From: CyberLeo Kitsana
To: Mason Loring Bliss, freebsd-questions@freebsd.org
Date: Wed, 04 Mar 2015 09:55:52 -0600
Subject: Re: GELI key question...
Message-ID: <54F72B08.3020404@cyberleo.net>
In-Reply-To: <20150304015753.GV3375@blisses.org>

On 03/03/2015 07:57 PM, Mason Loring Bliss wrote:
> Hi all.
>
> Right now I've got root-on-ZFS-on-GELI from the 10.x installer, but I don't
> understand all the moving parts, and I'd love some pointers. In particular,
> the man pages geli(8) and loader.conf(5) don't tell me what I want.
>
> I've got an ultimate goal and a short term goal. The short term goal is to
> have a key on a USB stick (maybe in a UFS2 partition, maybe just data on the
> disk itself - doesn't matter) and have loader.conf reference that as the key
> to unlock my root disk(s), for unattended boot as long as the USB stick is
> inserted in the system.
>
> First thing that's unclear: Where is the GELI syntax for loader.conf
> documented? The GELI man page gives examples of use, but it doesn't say how
> the configs are composed.
>
> For example, it shows this:
>
> geli_da0_keyfile0_load="YES"
> geli_da0_keyfile0_type="da0:geli_keyfile0"
> geli_da0_keyfile0_name="/boot/keys/da0.key0"
>
> Is the name of the variable fixed there? What's interpreting it? Would this
> be valid?
>
> geli_foo_keyfile0_load="YES"
> geli_foo_keyfile0_type="da0:geli_keyfile0"
> geli_foo_keyfile0_name="/boot/keys/da0.key0"

The names of the variables themselves mean nothing, excepting that they must
all match and follow this pattern. The way the loader processes these is as
such:

foo_load="YES"                  <- We want to load a module we call 'foo'.
foo_type="da0:geli_keyfile0"    <- Set the 'foo' module type.
foo_name="/boot/keys/da0.key0"  <- Set the path to the 'foo' module data.

The 'type' is merely a tag so that the code in the kernel can find it later,
after control is passed thereto. For geli keyfiles, the type consists of the
device name, a colon, the phrase 'geli_keyfile', and the position of the
keyfile (since you can load multiple, and they are all concatenated in order).

> More relevant, can the _name variable specify another device? If so, can I
> use gpt labels for this, so that I can point to gpt/keypart? Or are those
> only available once the system has booted? I'd like to not have to depend on
> the USB key having the same device on each boot, and gpt labels seem ideal
> for this.

I doubt this, as the loader is really only guaranteed to know about the boot
filesystem. If you were to try, you would have to figure out how to refer to
the devices by their loader names (disk0, disk1), and not by their kernel
names (da0, ada0). It is not outside the realm of possibility to teach
loader(8) to understand labels, but nobody has done so.

> Next, I don't see loader.conf specifying which slot to use. I could be
> confusing the concepts... My understanding is that there is one key and a
> couple slots for user keys. Is my idea of having the bootloader default to
> the USB stick unless it's not there and use a file-and-passphrase already on
> /boot otherwise feasible? I'm not sure how to specify an order to try, never
> mind the location on another device of one of the keys.

The geli attach code will try all slots until it finds one that works; if
none match, it will request a passphrase to combine with the keyfiles.

> > end_of_line? if 0 else letter? digit? underscore? dot? or or or then
> Mmm, reverse-polish notation.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net

Furry Peace! - http://www.fur.com/peace/
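The variable pattern explained in the reply above (each <prefix>_load="YES" needs a matching <prefix>_type and <prefix>_name, and the type tag must read <device>:geli_keyfile<N> or the kernel will never find the preloaded keyfile) lends itself to a quick configuration check before rebooting a GELI-encrypted host. The POSIX sh script below is an added example, not code from this thread or from FreeBSD; the loader.conf it writes is a constructed sample, and the regular expression it uses for the type tag is my reading of the pattern described, not something taken from the loader sources.

```shell
#!/bin/sh
# Sanity-check the GELI keyfile preload entries in a loader.conf (added example).
# For every <prefix>_load="YES" the loader expects a matching
# <prefix>_type="<dev>:geli_keyfile<N>" and a <prefix>_name="<path>".
# Prints one line per entry: "ok <dev> <N> <path>" or "BAD <prefix>: <reason>".
check_geli_loader_conf() {
    conf="$1"
    # Reduce the file to var=value pairs; quotes around values are optional.
    entries=$(sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#]*\)"\{0,1\}.*$/\1=\2/p' "$conf")
    printf '%s\n' "$entries" | grep '^geli_.*_load=YES$' | sort | while IFS= read -r line; do
        prefix=${line%_load=YES}
        mtype=$(printf '%s\n' "$entries" | sed -n "s/^${prefix}_type=//p" | head -n 1)
        mname=$(printf '%s\n' "$entries" | sed -n "s/^${prefix}_name=//p" | head -n 1)
        if [ -z "$mtype" ]; then
            echo "BAD $prefix: missing ${prefix}_type"
        elif ! printf '%s\n' "$mtype" | grep -Eq '^[^:]+:geli_keyfile[0-9]+$'; then
            echo "BAD $prefix: type '$mtype' is not <dev>:geli_keyfile<N>"
        elif [ -z "$mname" ]; then
            echo "BAD $prefix: missing ${prefix}_name"
        else
            # Device is everything before the colon, N is what follows the tag.
            echo "ok ${mtype%%:*} ${mtype##*geli_keyfile} $mname"
        fi
    done
}

# Write a constructed sample loader.conf (not from any real system) to $1:
# a complete entry for da0, a second da0 keyfile whose type tag is wrong,
# and an ada1 entry with no _name line.
write_sample_conf() {
    cat >"$1" <<'EOF'
zfs_load="YES"
geli_da0_keyfile0_load="YES"
geli_da0_keyfile0_type="da0:geli_keyfile0"
geli_da0_keyfile0_name="/boot/keys/da0.key0"
geli_da0_keyfile1_load="YES"
geli_da0_keyfile1_type="da0:keyfile1"   # tag lacks the geli_ prefix
geli_da0_keyfile1_name="/boot/keys/da0.key1"
geli_ada1_keyfile0_load="YES"
geli_ada1_keyfile0_type="ada1:geli_keyfile0"
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp)
write_sample_conf "$tmp"
check_geli_loader_conf "$tmp"
rm -f "$tmp"
```

Point it at /boot/loader.conf on the host instead of the sample to review real entries; the "ok" lines also show the per-device keyfile order in which the pieces will be concatenated.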