GELI: Using one keyfile for several partitions in loader.conf

Hi,

I use GEOM_ELI for 4 drives on my home server. I use the same keyfile for all of the partitions. However, typing in my extraordinarily long password 4 times on each startup is cumbersome. Since I did not find any documentation on the geli syntax in loader.conf, I could not figure out yet how to tell geli to use the same keyfile for all partitions.

Any hints on how to do that?

Part of my loader.conf:
Code:
geom_eli_load="YES"
geli_ada1_keyfile0_load="YES"
geli_ada1_keyfile0_type="ada1:geli_keyfile0"
geli_ada1_keyfile0_name="/boot/keys/daten.key"
geli_ada2_keyfile0_load="YES"
geli_ada2_keyfile0_type="ada2:geli_keyfile0"
geli_ada2_keyfile0_name="/boot/keys/daten.key"
 
See the example section of geli(8). Your config looks correct; for each drive you need to tell it to use the same key (copy-paste job). If you don't want to type the password 4 times, either don't use passwords, or use passwords for the HDDs with the most important info.
 
Yep, the config works; the question was indeed how to make it work without typing the password 4 times.

Isn't there any way to use at least one keyfile for all partitions?
 
tty23 said:
Yep, the config works; the question was indeed how to make it work without typing the password 4 times.

Isn't there any way to use at least one keyfile for all partitions?

Keyfile and passphrase are 2 different things.
 
AFAIK currently you can't type 1 passphrase so that it would work for all drives. However, it would be a nice feature to have.
 
My hope was that if I could use the keyfile for all partitions, I would have to type in the password for that keyfile only once.

Anyway, thanks for the clarification!

Indeed, 1 password for a number of keyfiles would be a nice feature :)
 
Again, keyfiles and passphrases are different things. You can use keyfiles or a passphrase or both. Passphrases are not tied to keyfiles (and vice versa). Both passphrases and keyfiles are tied to the HDD.
 
You can, I've done this :)

Basically you create a mini file which acts as a separate encrypted filesystem. In this file you have the keys for the other devices.

I've created an rc script that looks like this:
Code:
#!/bin/sh

# PROVIDE: gelikeys
# BEFORE: LOGIN
. /etc/rc.subr

name="gelikeys"
rcvar=${name}_enable          # enabled with gelikeys_enable="YES" in /etc/rc.conf
start_cmd="${name}_start"
stop_cmd=":"                  # nothing to do on stop

gelikeys_start()
{
        echo "Unlocking encrypted drives."
        # Attach the file-backed container as md100, unlock it (this is the
        # single passphrase prompt) and mount it; /root/keys must already exist.
        mdconfig -a -t vnode -f /root/keys.geli -u 100
        geli attach /dev/md100
        mount /dev/md100.eli /root/keys
        # Attach each data provider with the shared keyfile and no passphrase
        # (-p: no passphrase, -k: keyfile). The container stays mounted afterwards.
        geli attach -p -k /root/keys/gelikeys.key /dev/label/93472
        geli attach -p -k /root/keys/gelikeys.key /dev/label/18885
        geli attach -p -k /root/keys/gelikeys.key /dev/label/8ABYQ
        geli attach -p -k /root/keys/gelikeys.key /dev/label/58198
        geli attach -p -k /root/keys/gelikeys.key /dev/label/63313
        geli attach -p -k /root/keys/gelikeys.key /dev/label/27794
        geli attach -p -k /root/keys/gelikeys.key /dev/label/85583
        geli attach -p -k /root/keys/gelikeys.key /dev/label/54776
        geli attach -p -k /root/keys/gelikeys.key /dev/label/89S1P
}

load_rc_config $name
run_rc_command "$1"
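As an added example (not the script posted above, and not part of this thread), the following sh script shows the one-time creation of such a key container and a boot-time attach routine that closes the container again once the data drives are open, so the shared keyfile is not left readable on the running system. It assumes the same paths, md(4) unit and two of the labels from the posted script, assumes the data providers are currently unlocked by a passphrase only, and installs the keyfile into geli key slot 1 so the existing passphrase in slot 0 keeps working. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the script posted above. One-time creation of the
# encrypted key container and a boot-time attach routine that locks the
# container again once the data drives are open. Paths, the md(4) unit and
# the label names are assumptions copied from the posted rc script.
# Set DRY_RUN=1 to print the commands instead of executing them.

KEYS_IMG="/root/keys.geli"          # file-backed container (assumed path)
KEYS_MNT="/root/keys"               # mount point while the container is open
KEYFILE="$KEYS_MNT/gelikeys.key"    # shared keyfile; exists only inside the container
MD_UNIT=100                         # md unit number, as in the posted script
DATA_PROVIDERS="/dev/label/93472 /dev/label/18885"   # two of the labels from the post

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Unlock the container (the only passphrase prompt) and mount it read-only.
keys_open() {
    run mdconfig -a -t vnode -f "$KEYS_IMG" -u "$MD_UNIT"
    run geli attach "/dev/md$MD_UNIT"
    run mount -o ro "/dev/md$MD_UNIT.eli" "$KEYS_MNT"
}

# Undo keys_open: after this the keyfile is no longer readable on the host.
keys_close() {
    run umount "$KEYS_MNT"
    run geli detach "/dev/md$MD_UNIT.eli"
    run mdconfig -d -u "$MD_UNIT"
}

# One-time setup: create the container, generate the keyfile, and install it
# as key slot 1 on every data provider (slot 0 keeps the existing passphrase).
gelikeys_setup() {
    run dd if=/dev/random of="$KEYS_IMG" bs=1m count=4
    run chmod 600 "$KEYS_IMG"
    run mdconfig -a -t vnode -f "$KEYS_IMG" -u "$MD_UNIT"
    run geli init -s 4096 "/dev/md$MD_UNIT"       # asks for the container passphrase
    run geli attach "/dev/md$MD_UNIT"
    run newfs "/dev/md$MD_UNIT.eli"
    run mkdir -p "$KEYS_MNT"
    run mount "/dev/md$MD_UNIT.eli" "$KEYS_MNT"
    run dd if=/dev/random of="$KEYFILE" bs=64 count=1
    run chmod 600 "$KEYFILE"
    for dev in $DATA_PROVIDERS; do
        # setkey prompts for the provider's current passphrase, then writes
        # the keyfile-only key (-P: no passphrase, -K: new keyfile) to slot 1.
        run geli setkey -n 1 -P -K "$KEYFILE" "$dev"
    done
    keys_close
}

# Boot-time attach: one passphrase for the container, keyfile for the rest,
# then the container is closed again. A failed provider is reported, not fatal.
gelikeys_attach() {
    keys_open
    for dev in $DATA_PROVIDERS; do
        run geli attach -p -k "$KEYFILE" "$dev" || echo "gelikeys: could not attach $dev" >&2
    done
    keys_close
}

case "${1:-}" in
    setup)  gelikeys_setup ;;
    attach) gelikeys_attach ;;
esac
```

Run `sh gelikeys.sh setup` once as root to build the container, then call `gelikeys_attach` from the rc script's start function instead of the inline attach lines. Because the container is unmounted and detached at the end of every run, the keyfile only exists in plaintext for the few seconds it takes to attach the drives; an attacker who later gets a shell on the box cannot simply copy it from /root/keys.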
 
If GELI partitions are encrypted with keyfiles, which are encrypted by a passphrase, and you use the same keyfile for encrypting four partitions, wouldn't decrypting a keyfile once provide a mechanism to decrypt all four partitions instantly? If it can't be specified in GELI commands, then GELI doesn't know that four partitions are using the same keyfile, and tries to load/decrypt the same keyfile 4 times in a row.

A workaround would be to use a keyfile/passphrase for the root partition, and for all other partitions use non-passphrased keyfiles contained somewhere on the root partition.
 
I have the same problem:
da1p4 AES with password
da1p5 Blowfish password + key
Basically you create a mini file which acts as a separate encrypted filesystem. In this file you have the keys for the other devices.

I've created an rc script that looks like this:
Where do I need to put this script? Can you please write a mini tutorial here? :)
 
Your own RC script files should be placed under the /usr/local/etc/rc.d/ folder.
And in /etc/rc.conf you add it with
Code:
gelikeys_enable="YES"

Sorry for reviving an old thread, but this information was missing.
 