Date: Wed, 03 Sep 2014 21:44:49 -0500
From: Karl Denninger <karl@denninger.net>
To: freebsd-geom@freebsd.org
Subject: Re: Attempt to add multiple device attachment to "geli attach"
Message-ID: <5407D221.5000609@denninger.net>
In-Reply-To: <20140903200014.GB82175@funkthat.com>
References: <54076871.5010405@denninger.net> <54076CFE.5010308@denninger.net> <20140903200014.GB82175@funkthat.com>
[-- Attachment #1 --]
On 9/3/2014 15:00, John-Mark Gurney wrote:
> Karl Denninger wrote this message on Wed, Sep 03, 2014 at 14:33 -0500:
>> Never mind... I know what I missed -- the key generation that is passed
>> in is dependent on the metadata read from the userspace.
>>
>> More work to do here.... will have to pass a separate key structure for
>> each disk and it will also require some more work in the userspace
>> command area so it doesn't prompt a second time for a password.
>>
>> I'll post the completed patch set once I have it if people here think it
>> would be interesting.
> Just some comments on this as I've thought about this issue...
>
> There are two issues here, one is for root and one is for geli
> volume mounted later...
>
> For the latter, I personally use a key volume that is encrypted, and uses
> that "key store" for my large 8 disk raidz pool.. This is less of an
> issue, but still requires me to type in the password twice... It
> basically boils down to:
> (cd /zkeys && for i in *.key; do geli attach -p -k "$i" "label/${i%.key}"; geli attach -p -k "$i" "gpt/${i%.key}"; done) || exit 5
>
> I have to do both label and gpt since disks are labeled, but things like
> zlog are on gpt partitions...
>
> I haven't reviewed your patch, nor have I looked at how geli keys
> volumes upon init, but make sure that you have each volume's master
> key salted separately... This way if the volumes get separated from
> your system, it won't leak that they use the same key... Yes, it'll
> take a bit more cpu time to unlock, but not that big of an issue IMO...
>
> Handling unlocking mirrored roots is a bit more interesting as you
> now have to touch the geli kernel code...
>
> btw, reattaching a single disk that was previously part of a pool is
> fast... I've done this on more than one occasion where one disk drops
> out of the raidz and then shortly after I reattach it... It will
> recognize the original data, so only if new data that got written
> can't be read will you suffer a loss, but that would be a double failure
> case, and known limitation of raidz...
>
> Thanks for looking at this... I'm definitely interested in making
> multi disk geli more usable...
>
> $find /dev -name "*.eli" | wc -l
> 17
>
> :)
>
> 8 (raidz data disks) + 2 (mirrored root) + 1 (swap) + 2 (cache) +
> 2 (log) + 2 (duplicates from root ada vs ad)
>
Try this in /usr/local/etc/rc.d -- it is a modification of the geli
script and gets the password, then iterates over the disks and tries to
attach them. If it fails it will prompt you again (up to three times as
does the stock code, but you can override that if you want.) This is to
be used in place of the geli option in /etc/rc.conf.
Place the disks in /etc/rc.conf as:
encrypt_disks="..... "
The usual geli overrides also work (since I cribbed the code), EXCEPT
the detach-on-close -- I have had serious problems with that when a
non-related drive detaches from the bus -- it has on multiple occasions
caused all my geli disks to detach on the same adapter! Needless to say
I don't set that flag any more -- I let the kernel detach them when the
machine shuts down.
As long as the password you originally supply is good it will keep
iterating through the list and mount them all. Voila -- enter it once!
#!/bin/sh
#
# Copyright 2014 Karl Denninger <karl@denninger.net>
# Cribbed modified from original as below
#
# Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#
# PROVIDE: disks
# REQUIRE: initrandom
# KEYWORD: nojail

. /etc/rc.subr

name="encrypt"
start_cmd="encrypt_start"
stop_cmd="encrypt_stop"
required_modules="geom_eli:g_eli"

encrypt_start()
{
    devices=${encrypt_disks}

    # Prompt once with terminal echo off. IFS= and -r keep leading/trailing
    # whitespace and backslashes in the passphrase intact.
    echo -n 'Geli attach Password: '
    stty -echo
    IFS= read -r password
    stty echo
    echo

    if [ -z "${encrypt_tries}" ]; then
        if [ -n "${encrypt_attach_attempts}" ]; then
            # Compatibility with rc.d/gbde.
            encrypt_tries=${encrypt_attach_attempts}
        else
            encrypt_tries=`${SYSCTL_N} kern.geom.eli.tries`
        fi
    fi

    for provider in ${devices}; do
        # Map '/' and '-' to '_' so the provider name is usable in an rc.conf variable.
        provider_=`ltr ${provider} '/-' '_'`

        eval "flags=\${encrypt_${provider_}_flags}"
        if [ -z "${flags}" ]; then
            flags=${encrypt_default_flags}
        fi

        if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then
            echo "Geli attach ${provider}."
            count=1
            while [ ${count} -le ${encrypt_tries} ]; do
                # Feed the passphrase on stdin (-j -). It is quoted so the shell
                # does not split or glob it, and it never appears in argv.
                printf '%s\n' "${password}" | geli attach -j - ${flags} "${provider}"
                if [ -e "/dev/${provider}.eli" ]; then
                    break
                fi
                echo "Attach failed; attempt ${count} of ${encrypt_tries}."
                count=$((count+1))
                if [ ${count} -gt ${encrypt_tries} ]; then
                    echo "KEY MISMATCH ERROR - Abort"
                    exit 1
                fi
                # Re-prompt; the new passphrase is also used for the remaining disks.
                echo -n 'Geli attach Password: '
                stty -echo
                IFS= read -r password
                stty echo
                echo
            done
        else
            if [ -e "/dev/${provider}" ]; then
                echo "${provider} is already attached."
            else
                echo "${provider} does not exist."
            fi
        fi
    done
}

encrypt_stop()
{
    devices=${encrypt_disks}

    for provider in ${devices}; do
        if [ -e "/dev/${provider}.eli" ]; then
            umount "/dev/${provider}.eli" 2>/dev/null
            geli detach "${provider}"
        fi
    done
}

load_rc_config $name
run_rc_command "$1"
--
-- Karl
karl@denninger.net
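
The two ideas in this exchange, entering one passphrase for many disks and salting each volume separately, fit together as in the following added example, which is not part of the original message and is not geli's code or on-disk format. It is a toy model: the metadata layout, the `volume-check` tag, the iteration count, the volume names and the passphrase are all constructed, and PBKDF2-HMAC-SHA512 stands in for the passphrase KDF.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000      # constructed value, kept small so the example runs quickly
CHECK = b"volume-check"  # constructed label for the passphrase check tag


def derive_kek(passphrase, salt):
    # One full PBKDF2 run per volume: this is the extra CPU cost of separate salts.
    return hashlib.pbkdf2_hmac("sha512", passphrase, salt, ITERATIONS)


def init_volume(name, passphrase, salt=None):
    """Toy metadata: a salt plus a tag that only the right passphrase reproduces."""
    salt = os.urandom(64) if salt is None else salt
    tag = hmac.new(derive_kek(passphrase, salt), CHECK, hashlib.sha512).digest()
    return {"name": name, "salt": salt, "tag": tag}


def attach_all(volumes, passphrase):
    """Try a single passphrase against every volume; return the names that unlock."""
    unlocked = []
    for vol in volumes:
        kek = derive_kek(passphrase, vol["salt"])
        tag = hmac.new(kek, CHECK, hashlib.sha512).digest()
        if hmac.compare_digest(tag, vol["tag"]):
            unlocked.append(vol["name"])
    return unlocked


def linkable(a, b):
    """What someone holding two separated disks can compare without the passphrase."""
    return a["salt"] == b["salt"] or a["tag"] == b["tag"]


def demo():
    pw = b"correct horse battery staple"  # constructed passphrase
    shared = os.urandom(64)
    # Weak setup: both volumes initialised with the same salt.
    weak = [init_volume(f"weak{i}", pw, salt=shared) for i in range(2)]
    # Per-volume salts: same passphrase, nothing in the metadata matches.
    good = [init_volume(f"da{i}", pw) for i in range(3)]
    return {
        "weak_linkable": linkable(weak[0], weak[1]),
        "good_linkable": any(linkable(a, b) for a in good for b in good if a is not b),
        "unlocked": attach_all(good, pw),
        "wrong_pw": attach_all(good, b"wrong"),
    }


if __name__ == "__main__":
    print(demo())
```
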
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5407D221.5000609>
