From: Alaksiej
Date: Mon, 29 Oct 2018 19:23:33 +0300
Subject: Re: GELI without passphrase on ZFS root
To: mikey@usa.com
Cc: freebsd-geom

Hi!

I recreated a similar setup in VirtualBox, and I can confirm: GELI won't try to attach a provider if there's no BOOT flag, and will ask for a passphrase if there is. You can report it as a bug, I suppose.

Meanwhile, however, there's an easy workaround. You can set up a passphrase, then add the following lines to your loader.conf:

    kern.geom.eli.passphrase="< passphrase goes here >"
    kern.geom.eli.boot_passcache=1

And geom_eli.ko will not ask you for a passphrase, taking it from kern.geom.eli.passphrase instead. Here *boot_passcache is invented to make it possible to reuse a single passphrase for several providers, and *passphrase is where it is cached (it is cleared afterwards). So this way we can make GELI act as if the passphrase had already been typed.

Alternatively, you can try to play with root in RAM, or rerooting (reboot -r): starting a script from unencrypted space which will attach a provider by executing "geli -p -k ...", and changing root to a pool inside of it. But my first suggestion is clearly the easiest way.
You, I believe, know this perfectly, but just in case: exposing your passwords/keys in an unencrypted part near an encrypted part which those secrets can open is not a particularly safe configuration. It can make sense if your /boot is on a removable drive, but even in this case a passphrase, even a bad one, makes it way safer if it falls into the wrong hands.

Best,
Alaksiej Carniajeu

On Sat, Oct 27, 2018 at 2:59 AM Michael .. wrote:
> Alaksiej,
>
> You are correct.
>
> I originally tried to configure this on an installation of pfSense (using
> UEFI+GPT). The default AutoZFS installer with encryption for this does
> appear to create an unencrypted /boot/ with an encryption.key keyfile used
> along with passphrase. I tried to set the userkey using just the keyfile
> to remove the use of passphrase. I can reset a userkey using both
> passphrase and keyfile (located in /boot) and the system will boot
> successfully. I think this proves /boot is accessible unencrypted for
> reading the keyfile.
>
> loader.conf is (by default):
>
> geli_ada0p4_keyfile0_load="YES"
> geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
> geli_ada0p4_keyfile0_name="/boot/encryption.key"
> aesni_load="YES"
> geom_eli_load="YES"
> kern.cam.boot_delay=10000
> kern.ipc.nmbclusters="1000000"
> kern.ipc.nmbjumbop="524288"
> kern.ipc.nmbjumbo9="524288"
> vfs.root.mountfrom="zfs:zroot/ROOT/default"
> kern.geom.label.disk_ident.enable="0"
> kern.geom.label.gptid.enable="0"
> zpool_cache_load="YES"
> zpool_cache_type="/boot/zfs/zpool.cache"
> zpool_cache_name="/boot/zfs/zpool.cache"
> geom_eli_passphrase_prompt="YES"
> zfs_load="YES"
> autoboot_delay="3"
> hw.usb.no_pf="1"
>
> Using geli configure -B /dev/ada0p4 as you suggested results in:
>
> Mounting from zfs:zroot/ROOT/default failed with error 2
>
> Loader variables:
> vfs.root.mountfrom=zfs:zroot/ROOT/default
>
> When I couldn't get it working, I switched to a virtual machine running
> straight FreeBSD 11.2 (albeit BIOS+GPT).
> I realised this evening that the
> default disk partitioning is not the same - and a keyfile is not used by
> default when selecting encryption under AutoZFS installer option - just a
> passphrase. I guess the installer is customised for pfsense.
>
> Regards,
>
> Michael.
>
> _______________________________________________
> freebsd-geom@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-geom
> To unsubscribe, send any mail to "freebsd-geom-unsubscribe@freebsd.org"
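The thread's workaround (kern.geom.eli.passphrase in loader.conf) and the pfSense default (a keyfile under /boot) both leave an unlock secret on the unencrypted boot partition next to the provider it opens, which is the point Alaksiej's last paragraph makes. The script below is an added example, not code from this thread or from FreeBSD: it audits a loader.conf for exactly those two patterns so the trade-off is visible before the box ships. The two loader.conf samples it reads are constructed for the demo (the variable names are the ones shown in the thread; the passphrase value is a placeholder), and the severity labels are this example's own convention.

```shell
#!/bin/sh
# Added example: flag GELI settings in a FreeBSD loader.conf that leave
# unlock secrets readable from the unencrypted /boot partition.

# Print one finding per line for the loader.conf given as $1.
geli_loader_findings() {
    conf="$1"

    # Plaintext passphrase handed to geom_eli.ko by the loader: anyone who
    # can read /boot can read the passphrase that unlocks the provider.
    if grep -Eq '^[[:space:]]*kern\.geom\.eli\.passphrase=' "$conf"; then
        echo "HIGH kern.geom.eli.passphrase is set: plaintext passphrase on unencrypted /boot"
    fi

    # Keyfiles the loader reads from /boot sit next to the provider they
    # open; a keyfile is only a second factor if a passphrase is required too.
    grep -E '^[[:space:]]*geli_[A-Za-z0-9]+_keyfile[0-9]+_name=' "$conf" |
        sed -E 's/^[[:space:]]*([A-Za-z0-9_]+)="?([^"]*)"?.*$/\1 \2/' |
        while read -r var path; do
            case "$path" in
                /boot/*) echo "MEDIUM $var loads keyfile $path from the unencrypted boot partition" ;;
            esac
        done

    # Keyfile configured but the loader is not told to prompt: confirm the
    # provider still needs a user-supplied secret (geli(8) metadata decides).
    if grep -Eq '^[[:space:]]*geli_[A-Za-z0-9]+_keyfile[0-9]+_name=' "$conf" &&
       ! grep -Eq '^[[:space:]]*geom_eli_passphrase_prompt="?YES"?' "$conf"; then
        echo "INFO keyfile configured and geom_eli_passphrase_prompt is not YES: verify a passphrase is still required"
    fi
    return 0
}

# Number of findings, as a bare integer on stdout.
geli_loader_risk_count() {
    geli_loader_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the thread's keyfile setup plus the passphrase workaround.
RISKY_CONF="$(mktemp)"
CLEAN_CONF="$(mktemp)"
trap 'rm -f "$RISKY_CONF" "$CLEAN_CONF"' EXIT
cat > "$RISKY_CONF" <<'EOF'
geom_eli_load="YES"
geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key"
geom_eli_passphrase_prompt="YES"
kern.geom.eli.passphrase="PLACEHOLDER-not-a-real-passphrase"
kern.geom.eli.boot_passcache=1
vfs.root.mountfrom="zfs:zroot/ROOT/default"
EOF

# Constructed sample 2: passphrase prompted at the loader, nothing stored on /boot.
cat > "$CLEAN_CONF" <<'EOF'
geom_eli_load="YES"
geom_eli_passphrase_prompt="YES"
vfs.root.mountfrom="zfs:zroot/ROOT/default"
EOF

echo "== risky sample: $(geli_loader_risk_count "$RISKY_CONF") finding(s) =="
geli_loader_findings "$RISKY_CONF"
echo "== clean sample: $(geli_loader_risk_count "$CLEAN_CONF") finding(s) =="
geli_loader_findings "$CLEAN_CONF"
```

Run it against a real system with `geli_loader_findings /boot/loader.conf`. A MEDIUM keyfile finding is acceptable when /boot lives on removable media that is kept with the operator and the provider also demands a passphrase; a HIGH finding means the passphrase and the data it protects are on the same disk, which is the configuration the reply above warns against.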