Date: Wed, 03 Sep 2014 21:44:49 -0500
From: Karl Denninger <karl@denninger.net>
To: freebsd-geom@freebsd.org
Subject: Re: Attempt to add multiple device attachment to "geli attach"
Message-ID: <5407D221.5000609@denninger.net>
In-Reply-To: <20140903200014.GB82175@funkthat.com>
References: <54076871.5010405@denninger.net> <54076CFE.5010308@denninger.net> <20140903200014.GB82175@funkthat.com>
On 9/3/2014 15:00, John-Mark Gurney wrote:
> Karl Denninger wrote this message on Wed, Sep 03, 2014 at 14:33 -0500:
>> Never mind... I know what I missed -- the key generation that is passed
>> in is dependent on the metadata read from the userspace.
>>
>> More work to do here.... will have to pass a separate key structure for
>> each disk and it will also require some more work in the userspace
>> command area so it doesn't prompt a second time for a password.
>>
>> I'll post the completed patch set once I have it if people here think it
>> would be interesting.
> Just some comments on this as I've thought about this issue...
>
> There are two issues here, one is for root and one is for geli
> volume mounted later...
>
> For the latter, I personally use a key volume that is encrypted, and uses
> that "key store" for my large 8 disk raidz pool.. This is less of an
> issue, but still requires me to type in the password twice... It
> basically boils down to:
> (cd /zkeys && for i in *.key; do geli attach -p -k "$i" "label/${i%.key}"; geli attach -p -k "$i" "gpt/${i%.key}"; done) || exit 5
>
> I have to do both label and gpt since disks are labeled, but things like
> zlog are on gpt partitions...
>
> I haven't reviewed your patch, nor have I looked at how geli keys
> volumes upon init, but make sure that you have each volume's master
> key salted separately... This way if the volumes get separated from
> your system, it won't leak that they use the same key... Yes, it'll
> take a bit more cpu time to unlock, but not that big of an issue IMO...
>
> Handling unlocking mirrored roots is a bit more interesting as you
> now have to touch the geli kernel code...
>
> btw, reattaching a single disk that was previously part of a pool is
> fast... I've done this on more than one occasion where one disk drops
> out of the raidz and then shortly after I reattach it... It will
> recognize the original data, so only if new data that got written
> can't be read will you suffer a loss, but that would be a double failure
> case, and known limitation of raidz...
>
> Thanks for looking at this... I'm definitely interested in making
> multi disk geli more usable...
>
> $find /dev -name "*.eli" | wc -l
> 17
>
> :)
>
> 8 (raidz data disks) + 2 (mirrored root) + 1 (swap) + 2 (cache) +
> 2 (log) + 2 (duplicates from root ada vs ad)

Try this in /usr/local/etc/rc.d -- it is a modification of the geli
script and gets the password, then iterates over the disks and tries to
attach them. If it fails it will prompt you again (up to three times as
does the stock code, but you can override that if you want.) This is to
be used in place of the geli option in /etc/rc.conf.

Place the disks in /etc/rc.conf as:

encrypt_disks="..... "

The usual geli overrides also work (since I cribbed the code), EXCEPT
the detach-on-close -- I have had serious problems with that when a
non-related drive detaches from the bus -- it has on multiple occasions
caused all my geli disks to detach on the same adapter! Needless to say
I don't set that flag any more -- I let the kernel detach them when the
machine shuts down.

As long as the password you originally supply is good it will keep
iterating through the list and mount them all. Voila -- enter it once!

#!/bin/sh
#
# Copyright 2014 Karl Denninger <karl@denninger.net>
# Cribbed modified from original as below
#
# Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#

# PROVIDE: disks
# REQUIRE: initrandom
# KEYWORD: nojail

. /etc/rc.subr

name="encrypt"
start_cmd="encrypt_start"
stop_cmd="encrypt_stop"
required_modules="geom_eli:g_eli"

encrypt_start()
{
	devices=${encrypt_disks}

	# Ask for the passphrase once; it is reused for every provider below.
	# read -r keeps backslashes in the passphrase intact.
	echo -n 'Geli attach Password: '
	stty -echo
	read -r password
	stty echo
	echo

	if [ -z "${encrypt_tries}" ]; then
		if [ -n "${encrypt_attach_attempts}" ]; then
			# Compatibility with rc.d/gbde.
			encrypt_tries=${encrypt_attach_attempts}
		else
			encrypt_tries=`${SYSCTL_N} kern.geom.eli.tries`
		fi
	fi

	for provider in ${devices}; do
		# ltr (from rc.subr) turns '/' and '-' into '_' so the provider
		# name can be used in an rc.conf variable name.
		provider_=`ltr ${provider} '/-' '_'`
		eval "flags=\${encrypt_${provider_}_flags}"
		if [ -z "${flags}" ]; then
			flags=${encrypt_default_flags}
		fi
		if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then
			echo "Geli attach ${provider}."
			count=1
			while [ ${count} -le ${encrypt_tries} ]; do
				# "-j -" makes geli read the passphrase from stdin, so
				# no interactive prompt per disk.  printf rather than
				# echo so a passphrase starting with '-' is passed as is.
				printf '%s\n' "${password}" | geli attach -j - ${flags} ${provider}
				if [ -e "/dev/${provider}.eli" ]; then
					break
				fi
				echo "Attach failed; attempt ${count} of ${encrypt_tries}."
				count=$((count+1))
				if [ ${count} -gt ${encrypt_tries} ]; then
					echo "KEY MISMATCH ERROR - Abort"
					exit 1
				fi
				echo -n 'Geli attach Password: '
				stty -echo
				read -r password
				stty echo
				echo
			done
		else
			if [ -e "/dev/${provider}" ]; then
				echo "${provider} is already attached."
			else
				echo "${provider} does not exist."
			fi
		fi
	done
}

encrypt_stop()
{
	devices=${encrypt_disks}

	for provider in ${devices}; do
		if [ -e "/dev/${provider}.eli" ]; then
			umount "/dev/${provider}.eli" 2>/dev/null
			geli detach "${provider}"
		fi
	done
}

load_rc_config $name
run_rc_command "$1"

-- 
-- Karl
karl@denninger.net
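The exchange above turns on one point: the key geli derives from the passphrase depends on each provider's own metadata (its salt and iteration count), so attaching several disks with one passphrase still needs one key derivation per disk, and separately salted providers cannot be linked by their metadata alone. The following Python model is an added example, not Karl's patch or geli's code; the metadata layout, the HMAC verifier standing in for geli's encrypted Master Key, the iteration count and the provider names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Simplified model of per-provider geli metadata (constructed for this
# example, not geli's on-disk format).  geli really does derive the key
# with PBKDF2-HMAC-SHA512 from the passphrase and a per-provider salt; the
# "verifier" here stands in for the encrypted Master Key and its checksum.
KEY_LEN = 64


def derive_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, KEY_LEN)


def init_provider(name: str, passphrase: bytes, iterations: int = 5000) -> dict:
    """Model of 'geli init': a fresh random salt per provider."""
    salt = secrets.token_bytes(64)
    key = derive_key(passphrase, salt, iterations)
    verifier = hmac.new(key, b"verify:" + name.encode(), "sha512").digest()
    return {"name": name, "salt": salt, "iterations": iterations, "verifier": verifier}


def can_attach(md: dict, key: bytes) -> bool:
    """Attach succeeds only if this key reproduces the provider's verifier."""
    expected = hmac.new(key, b"verify:" + md["name"].encode(), "sha512").digest()
    return hmac.compare_digest(expected, md["verifier"])


def attach_all(passphrase: bytes, providers: list) -> list:
    """Prompt once, then derive a key per provider from its own metadata."""
    return [md["name"] for md in providers
            if can_attach(md, derive_key(passphrase, md["salt"], md["iterations"]))]


def attach_all_shared_key(passphrase: bytes, providers: list) -> list:
    """The pitfall Karl hit: derive once from the first disk's metadata and reuse it."""
    first = providers[0]
    shared = derive_key(passphrase, first["salt"], first["iterations"])
    return [md["name"] for md in providers if can_attach(md, shared)]


def keys_distinct(passphrase: bytes, providers: list) -> bool:
    """Same passphrase, separate salts: no two providers share a derived key."""
    keys = {derive_key(passphrase, md["salt"], md["iterations"]) for md in providers}
    return len(keys) == len(providers)


if __name__ == "__main__":
    pw = b"correct horse"  # constructed sample passphrase
    pool = [init_provider(n, pw) for n in ("ada0p3", "ada1p3", "ada2p3")]
    print("per-provider keys:", attach_all(pw, pool))      # all three attach
    print("shared key:", attach_all_shared_key(pw, pool))  # only ada0p3 attaches
```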