Solved geli passphrase asked twice: on boot and afterwards

lib13

Active Member


Hi,

Previously, I only had these two lines in /etc/rc.conf:
Code:
geli_devices="ada2p1"
geli_ada2p1_flags=" -k /root/geli.key"

But due to other options, I want the passphrase to be asked during the initial phase of the boot process. So, what I did according to what I've read was to add these lines to /boot/loader.conf:
Code:
geom_eli_passphrase_prompt="YES"
geli_ada2p1_keyfile0_load="YES"
geli_ada2p1_keyfile0_type="ada2p1:geli_keyfile0"
geli_ada2p1_keyfile0_name="/boot/geli.key"

The encrypted slice (entire disk) is not root. And zfs is the filesystem of all disks.

What happens is that the passphrase is asked before the boot menu. After entering it, there's no feedback as to whether the key was correctly entered or not. The boot process continues up to the point where the passphrase is asked again, as in the old configuration. Only at this point is there confirmation that the passphrase was correctly introduced and the filesystem is mounted.

So, what is wrong, and what should I do so that the system only asks for the passphrase at the initial prompt and not a second time?
Another question: maybe I overlooked it, but where can I find documentation telling the format of the geli lines used in /boot/loader.conf? The only thing I see is in loader(8) regarding:
Code:
load_geli

tobik@

Daemon
Developer


I believe you need to add the BOOT flag to the device even if it is not the root partition (see geli(8)): geli configure -b ada2p1

lib13

Active Member


I believe you need to add the BOOT flag to the device (see geli(8)): geli configure -b ada2p1
But ada1p2 is just a container for data, it's not involved in the boot process. Is -b really useful for this situation?

tobik@

Daemon
Developer


I think so, yes. The flag just indicates to the kernel that the device needs unlocking at boot before the root partition is mounted, which I believe is what you want to do. That there is no data on it that is required for booting does not matter.

I think you can safely try this. The flag can be removed again with -B.
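As an added example (not code from the thread or from FreeBSD itself), the POSIX shell snippet below checks the two pieces of state this thread turns on: whether a geli provider already carries the BOOT flag that `geli configure -b` sets, and whether the /boot/loader.conf keyfile entries for a device are complete and all name the same device. It assumes that `geli list <provider>.eli` prints a line of the form "Flags: NONE" or "Flags: BOOT, GELIBOOT", and that loader.conf uses the key="value" form shown above; the sample outputs and loader.conf fragments embedded in the script are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: check geli BOOT flag state and loader.conf keyfile entries.
# On a real host:
#   geli list ada2p1.eli | geli_has_boot_flag && echo "BOOT flag set"
#   check_loader_keyfile ada2p1 < /boot/loader.conf

# Constructed sample of `geli list` output for a provider without the BOOT flag.
SAMPLE_LIST_NONE='Geom name: ada2p1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: NONE
Providers:
1. Name: ada2p1.eli
Consumers:
1. Name: ada2p1'

# The same provider after `geli configure -b ada2p1` (constructed).
SAMPLE_LIST_BOOT='Geom name: ada2p1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: BOOT
Providers:
1. Name: ada2p1.eli
Consumers:
1. Name: ada2p1'

# loader.conf entries as used in the thread (constructed copy).
SAMPLE_LOADER_OK='geom_eli_passphrase_prompt="YES"
geli_ada2p1_keyfile0_load="YES"
geli_ada2p1_keyfile0_type="ada2p1:geli_keyfile0"
geli_ada2p1_keyfile0_name="/boot/geli.key"'

# A broken variant: _type names a different device and _name is missing.
SAMPLE_LOADER_BAD='geom_eli_passphrase_prompt="YES"
geli_ada2p1_keyfile0_load="YES"
geli_ada2p1_keyfile0_type="ada9p9:geli_keyfile0"'

# Exit 0 when the "Flags:" line of `geli list` output on stdin lists BOOT.
# Flags are matched as whole words, so GELIBOOT alone does not count.
geli_has_boot_flag() {
    awk '
        /^[ \t]*Flags:/ {
            n = split($0, f, /[:, \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "BOOT") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Exit 0 when loader.conf text on stdin carries, for device $1, the four
# settings from the thread with consistent values; otherwise print each
# missing or mismatched key and exit 1.
check_loader_keyfile() {
    awk -v dev="$1" '
        /^[ \t]*#/ || !/=/ { next }          # skip comments and non-assignments
        {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/"/, "", val)                # strip the quotes around the value
            conf[key] = val
        }
        END {
            ok = 1
            if (conf["geom_eli_passphrase_prompt"] != "YES") {
                print "missing: geom_eli_passphrase_prompt=\"YES\""; ok = 0 }
            k = "geli_" dev "_keyfile0_load"
            if (conf[k] != "YES") { print "missing: " k "=\"YES\""; ok = 0 }
            k = "geli_" dev "_keyfile0_type"
            if (conf[k] != dev ":geli_keyfile0") {
                print "bad or missing: " k " (expected " dev ":geli_keyfile0)"; ok = 0 }
            k = "geli_" dev "_keyfile0_name"
            if (conf[k] == "") { print "missing: " k " (path of the key file under /boot)"; ok = 0 }
            exit (ok ? 0 : 1)
        }
    '
}
```

Running `geli list ada2p1.eli | geli_has_boot_flag` before and after `geli configure -b ada2p1` shows whether the flag change actually landed in the provider's metadata, which is the cheap check to make before rebooting to test the single-prompt behaviour; the loader.conf check catches the typo class that silently produces the "prompt, no feedback, prompt again" symptom described above, since a keyfile0_type that names the wrong device gives the kernel nothing to attach.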