I have a ZFS pool with 9 harddrives that is encrypted with GELI.
When I reboot I have to type in a password for each disk to unlock it. Typing in only one password for all harddrives is secure enough for me. But how can I do this?
I read it's possible to create a small file with keys to all the harddrives. So I tried that solution.
First I created a file with dd:
[CMD=""]dd if=/dev/zero of=/root/geli.vol bs=64k count=16[/CMD]
Then I created a memorydisk with the command:
[CMD=""]mdconfig -a -t vnode -f /root/geli.vol -u 100[/CMD]
A new device got created as /dev/md100.
Then I encrypted and attached it with GELI:
[CMD=""]geli init -s 4096 /dev/md100[/CMD]
[CMD=""]geli attach /dev/md100[/CMD]
A file system was needed, so I created a filesystem:
[CMD=""]newfs /dev/md100.eli[/CMD]
After that, I mounted it and copied over all the GELI keys for the harddrives.
The harddrives have been created like this (no password, only keys):
[CMD=""]geli init -P -s 4096 -K /root/geli.keys/ada0.key /dev/ada0[/CMD]
The problem now is: how do I get this to work in the boot process?
In /etc/rc.conf there is this:
Code:
geli_devices=""
geli_ada0_flags=""
There is no md100 device when I boot. How can I create the md100 device from the /root/geli.vol file when the system boots?
Another question I have is whether this is a good solution. Are there better alternatives?
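One way to do the boot-time part asked about above, as an added example that is neither from the original post nor from FreeBSD: an rc.d script that creates md100 from /root/geli.vol, asks for the passphrase once, attaches each disk with its keyfile, and then closes the key volume again so the keys are not left readable. It assumes the keys are named <disk>.key inside the volume, a mount point of /var/run/gelikeys, a pool called tank, and a GELIKEYS_DRYRUN switch that only prints the commands; the rc.subr glue (load_rc_config, run_rc_command) is left out so the script runs standalone, and the disks are deliberately not listed in geli_devices because the stock /etc/rc.d/geli runs before file-backed memory disks exist.

```shell
#!/bin/sh
# Added example, not from the original post: /usr/local/etc/rc.d/gelikeys
# Creates the key volume from its backing file, unlocks it with a single
# passphrase, attaches every disk with its keyfile, then closes the key
# volume again so the keys are not left readable on the running system.
# Assumed names: /root/geli.vol (md100), keys named <disk>.key inside it,
# a pool called "tank". Edit the values here or set them in the environment.
# PROVIDE: gelikeys
# REQUIRE: mountcritlocal
# BEFORE: zfs

: "${GELIKEYS_VOL:=/root/geli.vol}"
: "${GELIKEYS_UNIT:=100}"
: "${GELIKEYS_MNT:=/var/run/gelikeys}"
: "${GELIKEYS_DISKS:=ada0 ada1 ada2 ada3 ada4 ada5 ada6 ada7 ada8}"
: "${GELIKEYS_POOL:=tank}"
: "${GELIKEYS_DRYRUN:=0}"

# run: execute a command, or only print it when GELIKEYS_DRYRUN=1
run() {
    if [ "$GELIKEYS_DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

gelikeys_start() {
    md="md${GELIKEYS_UNIT}"
    run mdconfig -a -t vnode -f "$GELIKEYS_VOL" -u "$GELIKEYS_UNIT"
    run geli attach "/dev/$md"                     # the one passphrase prompt
    run mkdir -p "$GELIKEYS_MNT"
    run mount -o ro "/dev/${md}.eli" "$GELIKEYS_MNT"
    for d in $GELIKEYS_DISKS; do
        # -p/-k mirror the 'geli init -P -K' the disks were created with
        run geli attach -p -k "${GELIKEYS_MNT}/${d}.key" "/dev/$d"
    done
    # the disks stay attached; the key store itself is closed immediately
    run umount "$GELIKEYS_MNT"
    run geli detach "/dev/${md}.eli"
    run mdconfig -d -u "$GELIKEYS_UNIT"
    if [ -n "$GELIKEYS_POOL" ]; then run zpool import "$GELIKEYS_POOL"; fi
}

gelikeys_stop() {
    if [ -n "$GELIKEYS_POOL" ]; then run zpool export "$GELIKEYS_POOL"; fi
    for d in $GELIKEYS_DISKS; do run geli detach "/dev/${d}.eli"; done
}

# rc(8) invokes the script with start/faststart at boot and stop at shutdown
case "${1:-}" in
    start|faststart) gelikeys_start ;;
    stop|faststop)   gelikeys_stop ;;
esac
```

Run it once by hand with GELIKEYS_DRYRUN=1 to review the exact command sequence before making it executable for rc(8).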