Today I upgraded one of my FreeBSD NAS servers from 14.4-RELEASE to 15.0-RELEASE, which worked fine, but after upgrading the userland and rebooting, the system never came back online.
After connecting a keyboard and monitor, FreeBSD now seems to prompt you to enter the encryption key of encrypted datasets with the ZFS property keylocation:prompt, instead of skipping them and displaying an error message.
This results in the boot process halting indefinitely, until you a) manually enter the passphrase, or b) manually press Ctrl + C, which makes the system inaccessible via SSH.
The changes responsible for this behavior are located in the function unlock_fs() in the script /etc/rc.d/zfskeys and are not mentioned in the 15.0 release notes at all.
Function in 14.4-RELEASE:
Code:
unlock_fs()
{
    local fs="$1"
    local kl="$2"
    local k="${kl##file://}"

    if [ "$k" ] && [ -f "$k" ] && [ -s "$k" ] && [ -r "$k" ]; then
        if [ "$(zfs get -Ho value keystatus "$fs")" = 'available' ]; then
            echo "Key already loaded for $fs."
        elif keytest=$(zfs load-key -n -L "$kl" "$fs" 2>&1); then
            echo "Loading key for $fs from $kl.."
            if ! keyload=$(timeout $zfskeys_timeout zfs load-key -L "$kl" "$fs" 2>&1) ; then
                if [ $? -eq 124 ]; then
                    echo "Timed out loading key from $kl for $fs"
                else
                    echo "Failed to load key from $kl for $fs:"
                    echo "$keyload"
                fi
            fi
        else
            echo "Could not verify key from $kl for $fs:"
            echo "$keytest"
        fi
    else
        echo "Key file $k not found, empty or unreadable. Skipping $fs.."
    fi
}
Function in 15.0-RELEASE:
Code:
unlock_fs()
{
    local fs="$1"
    local kl="$2"
    local k="${kl##file://}"

    if [ "$kl" == "prompt" ]
    then
        echo "Key prompt for $fs."
        if zfs load-key -L "$kl" "$fs" < /dev/tty > /dev/tty 2>/dev/tty ; then
            echo "Key loaded for $fs."
        else
            echo "Key failed to load for $fs."
        fi
    elif [ "$k" ] && [ -f "$k" ] && [ -s "$k" ] && [ -r "$k" ]; then
        if [ "$(zfs get -Ho value keystatus "$fs")" = 'available' ]; then
            echo "Key already loaded for $fs."
        elif keytest=$(zfs load-key -n -L "$kl" "$fs" 2>&1); then
            echo "Loading key for $fs from $kl.."
            if ! keyload=$(timeout $zfskeys_timeout zfs load-key -L "$kl" "$fs" 2>&1) ; then
                if [ $? -eq 124 ]; then
                    echo "Timed out loading key from $kl for $fs"
                else
                    echo "Failed to load key from $kl for $fs:"
                    echo "$keyload"
                fi
            fi
        else
            echo "Could not verify key from $kl for $fs:"
            echo "$keytest"
        fi
    else
        echo "Key file $k not found, empty or unreadable. Skipping $fs.."
    fi
}
Is there a way to make FreeBSD ignore encrypted datasets at boot again, like in previous releases, instead of halting boot indefinitely?
Alternatively, it would be nice if there was a timeout of some sort, but I guess I have to write a PR for that?
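An added example, not part of the original post or of /etc/rc.d/zfskeys: a pre-upgrade check that mirrors the branch order of the 15.0-RELEASE unlock_fs() quoted above and lists the datasets that would stop at the passphrase prompt. The function names and the sample dataset names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. classify_keylocation and boot_blockers are hypothetical helper
# names; the branch conditions are copied from the 15.0 unlock_fs() above.

# classify_keylocation KEYLOCATION -> prints prompt | file | skip
classify_keylocation()
{
    kl="$1"
    k="${kl##file://}"
    if [ "$kl" = "prompt" ]; then
        echo prompt     # passphrase is read from /dev/tty, with no timeout
    elif [ "$k" ] && [ -f "$k" ] && [ -s "$k" ] && [ -r "$k" ]; then
        echo file       # load-key runs under timeout $zfskeys_timeout
    else
        echo skip       # "Key file ... not found" message, boot continues
    fi
}

# boot_blockers: reads "name<TAB>keylocation" lines on stdin, as printed by
#   zfs list -H -o name,keylocation
# and prints the datasets that would take the prompt branch at boot.
boot_blockers()
{
    tab=$(printf '\t')
    while IFS="$tab" read -r name kl; do
        [ "$(classify_keylocation "$kl")" = prompt ] && echo "$name"
    done
    return 0
}

# Constructed sample input (dataset names are made up for illustration).
sample_listing()
{
    printf 'zroot\tnone\n'
    printf 'zroot/ROOT/default\tnone\n'
    printf 'tank/secure\tprompt\n'
    printf 'tank/backup\tfile:///nonexistent/backup.key\n'
}

# On a live system: zfs list -H -o name,keylocation | boot_blockers
sample_listing | boot_blockers
```

Running this on 14.4-RELEASE before the upgrade shows which datasets will change behavior, since the 14.4 function sends the same `prompt` datasets to the "Skipping" message instead.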