Geli memory device at boot

hello there!

I created an encrypted device with these commands:

Code:
# create a 100 MB image file and attach it as memory disk md0
dd if=/dev/urandom of=/usr/www.vol bs=1M count=100
mdconfig -a -t vnode -f /usr/www.vol -u 0
# 56-byte (448-bit) random keyfile
dd if=/dev/urandom of=/www.key bs=56 count=1
geli init -s 4096 -e Blowfish -l 448 -K /www.key /dev/md0
geli attach -d -k /www.key /dev/md0
# geli attach exposes the decrypted provider as /dev/md0.eli; the label and
# filesystem must go on that device, not on /dev/md0, or the data is written in the clear
bsdlabel -w /dev/md0.eli
newfs /dev/md0.elia
mount /dev/md0.elia /mnt
df -h

/dev/md0a            97M    4.0K     89M     0%    /mnt


How can I mount this memory device automatically on each boot without a password?!

I just want to protect the data from being ripped if this hard disk is placed in slave mode in another computer!


Thanks

Luiz
 
Alt said:
Sorry, you need to encrypt a memory disk? o_O
He still has the image stored on a local hard drive I think...

@OP: There are probably more elegant solutions, but one thing you could do is add something like the following to your /etc/rc.local:
Code:
# attach the image as md0, unlock it with the keyfile, then mount the decrypted provider
mdconfig -a -t vnode -f /usr/www.vol -u 0
geli attach -d -k /www.key /dev/md0
mount /dev/md0.elia /mnt

Alphons
 
fonz said:
He still has the image stored on a local hard drive I think...
yep...

@OP: There are probably more elegant solutions, but one thing you could do is add something like the following to your /etc/rc.local:
Code:
# attach the image as md0, unlock it with the keyfile, then mount the decrypted provider
mdconfig -a -t vnode -f /usr/www.vol -u 0
geli attach -d -k /www.key /dev/md0
mount /dev/md0.elia /mnt

Alphons

It will ask for the passphrase, right?
 
LuizBiazus said:
It will ask for the passphrase, right?
Depends on how you set things up. According to the man page (see geli(8)), the options -P and -p to # geli init and # geli attach respectively can be used to "disable" the passphrase.

[Edit:] I tried something like # echo "passphrase" | geli attach /dev/foo but that didn't work, geli(8) still asked me for a passphrase. So, I hope the options I mentioned above work for you.

Hope this helps,

Alphons
 
Alt said:
It's not possible to attach geli from rc.conf?
As I said in my initial reply, there are probably more elegant solutions than the one I proposed. But at least it should get the OP going until he works out a better method.

Using /etc/rc.local is pretty much considered obsolete nowadays. I still use it occasionally for quick fixes, which is why I suggested it in the first place, but once the OP gets things working he should probably consider switching to a /etc/rc.d/ script if he can be bothered to do so.

I'm not sure whether what the OP wants can be done with /etc/rc.conf because he needs to do an # mdconfig first, then a # geli attach and finally a # mount. If you (or anyone else) knows how to do all that - and in the right order, too - from /etc/rc.conf, then by all means let us know how.

Alphons
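As an added example (not code from the thread or from any of its posters), here is the kind of /etc/rc.d-style script the reply above points towards: it runs the three steps in the required order, mdconfig, then geli attach, then mount, and undoes the earlier steps if a later one fails, so a failed boot does not leave a half-attached md device behind. It assumes the provider was initialised with geli init -P -K /www.key (keyfile only, no passphrase) so that geli attach -p -k /www.key can run unattended, and it refuses to proceed if the keyfile is absent (for instance when it lives on a USB stick that is not plugged in) or is readable by anyone but its owner. The paths, unit number and mountpoint are the thread's; the DRY_RUN variable and the function names are this script's own, not geli(8) options.

```shell
#!/bin/sh
# Added example: bring up a geli-encrypted vnode-backed memory disk in order
#   mdconfig -> geli attach -> mount
# and roll back on failure. Assumes "geli init -P -K /www.key" was used, so
# no passphrase is needed. DRY_RUN (this script's own knob) prints commands
# instead of executing them.

# Refuse a keyfile that is missing (e.g. removable medium not present), empty,
# or readable by anyone other than its owner.
check_keyfile() {
    kf=$1
    if [ ! -s "$kf" ]; then
        echo "keyfile $kf missing or empty" >&2
        return 1
    fi
    perm=$(ls -ld "$kf" | cut -c1-10)
    case "$perm" in
        -rw-------|-r--------) return 0 ;;
        *) echo "keyfile $kf has permissions $perm, expected -rw-------" >&2
           return 1 ;;
    esac
}

# Execute a command, or just echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# attach_volume IMAGE KEYFILE UNIT MOUNTPOINT
attach_volume() {
    img=$1; key=$2; unit=$3; mnt=$4
    check_keyfile "$key" || return 1
    run mdconfig -a -t vnode -f "$img" -u "$unit" || return 1
    if ! run geli attach -d -p -k "$key" "/dev/md$unit"; then
        run mdconfig -d -u "$unit"              # undo step 1
        return 1
    fi
    # the decrypted provider is /dev/mdN.eli; the bsdlabel partition on it is mdN.elia
    if ! run mount "/dev/md$unit.elia" "$mnt"; then
        run geli detach "md$unit.eli"           # undo step 2
        run mdconfig -d -u "$unit"              # undo step 1
        return 1
    fi
    return 0
}

# Reverse order for shutdown (the "stop" action). Because attach used -d,
# geli detaches by itself on the last close, so a failing explicit detach is fine.
detach_volume() {
    unit=$1; mnt=$2
    run umount "$mnt" || return 1
    run geli detach "md$unit.eli" 2>/dev/null || true
    run mdconfig -d -u "$unit"
}

# rc.d-like entry point; as root: ./www_vol.sh start | stop
case "${1:-}" in
    start) attach_volume /usr/www.vol /www.key 0 /mnt ;;
    stop)  detach_volume 0 /mnt ;;
esac
```

Run with DRY_RUN=1 first to see the exact command sequence without touching any device; the order printed is the one fonz describes, and a rollback path is only taken when a step fails.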
 
fonz said:
As I said in my initial reply, there are probably more elegant solutions than the one I proposed. But at least it should get the OP going until he works out a better method.

Using /etc/rc.local is pretty much considered obsolete nowadays. I still use it occasionally for quick fixes, which is why I suggested it in the first place, but once the OP gets things working he should probably consider switching to a /etc/rc.d/ script if he can be bothered to do so.

I'm not sure whether what the OP wants can be done with /etc/rc.conf because he needs to do an # mdconfig first, then a # geli attach and finally a # mount. If you (or anyone else) knows how to do all that - and in the right order, too - from /etc/rc.conf, then by all means let us know how.

Alphons


Key without passphrase works... but the key will be on the hard disk, right? So even if someone can't see my memory device,
it can be copied (www.vol) together with its key, since this key will be in a normal directory, right!?

So there is no secure way to use geli automatically, right?
 
You can't have your cake and eat it too.

LuizBiazus said:
Key without passphrase works... but the key will be on the hard disk, right?

Or you could put the key on a USB stick, floppy, CD or some other medium that can be ejected once the encrypted volume has been attached.

LuizBiazus said:
So even if someone can't see my memory device, it can be copied (www.vol) together with its key, since this key will be in a normal directory, right!?

If the attacker knows where the keyfile is, yes.

LuizBiazus said:
So there is no secure way to use geli automatically, right?

To have any sort of encryption, you need some kind of variable (or challenge, if you like). Unless you have some of that nifty biometric scanning equipment this usually means a passphrase or a keyfile. Or both, but you need at least one.

Passphrases need to be typed in (or stored on disk, but that would essentially make them keyfiles), keyfiles need to be stored on an accessible medium (which could be removable though). You can prevent having to type a passphrase and you can prevent having a keyfile on disk, but you cannot prevent both.

It's not really a limitation in geli(8); it's the same with e.g. LUKS or TrueCrypt. It's just how (this kind of) encryption works. You need some way to specify some key somehow.

Alphons
 