Other Encrypted HDD - adding keyfile

Hello all,

This question is going to be an easy one. I have a geli(8)-encrypted HDD and I use a password to unlock it on boot (the encrypted root resides there). I would like to use a keyfile because I'm simply too lazy to type the password every time. Since this is going to be my first attempt I would like to ask you guys whether the following procedure is correct, because I don't want to make something seriously wrong and have to reinstall the entire system.

Let's assume the UFS partition on my USB stick containing the keyfile is recognized as da1p2 and is currently mounted on /mnt/tmp.

# geli setkey -P -K /mnt/tmp/key.file /dev/ada0
# echo 'geli_ada0_keyfile0_load="YES"' >> /boot/loader.conf
# echo 'geli_ada0_keyfile0_type="ada0:geli_keyfile0"' >> /boot/loader.conf
# echo 'geli_ada0_keyfile0_name="da1p2:/key.file"' >> /boot/loader.conf


Is this correct? Thank you very much.
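
The stanza above is easy to get wrong by a single character, and a malformed /boot/loader.conf means a rescue boot. The following is an added example, not code from the thread: two small POSIX sh helpers that emit the three geli(8) keyfile variables for a given provider and key index, and lint a loader.conf fragment (every line must be name="value" with balanced quotes, and every geli_<prov>_keyfile<N>_load="YES" must have its _type and _name partners). The provider name ada0, key index 0 and the name string da1p2:/key.file are taken from the post; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the forum thread). Helpers to generate and sanity-check
# the geli keyfile stanza for /boot/loader.conf before appending it to the real file.

# geli_loader_stanza PROVIDER INDEX NAME
# Prints the three variables geli(8) documents for loading keyfile INDEX of
# PROVIDER at boot. The _type value must be "PROVIDER:geli_keyfileINDEX".
geli_loader_stanza() {
    prov=$1; idx=$2; name=$3
    printf 'geli_%s_keyfile%s_load="YES"\n' "$prov" "$idx"
    printf 'geli_%s_keyfile%s_type="%s:geli_keyfile%s"\n' "$prov" "$idx" "$prov" "$idx"
    printf 'geli_%s_keyfile%s_name="%s"\n' "$prov" "$idx" "$name"
}

# lint_loader_conf FILE
# Returns 0 when every non-comment, non-empty line has the shape name="value"
# with exactly two double quotes; otherwise reports the line and returns 1.
lint_loader_conf() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        case $line in
            [A-Za-z_]*=\"*\") ;;
            *) printf 'bad line: %s\n' "$line" >&2; status=1; continue ;;
        esac
        # Count double quotes; an unterminated value is the classic typo.
        q=$(printf '%s' "$line" | tr -cd '"' | wc -c | tr -d ' ')
        if [ "$q" -ne 2 ]; then
            printf 'unbalanced quotes: %s\n' "$line" >&2; status=1
        fi
    done < "$1"
    return $status
}

# geli_keyfile_complete FILE
# For every geli_<prov>_keyfile<N>_load="YES" line, require the matching _type
# and _name variables to be present as well. Returns 1 and lists what is missing.
geli_keyfile_complete() {
    status=0
    for base in $(sed -n 's/^\(geli_[A-Za-z0-9]*_keyfile[0-9]*\)_load="YES"$/\1/p' "$1"); do
        for suffix in type name; do
            grep -q "^${base}_${suffix}=\"" "$1" || {
                printf 'missing %s_%s\n' "$base" "$suffix" >&2; status=1
            }
        done
    done
    return $status
}

# Demo: build the stanza for the setup in the post into a scratch file and check it.
# On a real system, append to /boot/loader.conf only after both checks pass.
demo=$(mktemp)
geli_loader_stanza ada0 0 'da1p2:/key.file' > "$demo"
if lint_loader_conf "$demo" && geli_keyfile_complete "$demo"; then
    echo "loader.conf fragment OK"
fi
rm -f "$demo"
```

Run it as `sh geli_stanza_check.sh`; to check an existing file instead, source the script and call `lint_loader_conf /boot/loader.conf && geli_keyfile_complete /boot/loader.conf`.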
 
I haven't heard of using geli through /boot/loader.conf.
I've added .eli inside /etc/fstab behind each slice or partition. Something like
Code:
da1p2.eli    /mnt/tmp  ufs  rw,noauto  1  1
Then again, this is a simple way to encrypt filesystems, usually swap, without a password. Someone else will have to answer.
 
Hi sidetone,

Thanks for your reply. I'm not sure, however, that we're talking about the same thing. I'm talking about unlocking an encrypted hard drive during the boot process automatically before even a root partition is mounted (since it resides there), which takes place before any fstab rules are taken care of. If the disk / partition geli header only needs a plaintext password to unlock it, it is sufficient to add:

geom_eli_load="YES"

into /boot/loader.conf so the encrypted disk is correctly recognized and I'm prompted for the password. If you need to unlock it using a keyfile, you, of course, must specify the location of such a keyfile. The geli(8) manual is quite clear on that (see the Examples section).

Also, fstab rules are irrelevant here because I have root in ZFS pool on 2 mirrored HDDs, I simplified the matter for the sake of my question (true, I have fstab rules for /boot and swapfile, but that's also irrelevant here).

So I only want to make sure that I understand the geli(8) manual correctly and won't render my system unbootable via some stupid mistake (specifically whether the "type" and "name" parameters are OK).

Anyway, thanks for your time :).
 
All right,

I tried it, added the keyfile to the geli headers so I can now unlock the encrypted drive with the plaintext password OR the keyfile. The only problem is that my USB stick is recognized too late during the boot process. The encrypted HDD is recognized first and, since there is no USB stick available yet, I'm simply prompted for the plaintext password.

What now? Any workaround for this?

Thank you.
 
OK, there is another problem.

The loader.conf directives from the first post are working fine. I temporarily placed the keyfile in /boot, adjusted the directives and the system loads the key and tries to use it during boot. Unfortunately, it doesn't care that the keyfile was added with the -P option (no password used). It doesn't recognize that the keyfile isn't password protected and keeps asking for it. Hitting Enter doesn't help. (I'm sure it wants a password for the keyfile because the original password doesn't work for this.)

Moreover, if I don't type the "correct" keyfile password three times, it doesn't bother asking for the first (original) password; it just fails (apparently, it doesn't recognize that there are more keys / passwords available). So I had to boot from the FreeBSD install media and remove the keyfile directives from loader.conf that way in order to be able to boot from the HDD again (using the original password).

So it seems that my only option is to type a password every time my system boots (no matter whether I use a keyfile or not) and I can forget about having the keyfile stored at some separate external storage completely (which, in my opinion, renders the keyfiles useless for this matter).

I must say that I'm surprised (and a bit angry, too) that such an advanced system as FreeBSD can't handle this thing a lot better...
 
You're using a USB stick as a key (keyfile); I get it now. Sorry I couldn't help you. But a quick way to recover without the FreeBSD media, if the system locks up, is to boot into single-user mode, then mount with mount -u /.
If needed, the boot settings can be adjusted in loader.conf and by copying the kernel directory in /boot.
It's probably better to be patient and wait for an expert to help fix the issue.
 
I'm not sure if Thread installing-freebsd-on-geli-ufs.50570 answers your question.

kern.cam.boot_delay=
 