Solved geli passphrase asked twice: on boot and afterwards

Hi,

Previously, I only had these two lines in /etc/rc.conf:
Code:
geli_devices="ada2p1"
geli_ada2p1_flags=" -k /root/geli.key"

But due to other options, I want the passphrase to be asked during the initial phase of the boot process. So, what I did according to what I've read was to add these lines to /boot/loader.conf:
Code:
geom_eli_passphrase_prompt="YES"
geli_ada2p1_keyfile0_load="YES"
geli_ada2p1_keyfile0_type="ada2p1:geli_keyfile0"
geli_ada2p1_keyfile0_name="/boot/geli.key"

The encrypted slice (entire disk) is not root. And zfs is the filesystem of all disks.

What happens is that the passphrase is asked before the boot menu. After entering it, there's no feedback as to whether the key was correctly entered or not. The boot process continues up to the point where the passphrase is asked again, as in the old configuration. Only at this point is there confirmation that the passphrase was correctly entered and the filesystem is mounted.

So, what is wrong, and what should I do to have the system ask only for the initial passphrase and not a second time?
Another question: maybe I overlooked it, but where can I find documentation describing the format of the geli lines used in /boot/loader.conf? The only thing I see is in loader(8) regarding:
Code:
load_geli
.
 
I think so, yes. The flag just indicates to the kernel that the device needs unlocking at boot before the root partition is mounted, which I believe is what you want to do. That there is no data on it that is required for booting does not matter.

I think you can safely try this. The flag can be removed again with -B.
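As an added example (not from the thread), here is a small POSIX sh checker for the two conditions discussed above: the geli_*_keyfile0 entries in /boot/loader.conf and the BOOT flag on the provider, which `geli configure -b` sets and `-B` clears. The loader.conf text and `geli list` output below are constructed samples, not captured from a real system.

```shell
#!/bin/sh
# Added example: verify a geli provider is prepared for loader-stage unlocking.
# Both must hold: loader.conf has the geli_<dev>_keyfile0_* entries, and the
# provider carries the BOOT flag (geli configure -b <dev>; -B removes it).
# Inputs are passed as text so the check can run on captured output offline.

# usage: loader_conf_complete <dev> <loader.conf text>
# prints "ok" when all four keys are present, otherwise "missing: <keys>"
loader_conf_complete() {
    dev=$1; conf=$2; missing=""
    for key in geom_eli_passphrase_prompt \
               "geli_${dev}_keyfile0_load" \
               "geli_${dev}_keyfile0_type" \
               "geli_${dev}_keyfile0_name"; do
        printf '%s\n' "$conf" | grep -q "^${key}=" || missing="$missing $key"
    done
    [ -z "$missing" ] && echo ok || echo "missing:$missing"
}

# usage: has_boot_flag <dev> <geli list output>
# prints "yes" if the Flags: line of <dev>.eli contains BOOT, else "no"
has_boot_flag() {
    dev=$1; listing=$2
    printf '%s\n' "$listing" \
      | awk -v want="Geom name: ${dev}.eli" '
          $0 == want { in_dev = 1; next }
          /^Geom name:/ { in_dev = 0 }
          in_dev && /^Flags:/ && /BOOT/ { found = 1 }
          END { print (found ? "yes" : "no") }'
}

# Constructed sample input (same entries as the loader.conf in the question).
SAMPLE_CONF='geom_eli_passphrase_prompt="YES"
geli_ada2p1_keyfile0_load="YES"
geli_ada2p1_keyfile0_type="ada2p1:geli_keyfile0"
geli_ada2p1_keyfile0_name="/boot/geli.key"'

# Constructed sample in the shape of `geli list`: ada2p1 lacks BOOT, ada1p1 has it.
SAMPLE_LIST='Geom name: ada2p1.eli
State: ACTIVE
Flags: NONE
Geom name: ada1p1.eli
State: ACTIVE
Flags: BOOT'

# loader.conf is complete, but the provider has no BOOT flag yet.
loader_conf_complete ada2p1 "$SAMPLE_CONF"
has_boot_flag ada2p1 "$SAMPLE_LIST"
```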
 