From: Marco Steinbach
To: freebsd-geom@freebsd.org
Cc: Alaksiej, CyberLeo Kitsana, Ben Woods
Date: Mon, 19 Aug 2019 05:08:26 +0200
Subject: Re: 11.3: GELI attach: Wrong key despite correct passphrase (SOLVED)
Message-ID: <20190819050826.00002d83@executive-computing.de>
In-Reply-To: <20190819035509.00007d37@executive-computing.de>
List-Id: GEOM-specific discussions and implementations

On Mon, 19 Aug 2019 03:55:09 +0200 Marco Steinbach wrote:

> On Mon, 19 Aug 2019 06:27:34 +0800 Ben Woods wrote:
>
> > On Mon, 19 Aug 2019 at 3:05 am, Marco Steinbach wrote:
> >
> > > On Sun, 18 Aug 2019 10:20:51 -0500 CyberLeo Kitsana wrote:
> > >
> > > > On 8/18/19 8:46 AM, Marco Steinbach wrote:
> > > > > Hi.
> > > > >
> > > > > I have two bootable SSDs, both installed using a GELI
> > > > > encrypted root on ZFS.
> > > > >
> > > > > I've then imported the bootpool from da0, and mounted it, so I
> > > > > can try using the key in boot/
> > > > >
> > > > > root@bsdbuch:~ # geli attach -k /bootpool/boot/ada0p5.eli /dev/da0p5
> > > > > Enter passphrase:
> > > > > geli: Wrong key for da0p5.
> > > >
> > > > Did you intend on combining both a keyfile AND a passphrase
> > > > here? If not, include the -p option to instruct geli to avoid
> > > > asking for a passphrase to mix in.
> > > >
> > > > It might also help to include the output of 'geli dump' for both
> > > > of the affected providers. You can obscure the 'Salt' and
> > > > 'Master Key' portions if you so desire.
> > >
> > > I think there's a misunderstanding.
> > >
> > > I merely want to attach the GELI created by the 11.1 installer to
> > > a newly installed 11.3 system.
> > >
> > > MfG CoCo
> >
> > Indeed, but what secrets do you need to provide to decrypt the geli
> > providers (passphrase, passfile, keyfile)? The command above will
> > use both a keyfile and prompt for a passphrase - was this your
> > intention?
> >
> > The “attach” section of this manpage has more details if required:
> >
> > https://man.freebsd.org/geli
>
> What secrets do I need to provide, if I installed a root on ZFS on top
> of GELI using the FreeBSD installer (no manual intervention, really
> just what the installer offered) on the 11.1-RELEASE memstick,
> if I want to attach that provider to an 11.3-RELEASE system?
>
> As I wrote, I have two SSDs both installed using the FreeBSD installer
> using root on ZFS on top of GELI. One was installed using the
> 11.1-RELEASE memstick, the other was installed using the 11.3-RELEASE
> memstick.
>
> I can attach the 11.3-RELEASE from the 11.1-RELEASE (just doing 'geli
> attach /dev/da0p5'), but not vice versa. Both use the same passphrase,
> and both boot using this same passphrase.
>
> Since GELI on the 11.3-RELEASE system told me 'geli: wrong key for
> da0p5' when trying to attach the 11.1-RELEASE GELI provider, I tried
> using the keyfile generated by the 11.1-RELEASE installer in
> conjunction with the passphrase. That also failed.

Hi.

I now have successfully tested cross-attaching the 11.1/11.3 GELI
providers using their respective keyfiles and the passphrase.

It's still beyond me why I was able to simply attach the GELI provider
on the external USB drive created in 11.3 just using the passphrase when
11.1 was booted, but not vice versa (with 11.3 booted internally, and
11.1 in the external enclosure). In all my tries, I always plugged in
the external drive after the system was fully up.

Thank you all for your suggestions and hints -- that was quite an
informative lesson.

MfG CoCo
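As an added illustration (not part of this thread and not geli's own code) of why `geli attach`, `geli attach -k` and `geli attach -p -k` need different secrets: a Python model of how geli folds keyfiles and the passphrase into a single user key, based on my reading of eli_genkey() in the geli userland; the exact byte layout is an assumption, and the keyfile, salt, passphrase and iteration count are constructed sample values.

```python
import hashlib
import hmac

USERKEY_LEN = 64  # G_ELI_USERKEYLEN: one HMAC-SHA512 output


def geli_user_key(keyfiles, passphrase, salt, iterations):
    """Model of geli's user-key derivation (assumed to mirror eli_genkey()).

    All components go into ONE HMAC-SHA512 with an empty HMAC key: keyfile
    contents first, then the passphrase, which is PBKDF2-HMAC-SHA512
    stretched when iterations > 0 and fed raw (after the salt) otherwise.
    Omitting or adding any component therefore yields an unrelated key,
    which geli reports as "Wrong key" when it fails to unwrap the master key.
    """
    ctx = hmac.new(b"", digestmod=hashlib.sha512)
    for data in keyfiles:          # `-k file`, possibly several
        ctx.update(data)
    if passphrase is not None:     # skipped entirely with `-p`
        if iterations == 0:
            ctx.update(salt)
            ctx.update(passphrase)
        else:
            dkey = hashlib.pbkdf2_hmac("sha512", passphrase, salt,
                                       iterations, USERKEY_LEN)
            ctx.update(dkey)
    return ctx.digest()


def attach_variants(keyfile, passphrase, salt, iterations):
    """User keys for the three invocations discussed in the thread."""
    return {
        "passphrase_only":        geli_user_key([], passphrase, salt, iterations),        # geli attach
        "keyfile_only":           geli_user_key([keyfile], None, salt, iterations),       # geli attach -p -k
        "keyfile_and_passphrase": geli_user_key([keyfile], passphrase, salt, iterations), # geli attach -k
    }


# Constructed sample inputs, not taken from the thread: a 64-byte keyfile like
# the one the installer leaves in /boot, a 64-byte salt and a low iteration count.
SAMPLE_KEYFILE = bytes(range(64))
SAMPLE_SALT = b"\x5a" * 64
SAMPLE_PASSPHRASE = b"correct horse battery staple"
SAMPLE_ITERATIONS = 1000

if __name__ == "__main__":
    for name, key in attach_variants(SAMPLE_KEYFILE, SAMPLE_PASSPHRASE,
                                     SAMPLE_SALT, SAMPLE_ITERATIONS).items():
        print(f"{name:24s} {key.hex()[:32]}...")
```

The model makes the diagnostic in the thread concrete: a provider initialised with keyfile plus passphrase unwraps only with the `keyfile_and_passphrase` key, so supplying the passphrase alone, or adding a keyfile to a passphrase-only provider, produces the same "Wrong key" error as a mistyped passphrase.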