I have finally decided to go with FreeBSD for my server, but I still have some questions to clear up.
I want to use ZFS in combination with GELI, which is a pretty common thing I guess, since there are plenty of resources. I managed to set up an encrypted pool that works fine. There are only 2 little questions that remain.
I currently have 10 disks. Each disk has a GPT with one freebsd-zfs partition that is labeled with diskX. Then I added the GELI layer, which results in diskX.eli devices that are subsequently combined into a ZFS pool.
Additionally there is a root pool which contains the OS, that is encrypted as well (set up via automated installer). The root disk is protected by a passphrase (secret) and a keyfile (public on unencrypted /boot, just as a salt). The root disk contains key files for each pool disk. So the idea is that you only have to unlock root and the other disks get unlocked after that. This should be enough for reasonable security.
The root pool gets decrypted on boot via the loader; the other disks I currently decrypt by running a script after the system has booted. I will automate this with an rc.d script, but there might be a better solution for this. This is the reason for asking here.
The other thing I thought of is having a secondary passphrase. I might think of something as a failsafe, since the current passphrase is only in my memory and pretty complex. So I want to add something like a long sequence of words that are random but that can be reconstructed in some way. So the question is: is it possible (and reasonable) to add a second passphrase to GELI?
Thanks for your time!