To: freebsd-questions@freebsd.org
From: Julian Hsiao
Subject: FreeBSD 10.1 encrypted root-on-ZFS without passphrase
Date: Mon, 12 Jan 2015 23:43:01 -0800

Hi,

I'm trying to install FreeBSD 10.1 with all partitions (except /boot, of course) encrypted, but without a passphrase. I chose "Auto (ZFS)" and then "Encrypt Disks? YES" in the installer, entered a dummy passphrase, and proceeded with the rest of the install. Afterwards, I dropped into the manual configuration shell:

    # zpool status zroot | grep eli | cut -w -f 2
    ada0p4.eli
    # geli setkey -k /boot/encryption.key -K /boot/encryption.key -P ada0p4
    Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file.
    # geli configure -B ada0p4
    # exit

However, upon reboot I get this error during startup:

    Trying to mount root from zfs:zroot/ROOT/default []...
    Mounting from zfs:zroot/ROOT/default failed with error 2.

If I omit "geli configure -B" during manual configuration, then I'd be prompted for a passphrase during boot, but no passphrase would work. I'm pretty sure the passphrase was removed, however, since I also tried to unlock the partition with a working system with just "geli attach -p -k" and that worked.

I also tried adding to loader.conf:

    geli_ada0p4_flags=" -p"

And that didn't help. What else am I overlooking?