Date: Mon, 13 Mar 2023 08:46:06 +0100
From: Evilham <contact@evilham.com>
To: Jean-Christophe <jean-christophe@blues-softwares.net>
Cc: freebsd-questions@freebsd.org, questions@freebsd.org
Subject: Re: geli encryption on server
Message-ID: <01fca36fa1905197a0b5436be9f9ee112ff8@yggdrasil.evilham.com>
In-Reply-To: <8ef427543f851a296b4a1804764f3f5ece48225d.camel@blues-softwares.net>
References: <8ef427543f851a296b4a1804764f3f5ece48225d.camel@blues-softwares.net>

On Sun., March 12 2023, Jean-Christophe wrote:
> hi,
> how can I add passphrase at boot process for don't ask it after
> all reboot ?
> regard,
> jean-christophe
As others pointed out, beware that depending on what you are
doing, it might render your encryption pretty much useless.
I use it to unlock other geli-encrypted drives providing just one
password, it's a decent compromise for me.
Answering your question with those caveats: you can do this with
the options:
geli_devices and geli_${PROVIDER}_flags
This is documented in rc.conf(5) and /etc/rc.d/geli. AFAICT
geli_${PROVIDER}_flags is not documented in rc.conf(5); if this
saved you time, please look into adding a patch fixing that.
It can look something like this in /etc/rc.conf:
    geli_devices="gpt/home"
    geli_gpt_home_flags="-pk '/secret/location/keyfile.secret'"
Note that the '/' gets replaced with a '_' when you need to
provide the flags.
Cheers,
--
Evilham
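
A check for the configuration described in this message, as an added example that is not part of the original mail: it sources an rc.conf-style file, derives each provider's geli_${PROVIDER}_flags name, and reports an unset variable, a missing -k keyfile, or a keyfile that group or other can access. The function names are hypothetical, and mapping '-' to '_' in the same way as '/' is an assumption about /etc/rc.d/geli.

```sh
#!/bin/sh
# Added example, not from the original mail. Audits an rc.conf-style file for
# the geli_devices / geli_${PROVIDER}_flags settings described above.
# Usage: audit_geli_rc /etc/rc.conf

# Flags variable name for a provider. '/' -> '_' is stated in the mail;
# mapping '-' the same way is an assumption about /etc/rc.d/geli.
geli_flags_var() {
    printf 'geli_%s_flags\n' "$(printf '%s' "$1" | tr '/-' '__')"
}

# Prints one finding per line; exit status 0 means no findings.
# Runs in a subshell because rc.conf is shell code and gets sourced.
audit_geli_rc() (
    . "$1" || exit 2
    status=0
    for provider in $geli_devices; do
        var=$(geli_flags_var "$provider")
        eval "flags=\${$var-}"
        if [ -z "$flags" ]; then
            echo "$provider: $var is unset (check the variable's spelling)"
            status=1
            continue
        fi
        # Split the flags the way a shell would and pick out -k <keyfile>.
        eval "set -- $flags"
        OPTIND=1
        keyfile=
        while getopts ':j:k:n:' opt; do
            if [ "$opt" = k ]; then keyfile=$OPTARG; fi
        done
        if [ -z "$keyfile" ]; then
            echo "$provider: $var has no -k keyfile"
            status=1
        elif [ ! -f "$keyfile" ]; then
            echo "$provider: keyfile $keyfile does not exist"
            status=1
        else
            # Mode string from ls: type, owner rwx, then group/other bits.
            case $(ls -ld "$keyfile") in
                ????------*) ;;
                *) echo "$provider: keyfile $keyfile is accessible to group/other"
                   status=1 ;;
            esac
        fi
    done
    exit "$status"
)
```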
