GELI keys not found

I'm having trouble setting up geli and zfs. My root partition is on a pendrive; the rest is using a zfs pool over 3 disks. The master key(s) are backed up using a password as well.

This is my /boot/loader.conf
Code:
geom_eli_load="YES"
geli_ad10_keyfile0_load="YES"
geli_ad10_keyfile0_type="ad10:geli_keyfile0"
geli_ad10_keyfile0_name="/boot/keys/ad10.key"
geli_ad12_keyfile0_load="YES"
geli_ad12_keyfile0_type="ad12:geli_keyfile0"
geli_ad12_keyfile0_name="/boot/keys/ad12.key"
geli_ad14_keyfile0_load="YES"
geli_ad14_keyfile0_type="ad14:geli_keyfile0"
geli_ad14_keyfile0_name="/boot/keys/ad14.key"
...
When the system is mounting, it asks for a password, which when typed is incorrect. Obviously it isn't; it must be that the keys are not seen correctly.

Then I tried adding the following to /boot/loader.conf
Code:
currdev="disk1s1a"
rootdev="disk1s1a"
vfs.root.mountfrom="ufs:da0s1a"

Same thing (not surprising, since it's already the default). I couldn't find in the manuals if I should tweak something else.

If I use only a password without random keys for encryption, it works.

Any suggestions, please?
 
The keyfiles are on the filesystem on top of da0s1a, so you can insert da0s1a into /etc/fstab on your pendrive. This should provide the keys inside /root during boot.

Code:
#Device         Mountpoint      FStype  Options Dump    Pass#
da0s1a          /               ufs     rw      1       1
 
fstab is ok. And keys are in the boot directory, as specified in /boot/loader.conf.

I found what the issue is, but I don't know how to solve it. I was using glabel to specify labels such as
Code:
glabel label -v disk0 /dev/ad10
This time I didn't, and it was OK.

So how do I change loader.conf to specify disk0? I couldn't find it in the manual, and I tried virtually every combination.

Thanks.
 
You need to first label the device:
Code:
glabel label disk0 ad10
then geli init the labeled device, e.g. like this
Code:
geli init ... label/disk0
then
Code:
geli attach ... label/disk0

That will give you a device node called /dev/label/disk0.eli, which you can use for the zfs pool. Unfortunately, since you already encrypted ad10, you may have to back it up and restore the data after you've redone it.

When the above is done, you will also need to fix /boot/loader.conf:
Code:
...
geli_label_ad10_keyfile0_load="YES"
geli_label_ad10_keyfile0_type="label/ad10:geli_keyfile0"
geli_label_ad10_keyfile0_name="/boot/keys/ad10.key"
...
 
bes said:
When the above is done, you will also need to fix /boot/loader.conf:

Ok, this is what I was looking for!
The rest is fine.
Will try but I bet it will work.
I knew it was just a matter of fixing the config file, but I couldn't find anywhere what the syntax is.
Thanks!
 
fixed

Sorry for the typo!
Code:
...
geli_label_disk0_keyfile0_load="YES"
geli_label_disk0_keyfile0_type="label/disk0:geli_keyfile0"
geli_label_disk0_keyfile0_name="/boot/keys/ad10.key"
...
fixed.
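The two mistakes in this thread (keyfile entries that still name ad10/ad12 after the provider was relabelled, and a hand-typed entry that does not match the label) are easy to catch before rebooting. The following sh script is an added example, not code from the thread or from FreeBSD: it generates the _load/_type/_name triple for a labelled provider in the form bes posted, and checks an existing loader.conf for the tag format "<provider>:geli_keyfileN", a missing _load or _name line, and a provider name that does not exist. Two things are assumptions: the "label/disk0" to "geli_label_disk0_..." prefix is treated as the thread's naming convention only (the loader just needs a unique prefix plus the _type tag), and the list of known providers is a constructed stand-in for what you would read from `glabel status` and /dev on the real machine.

```shell
#!/bin/sh
# Added example (not from the thread). Generates and checks GELI keyfile
# entries for /boot/loader.conf in the form used in the thread.
#
# Assumptions: the prefix "geli_<provider with / -> _>" is a naming
# convention, not a loader requirement; the KNOWN_PROVIDERS list stands in
# for `glabel status` / /dev output and is constructed here.

# geli_loader_entries PROVIDER KEYFILE [N]
# Prints the _load/_type/_name lines for keyfile N (default 0) of PROVIDER.
geli_loader_entries() {
    prov=$1
    key=$2
    idx=${3:-0}
    pfx=$(printf '%s' "$prov" | tr '/' '_')   # label/disk0 -> label_disk0
    printf 'geli_%s_keyfile%s_load="YES"\n' "$pfx" "$idx"
    printf 'geli_%s_keyfile%s_type="%s:geli_keyfile%s"\n' "$pfx" "$idx" "$prov" "$idx"
    printf 'geli_%s_keyfile%s_name="%s"\n' "$pfx" "$idx" "$key"
}

# check_geli_loader_conf FILE [KNOWN_PROVIDERS]
# Scans every geli_*_keyfile*_type= line in FILE. KNOWN_PROVIDERS is a
# space-separated list of provider names that exist on the box.
# Prints one line per problem and returns 1 if any were found.
check_geli_loader_conf() {
    file=$1
    known=$2
    rc=0
    while IFS= read -r line; do
        case $line in
            geli_*_keyfile*_type=*) ;;
            *) continue ;;
        esac
        var=${line%%=*}                 # geli_label_disk0_keyfile0_type
        val=${line#*=}
        val=${val#\"}
        val=${val%\"}                   # label/disk0:geli_keyfile0
        pfx=${var#geli_}
        pfx=${pfx%_keyfile*}            # label_disk0
        idx=${var##*_keyfile}
        idx=${idx%_type}                # 0
        tprov=${val%%:*}                # label/disk0
        ttag=${val#*:}                  # geli_keyfile0
        base="geli_${pfx}_keyfile${idx}"

        # The tag after ':' must be geli_keyfile<N> with the variable's N.
        if [ "$ttag" != "geli_keyfile$idx" ]; then
            echo "$var: tag '$ttag' should be 'geli_keyfile$idx'"
            rc=1
        fi
        # Convention check only: prefix should mirror the provider name.
        if [ "$(printf '%s' "$tprov" | tr '/' '_')" != "$pfx" ]; then
            echo "$var: prefix '$pfx' does not match provider '$tprov'"
            rc=1
        fi
        # The thread's actual bug: an entry naming a provider that was never labelled.
        if [ -n "$known" ]; then
            case " $known " in
                *" $tprov "*) ;;
                *) echo "$var: provider '$tprov' is not a known device/label"; rc=1 ;;
            esac
        fi
        # A _type line without _load="YES" and _name loads nothing.
        grep -q "^${base}_load=\"YES\"" "$file" || { echo "$base: missing _load=\"YES\""; rc=1; }
        grep -q "^${base}_name=" "$file" || { echo "$base: missing _name"; rc=1; }
    done < "$file"
    return $rc
}

# Stand-alone demo on a constructed loader.conf: one entry for the relabelled
# disk and one that still uses the old ad12 name (labelled disk1 on this box).
demo_geli_loader_check() {
    tmp=$(mktemp) || return 1
    {
        geli_loader_entries label/disk0 /boot/keys/ad10.key
        geli_loader_entries label/ad12  /boot/keys/ad12.key
    } > "$tmp"
    check_geli_loader_conf "$tmp" "label/disk0 label/disk1 label/disk2" \
        || echo "loader.conf needs fixing before reboot"
    rm -f "$tmp"
}

demo_geli_loader_check
```

Run it once after editing loader.conf and before rebooting; on FreeBSD, build the provider list from `glabel status` (the label/NAME column) and the bare device names in /dev, and pass it as the second argument.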
 
Hehe, yeah I ended up experimenting again. Works fine now.
I need to find a way to enter the password once instead of for every single disk. The password is the same, the keys are different.
 