From: "Frank J. Beckmann"
Organization: agala naga doron
To: freebsd-geom@freebsd.org
Date: Thu, 20 Oct 2005 02:31:02 +0200
Subject: Re: Password from shsec when booting eli encrypted / ?
In-Reply-To: <20050928084331.GA24355@garage.freebsd.pl>
References: <200509271357.32327.frank@barda.agala.net> <20050928084331.GA24355@garage.freebsd.pl>
Message-Id: <200510200232.39374.frank@barda.agala.net>
User-Agent: KMail/1.8.2

Hi,

On Wednesday, 28 September 2005 10:43, Pawel Jakub Dawidek wrote:
> On Tue, Sep 27, 2005 at 01:57:30PM +0200, Frank J. Beckmann wrote:
> > I start to love the new GEOM classes; they give me many ideas but also
> > raise many questions. The man page of geli states that you can encrypt /
> > when you boot from a USB pen drive. That must contain /boot. Does it
> > find / or do I have to set rootdev in loader.conf?
>
> You need to set up USB boot in the BIOS and that's actually all.

None of my computers is able to boot from USB, but that's another problem.
I hope to get some newer hardware sooner or later...

> It will ask you for the passphrase before the root file system is mounted
> and will find the root partition in /etc/fstab after decryption.

That is how I understood the man page. But that is no great solution for an
unattended server.

> > And is it possible to get the password (or any other needed secret) from
> > a gshsec device instead of a console prompt?
>
> No.

I guessed you would say that. Would it be possible to mount a shsec device
read-only like /? The kernel knows how to read a UFS file system, else it
could not boot.

> Currently you can use only a passphrase strengthened with PKCS#5v2 for the
> root partition.
> There are no file systems mounted yet, so you cannot get the secret from
> a file. In theory it will be possible to get the secret from a raw device
> (storing info about this in /boot/loader.conf).
> BUT this is hackish and evil, so I'll wait for a better solution.

Where do I have to start looking for a better solution? Could the kernel be
able to read from something in /dev/ufs?

-- 
Frank
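The two mechanisms the thread turns on, as an added example that is not part of the original message or of the geli/gshsec code: a gshsec device shares a secret across several providers so that every provider is needed to recover it, and geli strengthens a root passphrase with PKCS#5 v2 (PBKDF2). The block below implements the textbook XOR construction for "all N shares required" sharing (the on-disk metadata gshsec adds around the data is left out, and the assumption that gshsec uses the same XOR principle is mine), then runs the recovered secret through PBKDF2-HMAC-SHA512. The secret, salt and iteration count are constructed for the demo and are not geli's parameters.

```python
"""N-of-N secret sharing by XOR, plus PBKDF2 strengthening of the result.

Added illustration only; not code from geli(8) or gshsec(8).  Sample
secret, salt and iteration count below are constructed for the demo.
"""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, n: int, rng=os.urandom) -> list:
    """Split `secret` into n shares so that all n are required to recover it.

    Shares 0..n-2 are uniformly random bytes; the last share is the secret
    XORed with all of them.  Any strict subset of the shares is therefore
    statistically independent of the secret, which is exactly the property a
    shared-secret device gives you: one stolen provider reveals nothing.
    `rng` is injectable so the construction can be tested deterministically.
    """
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [rng(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for s in shares:
        last = _xor(last, s)
    shares.append(last)
    return shares


def combine_shares(shares) -> bytes:
    """XOR all shares together.  With every share present this is the secret;
    with any share missing it is an unrelated random string."""
    if not shares:
        raise ValueError("no shares")
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = _xor(acc, s)
    return acc


def strengthen_passphrase(passphrase: bytes, salt: bytes,
                          iterations: int = 100_000) -> bytes:
    """PKCS#5 v2 key derivation (PBKDF2 with HMAC-SHA512, 64-byte output).

    Demo parameters; geli's own salt handling and iteration count are not
    reproduced here.
    """
    return hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, dklen=64)


def demo() -> dict:
    secret = b"correct horse battery staple"   # constructed sample secret
    shares = split_secret(secret, 3)           # e.g. three providers
    full = combine_shares(shares)              # all providers present
    partial = combine_shares(shares[:2])       # one provider missing
    salt = bytes(range(32))                    # constructed sample salt
    key = strengthen_passphrase(full, salt)
    return {
        "full_ok": full == secret,
        "partial_ok": partial == secret,
        "key_hex": key.hex(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The caveat for the unattended-server case discussed above: N-of-N sharing protects against losing a strict subset of the providers (one disk walking out of the data centre), not against an attacker who takes the whole machine, since the boot code that would read the gshsec device has, by construction, access to all of its providers.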