Hello.
I recently switched to FreeBSD desktop from GNU/Linux and I'm really happy with it, slowly finding my way around it.
My system is encrypted, with geom_eli_load="YES" in /boot/loader.conf and the necessary partitions listed in /etc/fstab. I enter my passphrase early on, before the Beastie menu and init scripts (it's that two-stage boot process, I suppose), and it works just fine.
I also have two storage USB sticks with GELI-encrypted partitions that I leave plugged in most of the time and only ever access manually to copy confidential files when needed.
The issue I encountered is that once I enter my passphrase and get past Beastie, I get 'nagged' for passwords for those external drives during the storage mounting phase of the init process, with the startup ending up stuck waiting for the passphrases for my encrypted USB providers. This also stops me from muting the process altogether with boot_mute="YES" (which I'd prefer to do).
I am therefore forced to manually remove those external USB drives with encrypted partitions each time I boot the system and only insert them after it starts, that is, unless I can find a way around it.
geli(8) mentions that setting the kern.geom.eli.tries key to 0 disables attaching providers on boot and that it should be set in /boot/loader.conf. This is not an option, because while I can decrypt the first early boot part (before Beastie and init), this setting then breaks the automatic attachment of my rootfs.
rc.conf(5) has the geli_tries key, which apparently defaults to whatever is set in the kern.geom.eli.tries (same key as above) sysctl variable. Setting either of those, geli_tries in /etc/rc.conf or kern.geom.eli.tries in /etc/sysctl.conf, to 0 does not break the boot process, but unfortunately does not stop the USB polling and GELI provider attachment (decryption) prompts either.
As I mentioned before, I'd rather not decrypt those USBs automatically on boot and let them sit unencrypted, so attaching them in some automatic chain of decryption is not an option.
This leaves me with a question - can something be done? None of the other options listed in the man pages above or in the rc.conf code seem like a direct solution to me. Perhaps initialising the GELI providers on the USBs with some option?
I am not attaching specifics from /etc/fstab or about the encrypted boot process, because I don't entirely understand it yet and don't want to clutter the thread with potentially useless information. I also searched the Storage forum for the phrase "geli usb" and wasn't able to find anything directly relatable to my issue here.