash, so I wrote a
bash function which mounts the stick and then cats the passphrase from
the stick, which I then copy and paste using the mouse.

In my case the SSD is always /dev/daX and the stick is always /dev/daY,
which simplifies the function.

The stick is mounted as /key.

So, basically the function does this:

1) check whether the user is root and bail out if that is not the case
2) mount /dev/daY /key
3) cat the passphrase from /key and copy/paste with the mouse
4) geli attach -k /key/your.key /dev/daX (geli prompts for the passphrase
   here)
5) mount /dev/daX.eli /your_mount_point
6) umount /key
7) clear

Once the SSD is mounted the screen is cleared and I can remove the stick.

Shouldn't be difficult to do this for a fixed disk.

-- 
Gary Jennejohn
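
Added example (not Gary's function, not part of the original message): a POSIX sh version of the seven steps in the reply above. It assumes the stick is /dev/da1 mounted at /key, the encrypted disk is /dev/da0, the key is /key/your.key and the passphrase is in /key/your.pass. One deviation from the mail: geli's -j option reads the passphrase from a file, so step 3's cat and copy/paste is replaced and the passphrase is never printed to the terminal or left in scrollback.

```shell
#!/bin/sh
# Added example, not Gary's script. Assumed names: stick partition /dev/daY
# mounted at /key, encrypted provider /dev/daX, key file /key/your.key,
# passphrase file /key/your.pass (all constructed for this example).
# Set DRY_RUN=1 to print the privileged commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# usage: attach_enc_disk <stick_dev> <encrypted_dev> <mount_point>
attach_enc_disk() {
    stick_dev=$1 ssd_dev=$2 mnt=$3
    key_mnt=/key
    # Step 1: refuse to run unless root (the check is skipped in dry run,
    # where no privileged command is executed)
    if [ "${DRY_RUN:-0}" != 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "attach_enc_disk: must be run as root" >&2
        return 1
    fi
    # Step 2: mount the stick read-only; nothing on it needs to be written
    run mount -o ro "$stick_dev" "$key_mnt" || return 1
    # Steps 3 and 4: -k supplies the key file and -j the passphrase file,
    # so the passphrase is read by geli directly and never displayed
    if run geli attach -k "$key_mnt/your.key" -j "$key_mnt/your.pass" "$ssd_dev"; then
        # Step 5: mount the decrypted provider
        run mount "${ssd_dev}.eli" "$mnt"
        rc=$?
    else
        rc=1
    fi
    # Step 6: always release the stick, even when attach or mount failed
    run umount "$key_mnt"
    # Step 7: clear the screen on success so nothing about the keys remains visible
    [ "$rc" -eq 0 ] && run clear
    return "$rc"
}
```

Running it for real requires root and the devices above; with DRY_RUN=1 it only prints the command sequence, which is a cheap way to check the device names before touching anything.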


