Date:      Thu, 20 Oct 2005 02:31:02 +0200
From:      "Frank J. Beckmann" <frank@barda.agala.net>
To:        freebsd-geom@freebsd.org
Subject:   Re: Password from shsec when booting eli encrypted / ?
Message-ID:  <200510200232.39374.frank@barda.agala.net>
In-Reply-To: <20050928084331.GA24355@garage.freebsd.pl>
References:  <200509271357.32327.frank@barda.agala.net> <20050928084331.GA24355@garage.freebsd.pl>


Hi,

On Wednesday, 28 September 2005 10:43, Pawel Jakub Dawidek wrote:
> On Tue, Sep 27, 2005 at 01:57:30PM +0200, Frank J. Beckmann wrote:
> +> I start to love the new geom classes, they give me many ideas but also raise
> +> many questions. The man page of geli states that you can encrypt / when you
> +> boot from a USB pen-drive. That must contain /boot. Does it find / or do I
> +> have to set rootdev in loader.conf?
>
> You need to setup USB boot in BIOS and that's actually all.

None of my computers is able to boot from USB, but that's another problem. I
hope to get some newer hardware sooner or later...

> It will ask you for the passphrase before root file system is mounted and
> will find root partition in /etc/fstab after decryption.

That is how I understood the man page. But that is no great solution for an
unattended server.

> +> And is it possible to get the password (or any other needed secret) from a
> +> gshsec device instead of a console prompt?
>
> No.

I guessed you would say that. Would it be possible to mount a shsec device
read-only like /? The kernel knows how to read a UFS file system, else it
could not boot.

> Currently you can use only passphrase strengthened with PKCS#5v2 for the
> root partition.
> There are no file systems mounted yet, so you cannot get the secret from
> a file. In theory it will be possible to get the secret from a raw device
> (storing info about this in /boot/loader.conf).
> BUT this is hackish and evil, so I'll wait for a better solution.

Where do I have to start looking for a better solution? Could the kernel
read from something in /dev/ufs?
-- 
Frank
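Pawel's point above is that the encrypted root can only be keyed by a passphrase strengthened with PKCS#5v2 (PBKDF2), because nothing is mounted yet when the key is needed. The reference implementation below is an added example, not code from this thread or from geli; the HMAC-SHA512 PRF, the 64-byte output and the salt/iteration values are assumptions chosen for illustration, and geli's actual metadata layout and key schedule are not reproduced.

```python
# Added example: PBKDF2 (PKCS#5 v2, RFC 8018 section 5.2) passphrase
# strengthening, cross-checked against the standard library.
# Assumptions: HMAC-SHA512 as the PRF and a 64-byte derived key; this is
# not geli's own code and does not model its metadata or key schedule.
import hashlib
import hmac
import os
import struct


def pbkdf2_hmac_sha512(passphrase: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Reference PBKDF2 loop: T_i = U_1 xor U_2 xor ... xor U_c for each block i."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    hlen = hashlib.sha512().digest_size
    blocks = (dklen + hlen - 1) // hlen            # number of T_i blocks needed
    out = bytearray()
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}) for j > 1
        u = hmac.new(passphrase, salt + struct.pack(">I", i), hashlib.sha512).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(passphrase, u, hashlib.sha512).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dklen])


def derive_master_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 64-byte key from a passphrase and a per-provider salt (assumed sizes)."""
    return pbkdf2_hmac_sha512(passphrase.encode("utf-8"), salt, iterations, 64)


def matches_stdlib(passphrase: str, salt: bytes, iterations: int) -> bool:
    """Confirm the hand-written loop agrees with hashlib.pbkdf2_hmac for the same inputs."""
    expected = hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, 64)
    return hmac.compare_digest(derive_master_key(passphrase, salt, iterations), expected)


if __name__ == "__main__":
    salt = os.urandom(32)  # a real provider would read its salt from stored metadata
    key = derive_master_key("correct horse battery staple", salt, 100_000)
    print(key.hex())
```

The iteration count is what makes an offline guess at the boot passphrase expensive; the salt only ensures that the same passphrase yields a different key on every provider.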
