Date:      Tue, 3 Mar 2015 20:57:53 -0500
From:      Mason Loring Bliss <mason@blisses.org>
To:        freebsd-questions@freebsd.org
Subject:   GELI key question...
Message-ID:  <20150304015753.GV3375@blisses.org>

Hi all.

Right now I've got root-on-ZFS-on-GELI from the 10.x installer, but I don't
understand all the moving parts, and I'd love some pointers. In particular,
the man pages geli(8) and loader.conf(5) don't tell me what I want.

I've got an ultimate goal and a short term goal. The short term goal is to
have a key on a USB stick (maybe in a UFS2 partition, maybe just data on the
disk itself - doesn't matter) and have loader.conf reference that as the key
to unlock my root disk(s), for unattended boot as long as the USB stick is
inserted in the system.

First thing that's unclear: Where is the GELI syntax for loader.conf
documented? The GELI man page gives examples of use, but it doesn't say how
the configs are composed.

For example, it shows this:

           geli_da0_keyfile0_load="YES"
           geli_da0_keyfile0_type="da0:geli_keyfile0"
           geli_da0_keyfile0_name="/boot/keys/da0.key0"

Is the name of the variable fixed there? What's interpreting it? Would this
be valid?

           geli_foo_keyfile0_load="YES"
           geli_foo_keyfile0_type="da0:geli_keyfile0"
           geli_foo_keyfile0_name="/boot/keys/da0.key0"

The _type variable seems to specify the device to which the variable applies.
I don't know if the variable name is freeform(ish) or if the da0 needs to be
duplicated as it is in the man page's example.

More relevant, can the _name variable specify another device? If so, can I
use gpt labels for this, so that I can point to gpt/keypart? Or are those
only available once the system has booted? I'd like to not have to depend on
the USB key having the same device on each boot, and gpt labels seem ideal
for this.

Next, I don't see loader.conf specifying which slot to use. I could be
confusing the concepts... My understanding is that there is one key and a
couple slots for user keys. Is my idea of having the bootloader default to
the USB stick unless it's not there and use a file-and-passphrase already on
/boot otherwise feasible? I'm not sure how to specify an order to try, never
mind the location on another device of one of the keys.

I'm sure I've forgotten something in the midst of all this, so anything
obvious I'm missing would be greatly appreciated.

PS: I now see some of the name composition stuff in sys/boot/forth/support.4th
but I don't claim to know Forth and I'm having some trouble reading it at
present.

<cough>
    end_of_line? if 0 else letter? digit? underscore? dot? or or or then
</cough>

I should learn Forth. But anyway... Thank you kindly in advance for pointers
and help!

-- 
Mason Loring Bliss   ((  "In the drowsy dark cave of the mind dreams
mason@blisses.org     ))  build  their nest  with fragments  dropped
http://blisses.org/  ((   from day's caravan." - Rabindranath Tagore
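As an added example (not from this thread or the FreeBSD sources), a small
parser for the loader.conf fragment quoted above: it groups the
geli_<prefix>_keyfile<N>_{load,type,name} triples and reports, per entry,
the device taken from the _type value next to the device used in the
variable prefix, so the da0/foo question can be checked against what the
loader actually accepts. The variable grammar is assumed from the man-page
style lines in the message; the input is constructed.

```python
import re

# Constructed loader.conf fragment: the man-page-style entry quoted in the
# post, plus the "foo" variant whose prefix does not repeat the _type device.
SAMPLE_LOADER_CONF = """\
geli_da0_keyfile0_load="YES"
geli_da0_keyfile0_type="da0:geli_keyfile0"
geli_da0_keyfile0_name="/boot/keys/da0.key0"
geli_foo_keyfile0_load="YES"
geli_foo_keyfile0_type="da0:geli_keyfile0"
geli_foo_keyfile0_name="/boot/keys/da0.key0"
"""

# Assumed naming pattern geli_<prefix>_keyfile<N>_<field>, taken from the
# example lines; <prefix> is whatever sits between "geli_" and "_keyfile".
_VAR_RE = re.compile(r'^geli_(?P<prefix>.+)_keyfile(?P<idx>\d+)_(?P<field>load|type|name)$')
# name="value" or name=value, with an optional trailing "# comment"
_LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_loader_conf(text):
    """Return {(prefix, idx): {"load": ..., "type": ..., "name": ...}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        var, value = m.group(1), m.group(2)
        vm = _VAR_RE.match(var)
        if not vm:
            continue                      # not a geli keyfile variable
        key = (vm.group("prefix"), int(vm.group("idx")))
        entries.setdefault(key, {})[vm.group("field")] = value
    return entries


def check_keyfiles(entries):
    """One report line per keyfile entry; flags incomplete or mismatched ones."""
    report = []
    for (prefix, idx), f in sorted(entries.items()):
        missing = [k for k in ("load", "type", "name") if k not in f]
        if missing:
            report.append(f"geli_{prefix}_keyfile{idx}: missing {','.join(missing)}")
            continue
        dev = f["type"].split(":", 1)[0]  # "da0:geli_keyfile0" -> "da0"
        status = "ok" if dev == prefix else f"prefix '{prefix}' != type device '{dev}'"
        report.append(f"geli_{prefix}_keyfile{idx}: load={f['load']} dev={dev} file={f['name']} {status}")
    return report
```

Running `check_keyfiles(parse_loader_conf(SAMPLE_LOADER_CONF))` lists the da0 entry as consistent and the foo entry as a prefix/type mismatch to be confirmed against the loader's Forth code rather than assumed invalid.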
