GELI automatic attach on boot without password prompt

Hello,

Is it possible to specify, maybe in /boot/loader.conf, the password (obviously in the clear) of a GELI partition and make it attach automatically on boot, without asking for the password?

I know this would defeat the purpose of having an encrypted partition, but I no longer need the encryption, I'd just like it to be available at boot.

Thanks.
 
I'm not sure a password file or specifying it in a config file would be possible (although my money is on "no"), but you should be able to replace the password with a keyfile: delete the current password-using key, create a random keyfile (e.g. by using dd and /dev/random) and set a new keyfile-using key.

Edit: Or perhaps just add a keyfile-using key if you're not currently using both key slots.
 
Hi,

I am also tinkering around with geli and disk encryption and stumbled upon the following:

Chapter 18.14.2.1. Using the geli rc.d Script in the FreeBSD Manual (http://www.freebsd.org/doc/handbook/disks-encrypting.html) states that you can use the -p flag when configuring your rc.conf for mounting encrypted disks during startup. If you do this, geli will not ask for a password.

However, it is not clear to me how the security of the encrypted drive or partition can be preserved with an option like this. The only possibility is - and I am not sure if I understood it correctly - that during the geli init <etcetc> command the parameter -P needs to be provided to enable the option for a passwordless mount during boot time for that volume. I have not tried this yet; it would be great if somebody else could confirm my theory.

best,
mm
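The keyfile migration sketched in the first reply (random keyfile via dd, add a keyfile-only key, drop the passphrase key) together with the rc.conf -p/-k settings the second reply refers to, as an added example script that is not from the thread or from the FreeBSD project. The device name ada1p2, the keyfile path /root/ada1p2.key and the GELI_DRY_RUN switch are assumptions; the geli flags are those of geli(8).

```shell
#!/bin/sh
# Move a GELI provider from a passphrase key to a keyfile-only key so it
# can be attached at boot without a prompt. Device and keyfile path are
# illustrative; GELI_DRY_RUN=1 prints the commands instead of running them.
set -eu

# Run a command, or only print it when GELI_DRY_RUN=1 (assumed switch).
run() {
    if [ "${GELI_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the rc.conf lines that attach $1 (e.g. ada1p2) with keyfile $2.
# -p: no passphrase, -k: keyfile (geli(8) attach flags).
rc_conf_lines() {
    dev=$1; keyfile=$2
    printf 'geli_devices="%s"\n' "$dev"
    printf 'geli_%s_flags="-p -k %s"\n' "$dev" "$keyfile"
}

# $1 device, $2 keyfile, $3 slot holding the passphrase key (default 0).
# GELI has two key slots, so the new key goes into the other one.
migrate_to_keyfile() {
    dev=$1; keyfile=$2; old_slot=${3:-0}
    new_slot=$(( ($old_slot + 1) % 2 ))
    # 64 random bytes are enough; keep the file root-only.
    run dd if=/dev/random of="$keyfile" bs=64 count=1
    run chmod 0400 "$keyfile"
    # -n: slot for the new key, -K: new keyfile, -P: no new passphrase.
    # On a detached provider geli asks for the current passphrase once;
    # on an attached one it uses the in-kernel master key.
    run geli setkey -n "$new_slot" -K "$keyfile" -P "/dev/$dev"
    # Confirm "geli attach -p -k $keyfile /dev/$dev" works on the detached
    # provider before this step: it destroys the passphrase key for good.
    run geli delkey -n "$old_slot" "/dev/$dev"
    rc_conf_lines "$dev" "$keyfile"
}

if [ $# -ge 2 ]; then
    migrate_to_keyfile "$@"
fi
```

Append the printed rc.conf lines to /etc/rc.conf; the keyfile then has to be readable by the geli rc.d script at boot, so it must live on an unencrypted filesystem such as the root partition.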
 