From owner-freebsd-geom@FreeBSD.ORG Sat Aug 25 11:48:20 2012
Date: Sat, 25 Aug 2012 13:47:59 +0200 (CEST)
From: brouci tykadylko <brouci.tykadylko@seznam.cz>
To: d@delphij.net, freebsd-geom@freebsd.org
In-Reply-To: <503896E1.9000203@delphij.net>
Subject: Re: geli remote password entering - md approach
List-Id: GEOM-specific discussions and implementations

> ------------ Original message ------------
> From: Xin Li
> Subject: Re: geli remote password entering
> Date: 25.8.2012 11:19:54
>
> ----------------------------------------
> It would be interesting to implement an initrd-alike feature in FreeBSD,
> however, but it's not totally impossible to do a similar thing "right
> now"-ish by using a mdroot while having it chroot into the new / with
> devfs and friends mounted, it's like a kluge but still do-able.

When / is encrypted, I still have /sbin/init on the encrypted partition. At least in my current setup, only /boot is unencrypted. Geli devices are mounted by the kernel as defined in loader.conf:

geom_eli_load="YES"
geom_label_load="YES"
geom_mirror_load="YES"
geom_part_gpt_load="YES"
zfs_load="YES"
geli_ad4p4_keyfile0_load="YES"
geli_ad4p4_keyfile0_type="ad4p4:geli_keyfile0"
geli_ad4p4_keyfile0_name="/boot/keys/boot.key"
geli_ad6p4_keyfile0_load="YES"
geli_ad6p4_keyfile0_type="ad6p4:geli_keyfile0"
geli_ad6p4_keyfile0_name="/boot/keys/boot.key"
vfs.root.mountfrom="zfs:system"

If I understand it right, the md approach would be:

0) prepare an mfsroot image with kernel + zfs & geli modules and a statically linked dropbear (for example with http://mfsbsd.vx.sk/)
1) load mfsroot from loader.conf
2) execute kernel from mfsroot
3) execute dropbear and wait for login and geli mount done by hand (maybe similarly to your rc script - dropbear can hold its own network config) - and maybe even SCP in the keys for both partitions, so I don't need to keep them in unencrypted /boot
4) mount the new root from the encrypted filesystem
5) chroot to the new root
6) execute init from the encrypted root

Right?

I'm not the sort of hacker able to modify the kernel code, so this is at the edge of my kung-fu.
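Added example, not from the thread or from mfsBSD: a small sh gate that the mfsroot's rc script could run at steps 4-6, refusing to chroot into the new root unless the geli providers named in the loader.conf above are ACTIVE and the ZFS root is mounted at /mnt (the /mnt mountpoint is an assumption). It parses `geli status` and `mount` output; the sample text at the bottom is constructed, not captured from a real host.

```sh
#!/bin/sh
# Gate for steps 4-6: do not chroot into the new root unless every expected
# geli provider is ACTIVE and the root is mounted where expected.
# Provider names come from loader.conf above; /mnt is an assumption.

# geli_all_active STATUS_TEXT PROVIDER...
# STATUS_TEXT is the output of `geli status`. Returns 0 only if every named
# provider appears with status ACTIVE (a detached provider is simply absent).
geli_all_active() {
    _status=$1; shift
    for _p in "$@"; do
        printf '%s\n' "$_status" |
            awk -v p="$_p" '$1 == p && $2 == "ACTIVE" { ok = 1 }
                            END { exit ok ? 0 : 1 }' || return 1
    done
    return 0
}

# root_mounted MOUNT_TEXT MOUNTPOINT FSTYPE
# MOUNT_TEXT is the output of `mount`, e.g. "system on /mnt (zfs, local, ...)".
# Returns 0 only if MOUNTPOINT is mounted with filesystem type FSTYPE, so a
# stale or unencrypted filesystem sitting at the same path is not pivoted into.
root_mounted() {
    printf '%s\n' "$1" |
        awk -v mp="$2" -v fs="$3" \
            '$3 == mp && $4 ~ ("^\\(" fs "[,)]") { ok = 1 }
             END { exit ok ? 0 : 1 }'
}

# pivot_to_root NEWROOT: steps 4-6 from the mail, run as the mfsroot's rc after
# the operator has attached the providers over dropbear and imported the pool.
# Not called here; it needs root on a real mfsroot boot.
pivot_to_root() {
    _new=$1
    geli_all_active "$(geli status)" ad4p4.eli ad6p4.eli ||
        { echo "geli providers not attached; staying in mfsroot" >&2; return 1; }
    root_mounted "$(mount)" "$_new" zfs ||
        { echo "$_new is not the zfs root; staying in mfsroot" >&2; return 1; }
    mount -t devfs devfs "$_new/dev" || return 1
    exec chroot "$_new" /sbin/init
}

# Constructed sample output (not captured from a real host) for both checks.
SAMPLE_GELI_STATUS='      Name  Status  Components
 ad4p4.eli  ACTIVE  ad4p4
 ad6p4.eli  ACTIVE  ad6p4'
SAMPLE_MOUNT='/dev/md0 on / (ufs, local)
devfs on /dev (devfs, local, multilabel)
system on /mnt (zfs, local, noatime, nfsv4acls)'
```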