Date: Mon, 14 Feb 2022 15:29:55 -0800
From: John-Mark Gurney <jmg@funkthat.com>
To: Georg Bege <georg@bege.email>
Cc: freebsd-amd64@FreeBSD.org
Subject: Re: geli keyfile arguments / gpt partitions
Message-ID: <20220214232955.GF97875@funkthat.com>
In-Reply-To: <54f1aaaa-d4ed-1273-df9d-27cae3c1dc5f@bege.email>
References: <54f1aaaa-d4ed-1273-df9d-27cae3c1dc5f@bege.email>
Georg Bege wrote this message on Tue, Feb 01, 2022 at 20:06 +0100:
> Hello mailing list,
>
> I'm trying to realize a specific encrypted setup on my FreeBSD machine at
> home.
>
> For now I've a raidz2 pool, which did contain root - however it doesn't
> boot any longer.
>
> I have a dedicated SATA disk with UEFI boot code and /boot data, so this
> works and I can boot up.
>
> What I wanted to do now is encrypt the devices of the pool,
> which should work in general because I can boot the kernel and thus the
> kernel should be able to decrypt the required disk devices.
>
> My issue is now that if I find anything on google etc, all examples want
> me to put the keyfile on /boot and then provide it as an argument like:
> geli_<device>_keyfile0_name="/boot/encrypted.key"
>
> This is something I don't want to do, instead I'd prefer that I put the
> keyfile data on a single gpt partition of a usb stick of my choice -
> I can reach this device whenever I boot up... however it seems I can not
> provide a /dev/... device just like this as an argument.
>
> I don't even know if the kernel is able to read raw data from a gpt
> partition... but well why not? It should be possible?
>
> Has anyone a clue how to achieve this or which arguments I need to provide?

I wrote a custom rc.d script to handle this. The core is:

    cd /<keydir> && for i in *.key; do
        # try both the glabel and the GPT label form of the provider name
        geli attach -p -k "$i" "label/${i%.key}"
        geli attach -p -k "$i" "gpt/${i%.key}"
    done

I now realize I could do a if [ -c <dev> ] before each so I don't get the
error message, but I wrote this a LONG time ago, and it wasn't a big deal
to [not] see the error messages on boot...

and before the above, I have code that mounts the device w/ the keys on it..

the -p is necessary in addition to the -k:

     -k keyfile
             Specifies a file which contains the keyfile component of the
             User Key (or part of it).  For more information see the
             description of the -K option for the init subcommand.

     -p      Do not use a passphrase as a component of the User Key.
             Cannot be combined with the -j option.

-- 
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
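A fuller version of the approach in the reply, as an added example that is not John-Mark's actual rc.d script: it mounts the key partition by GPT label, applies the [ -c ] check he mentions before each attach so only the provider form that exists is tried, and unmounts the key partition again afterwards. gpt/gelikeys and /mnt/gelikeys are assumed names; dev_present exists only so the device check can be stubbed outside a FreeBSD host.

```shell
#!/bin/sh
# Added example, not the poster's script: helper for a FreeBSD rc.d start
# method that mounts a key partition by GPT label, attaches every geli
# provider with a matching <name>.key file, then unmounts the keys again.
KEYS_LABEL="${KEYS_LABEL:-gpt/gelikeys}"   # assumed: USB partition holding the keys
KEY_MNT="${KEY_MNT:-/mnt/gelikeys}"        # assumed: where it is mounted

# True when the device node exists; a function so it can be stubbed in tests.
dev_present() {
    [ -c "/dev/$1" ]
}

# Attach one provider from its key file, trying the glabel and GPT label
# forms as in the original post, but only where the node exists, so the
# absent form prints no error. Returns 0 once an attach succeeded.
attach_from_key() {
    keyfile="$1"
    prov=${keyfile##*/}; prov=${prov%.key}     # /x/tank0.key -> tank0
    for dev in "label/$prov" "gpt/$prov"; do
        if dev_present "$dev"; then
            # -p: no passphrase component; -k: keyfile component of the User Key
            geli attach -p -k "$keyfile" "$dev" && return 0
        fi
    done
    echo "geli: no device node for provider $prov" >&2
    return 1
}

# Attach every *.key in a directory; returns 1 if any provider failed.
attach_all() {
    keydir="$1"; rc=0
    for k in "$keydir"/*.key; do
        [ -e "$k" ] || continue               # unexpanded glob: no key files
        attach_from_key "$k" || rc=1
    done
    return $rc
}

# Mount the key partition read-only, attach, then unmount so the key files
# are not left reachable once the providers are up.
geli_keys_start() {
    mkdir -p "$KEY_MNT" && mount -o ro "/dev/$KEYS_LABEL" "$KEY_MNT" || return 1
    attach_all "$KEY_MNT"; rc=$?
    umount "$KEY_MNT"
    return $rc
}

if [ "${1:-}" = start ]; then geli_keys_start; fi
```

Invoke geli_keys_start from the start method of an rc.d script ordered before zfs so the providers are attached when the pool is imported.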