geli, full disc encryption and reboot -r

I read about Geli full disc encryption, but did not like that on boot you have to sit at the console to enter the disk password. I'd like to be able to restart my home server from work after a power failure.

I googled a lot and finally found this mailing list posting:

- There is an unencrypted FreeBSD (caveat: kernel must match that of the encrypted system, care when upgrading)

- System boots into that unencrypted FreeBSD

- I access that unencrypted system over SSH

- Encrypted system is unlocked

- reboot -r is used to boot into that system (man reboot explains that quite well)

Edit: the first point of the quote is wrong; the encrypted system gets the kernel of the unencrypted system.

I wondered why I hadn't found more postings with the reboot -r pattern.

Anyway, I liked the idea, especially as the unencrypted first system is fully working and can send me an email that it needs attention and needs me to ssh in and enter the Geli password for the second system.
Of course, on booting the machine might already be sitting in a burglar's home. But I could have a webcam pointing at the machine...
Or the burglar could have manipulated the sshd of the first system to log my password. But he could also manipulate the keyboard, or the keyboard driver of the boot loader, so entering the password directly on the computer does not help.

So I wanted to try this out, set up a Virtualbox and ran the FreeBSD installer.

Actually, the idea was rather easy to set up.

From the installer UI I partitioned the disk, with no mount point for the Geli partitions.

Code:
root@geliboot:~ # gpart show
=>      40  33554352  ada0  GPT  (16G)
        40      1024     1  freebsd-boot  (512K)
      1064   4194304     2  freebsd-ufs  (2.0G)
   4195368   4194304     3  freebsd-swap  (2.0G)
   8389672   8388608     4  freebsd-ufs  (4.0G)
  16778280  16775168     5  freebsd-ufs  (8.0G)
  33553448       944        - free -  (472K)

root@geliboot:~ # df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/ada0p2    1.9G    1.3G    537M    71%    /
devfs          1.0K    1.0K      0B   100%    /dev

Geli inited 4 and 5:

Code:
root@geliboot:~ # geli init -b -e AES-XTS -l 256 -s 4096 /dev/ada0p4
root@geliboot:~ # geli attach /dev/ada0p4

root@geliboot:~ # geli status

      Name  Status  Components

ada0p4.eli  ACTIVE  ada0p4
ada0p5.eli  ACTIVE  ada0p5

root@geliboot:~ # newfs -t -U -L rootfs /dev/ada0p4.eli

mounted it:

Code:
root@geliboot:~ # mkdir /mnt/ada0p4.eli
root@geliboot:~ # mount /dev/ada0p4.eli /mnt/ada0p4.eli/

copied the root file system:

Code:
root@geliboot:~ # rsync -av --exclude="lost+found" --exclude="mnt" --exclude="proc" --exclude="dev" /  /mnt/ada0p4.eli/

root@geliboot:~ # kenv "vfs.root.mountfrom=ufs:/dev/ada0p4.eli"
vfs.root.mountfrom="ufs:/dev/ada0p4.eli"

root@geliboot:~ # reboot -r

It actually booted into ada0p4.eli but complained about /dev.

So I rebooted, mounted it and mkdir'ed /dev and /proc.
I also renamed the second machine to geli in its rc.conf.

Next time it worked!!

geliboot still prompted for the password, and would not continue booting until I entered it. I guess I should have left out the -b option.

So I removed geli from loader.conf, no more password prompt, but have to do things by hand:

Code:
root@geliboot:~ # geli load
root@geliboot:~ # geli attach /dev/ada0p4
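
An added example, not code from the post or the mailing list thread: a small sh script for the unencrypted boot system that performs the unlock-and-reroot step above, with the checks the procedure calls for (is the provider already attached, is the file system clean, does the copied userland match the running kernel, since reboot -r keeps it). It assumes the post's layout (ada0p4 holds the encrypted root); the `ELI_DEV`/`MNT` variables, the `--run` flag and the helper names are my own.

```shell
#!/bin/sh
# reroot.sh (added example): unlock the geli root from the unencrypted boot system
# and re-root into it. Partition names follow the post; ELI_DEV, MNT and --run are assumptions.
ELI_DEV=${ELI_DEV:-ada0p4}            # partition carrying the encrypted root
MNT=${MNT:-/mnt/$ELI_DEV.eli}          # scratch mount point, as in the post

# Succeed if the "geli status" output on stdin lists $1.eli as ACTIVE.
eli_is_attached() {
    awk -v name="$1.eli" '$1 == name && $2 == "ACTIVE" { found = 1 } END { exit !found }'
}

# The vfs.root.mountfrom value that reboot -r consumes.
mountfrom_for() {
    printf 'ufs:/dev/%s.eli\n' "$1"
}

# reboot -r keeps the running kernel, so the userland on the encrypted root must
# belong to the same release. Patch levels (-pN) legitimately differ between kernel and userland.
versions_match() {   # $1: uname -r of the running kernel, $2: freebsd-version -u of the target
    [ "${1%-p*}" = "${2%-p*}" ]
}

main() {
    set -e
    if ! geli status | eli_is_attached "$ELI_DEV"; then
        geli load
        geli attach "/dev/$ELI_DEV"     # passphrase is read from the SSH session
    fi
    fsck -p "/dev/$ELI_DEV.eli"         # never re-root onto a dirty file system
    mkdir -p "$MNT"
    mount "/dev/$ELI_DEV.eli" "$MNT"
    # freebsd-version -u prints the version compiled into that copy of the script,
    # so running the copy from the encrypted root reports its userland, not ours.
    target=$(sh "$MNT/bin/freebsd-version" -u)
    umount "$MNT"
    if ! versions_match "$(uname -r)" "$target"; then
        echo "kernel $(uname -r) does not match target userland $target; not re-rooting" >&2
        exit 1
    fi
    kenv "vfs.root.mountfrom=$(mountfrom_for "$ELI_DEV")"
    reboot -r
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh reroot.sh --run` from the SSH session on the unencrypted system; without `--run` it only defines the functions.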

Added swap:

Code:
root@geliboot:~ # geli onetime -d -e 3des ada0p3

root@geli:~ # cat /etc/fstab
# Device        Mountpoint      FStype  Options Dump    Pass#
#/dev/ada0p2    /               ufs     rw      1       1
#/dev/ada0p3    none            swap    sw      0       0
/dev/ada0p5.eli /data           ufs     rw      1       1
/dev/ada0p3.eli none            swap    sw      0       0
root@geli:~ # swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ada0p3.eli   2097152        0  2097152     0%
 
I reinstalled my home server (NUC7CJYH2 Celeron J4005, 8G ram) as I had tested above in VirtualBox.
I did some performance benchmarks before and after with the DaCapo benchmark suite.

This benchmark uses different Java suites based on widely used applications like Tomcat, Wildfly, Eclipse, Lucene or Cassandra.

I was quite surprised that after the conversion to Geli encryption my benchmarks actually ran a little bit faster, only Lucene search (which is disk intensive) a bit slower.

Code:
java -version
openjdk version "11.0.7" 2020-04-14
..
java -jar dacapo-evaluation-git-309e1fa.jar -C tradebeans
..
===== DaCapo evaluation-git+309e1fa tradebeans PASSED in 52816 msec =====
===== DaCapo evaluation-git+309e1fa tradesoap PASSED in 9848 msec =====
===== DaCapo evaluation-git+309e1fa lusearch PASSED in 3591 msec =====
===== DaCapo evaluation-git+309e1fa cassandra PASSED in 12810 msec =====
After:
Code:
java -jar dacapo-evaluation-git-309e1fa.jar -C tradebeans
===== DaCapo evaluation-git+309e1fa tradebeans PASSED in 48407 msec =====
===== DaCapo evaluation-git+309e1fa tradesoap PASSED in 9089 msec =====
===== DaCapo evaluation-git+309e1fa lusearch PASSED in 3660 msec =====
===== DaCapo evaluation-git+309e1fa cassandra PASSED in 10256 msec =====
 