ZFS Autonomous keyfile attachment at boot doesn't work

G'day all,

I configured a zpool mirror using the outlined steps. The NFS share is working fine, and I've been able to mount it and use it without any issues. However, I need to key in the encryption password each time I start the server for each disk drive. I tried configuring the autonomous keyfile attachment at boot, but that didn't work. What should I do to get this to work without needing to enter the encryption password during the server boot process?

Code:
Added these to /boot/loader.conf to ensure they load at boot time:
echo 'geom_eli_load="YES"' >> /boot/loader.conf
echo 'zfs_load="YES"' >> /boot/loader.conf

dd if=/dev/random of=/root/zfs-keyfile bs=64 count=1
geli init -K /root/zfs-keyfile /dev/ada0 /dev/ada1
geli attach -k /root/zfs-keyfile /dev/ada0 /dev/ada1
zpool create tank mirror /dev/ada0.eli /dev/ada1.eli
zfs create tank/mydata
zfs set compression=lz4 tank/mydata
chmod 777 /tank/mydata/

Configured the NFS Share:
sysrc nfs_server_enable="YES"
sysrc mountd_enable="YES"
sysrc rpcbind_enable="YES"
echo "/tank/mydata -maproot=root aaa.bbb.ccc.ddd/24" >> /etc/exports


Added the following to the /etc/rc.conf to support autonomous key file attachment:
echo 'geli_ada0_flags="-k /etc/zfs-keyfile"' >> /etc/rc.conf
echo 'geli_ada1_flags="-k /etc/zfs-keyfile"' >> /etc/rc.conf
echo 'geli_devices="ada0 ada1"' >> /etc/rc.conf
echo 'zfs_enable="YES"' >> /etc/rc.conf

Much appreciate any help. :)
 
What should I do to get this to work without needing to enter the encryption password during the server boot process?
Code:
geli init -K /root/zfs-keyfile /dev/ada0 /dev/ada1
geli attach -k /root/zfs-keyfile /dev/ada0 /dev/ada1
You need to initialize the disks with the geli(8) "-P" option:
Code:
                -P                Do not use a passphrase as a component of
                                  the User Key.  Cannot be combined with the
                                  -J option.

Example:
Code:
geli init -P -K /root/zfs-keyfile /dev/ada0 /dev/ada1
geli attach -p -k /root/zfs-keyfile /dev/ada0 /dev/ada1
Note that this will use the weaker key length of 128 instead of 256 (look for option -l). Check also "-s sectorsize"; see EXAMPLES in the manual.


Added the following to the /etc/rc.conf to support autonomous key file attachment:
Code:
echo 'geli_ada0_flags="-k /etc/zfs-keyfile"' >> /etc/rc.conf
echo 'geli_ada1_flags="-k /etc/zfs-keyfile"' >> /etc/rc.conf
echo 'geli_devices="ada0 ada1"' >> /etc/rc.conf

Assuming /root/zfs-keyfile and /etc/zfs-keyfile are the same key file and the latter exists under /etc:
Code:
geli_groups="tank"
geli_tank_flags="-p -k /etc/zfs-keyfile"
geli_tank_devices="ada0 ada1"
See /etc/defaults/rc.conf for an example of GELI disk encryption configuration.

Note that /etc/zfs-keyfile must be located on an encrypted filesystem, one that is not accessible while it is still encrypted, for example a geli-encrypted Root-on-UFS or Root-on-ZFS.


Alternatively, save the key file on a USB device and attach / detach it as necessary. This can be configured in different ways.

Via /etc/rc.conf, as in your setup, or via /boot/loader.conf,
Code:
geli_da1s3a_keyfile_load="YES"
geli_da1s3a_keyfile_type="da1s3a:geli_keyfile"
geli_da1s3a_keyfile_name="/boot/keys/da1s3a.key"
See geli(8) EXAMPLES.

Via devd.conf(5): on attaching the USB device, mount the file system and execute a shell script that attaches the geli disks and imports the pool.

Finally, on device detach, export the pool and detach the geli devices from a shell script.
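An added check, not from this thread, that lints the geli_groups-style rc.conf settings shown above: it reports a group that lacks -p (so boot still prompts for a passphrase) or -k, and a key file that is missing or readable by group or others. It reads any file in rc.conf format and does not verify that the key file lives on an encrypted filesystem, which the post above says is required.

```sh
#!/bin/sh
# Lint the geli_groups settings in an rc.conf-format file (added example).
# Reports the common reasons a key-file setup still asks for a passphrase
# at boot, and a key file with unsafe permissions. Returns 0 when clean.

rc_value() {   # rc_value FILE VAR -> value of VAR="..." (last assignment wins)
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

check_geli_rc() {
    rc="$1"; rc_status=0
    grp_list=$(rc_value "$rc" geli_groups)
    if [ -z "$grp_list" ]; then
        echo "no geli_groups defined in $rc"; return 1
    fi
    for grp in $grp_list; do
        flags=$(rc_value "$rc" "geli_${grp}_flags")
        devs=$(rc_value "$rc" "geli_${grp}_devices")
        [ -n "$devs" ] || { echo "$grp: geli_${grp}_devices is empty"; rc_status=1; }
        # -p tells geli(8) the User Key has no passphrase component; without it
        # the rc script still prompts, exactly as in the original setup
        case " $flags " in
            *" -p "*) ;;
            *) echo "$grp: flags lack -p, boot will still ask for a passphrase"; rc_status=1 ;;
        esac
        keyfile=$(printf '%s\n' "$flags" | sed -n 's/.*-k  *\([^ ]*\).*/\1/p')
        if [ -z "$keyfile" ]; then
            echo "$grp: flags lack -k <keyfile>"; rc_status=1
        elif [ ! -f "$keyfile" ]; then
            echo "$grp: key file $keyfile not found"; rc_status=1
        else
            # columns 5-10 of 'ls -l' are the group and other permission bits;
            # anything but ------ means non-root users can read the key
            case "$(ls -ld "$keyfile" | cut -c5-10)" in
                ------) ;;
                *) echo "$grp: $keyfile is readable by group or others"; rc_status=1 ;;
            esac
        fi
    done
    return $rc_status
}

# Usage: check_geli_rc /etc/rc.conf
```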
 
Assuming /root/zfs-keyfile and /etc/zfs-keyfile are the same key file and the latter exists under /etc:
Thanks heaps for this information. Yes, that's correct. I copied the same file to /etc. I will follow these instructions. I have another question: I have two physical disks which I have used to create the zpool mirror. That led me to enter the encryption password twice, once for each disk. Is there a way to specify the encryption password once, regardless of the number of physical disks being used?

(Please note, my installation is not encrypted as I manually partitioned using UFS, I'm going to reinstall the OS again using ZFS.)
 