GELI won't auto attach during system boot up.

Hi,

I have a storage system with ZFS on root and another ZFS pool encrypted with GELI, but the encrypted pool and drive don't work after reboot; I can't even find the .eli device being created under /dev.

Below is my loader.conf:
Code:
zfs_load="YES"
hw.ata.wc=0
aesni_load="YES"
vfs.zfs.cache_flush_disable=1
vfs.root.mountfrom="zfs:zroot"

geom_eli_load="YES"
geli_ada0p3_keyfile0_load="YES"
geli_ada0p3_keyfile0_type="ada0p3:geli_keyfile0"
geli_ada0p3_keyfile0_name="/boot/geli/disks.key"

The drive can be manually attached with the command line.
 
Instead of geli_ada0p3_keyfile0_* entries in /etc/rc.conf, I'd try this
Code:
geli_ada0p3_flags="-p -k /boot/geli/disks.key"

It worked for me here. Also, placing encryption keys in /boot doesn't make sense since it is not encrypted and is probably on the same physical drive.
 
marwis said:
Instead of geli_ada0p3_keyfile0_* entries in /etc/rc.conf, I'd try this
Code:
geli_ada0p3_flags="-p -k /boot/geli/disks.key"

It worked for me here. Also, placing encryption keys in /boot doesn't make sense since it is not encrypted and is probably on the same physical drive.

Hi,

The solution above doesn't work; it says
Code:
geli_ada0p3_flags="-p -k /boot/geli/disks.key not found

By the way, since my system is fully on ZFS, no mount point has been specified in fstab.
 
In order for /etc/rc.d/geli to attach the encrypted devices, they have to be specified in /etc/fstab. This can be seen in the geli_make_list() function in /etc/rc.subr:
Code:
geli_make_list()
{
        local devices devices2
        local provider mountpoint type options rest

        # Create list of GELI providers from fstab.
        while read provider mountpoint type options rest ; do
                case ":${options}" in
                :*noauto*)
                        noauto=yes
                        ;;
                *)
                        noauto=no
                        ;;
                esac

                case ":${provider}" in
                :#*)
                        continue
                        ;;
                *.eli)
                        # Skip swap devices.
                        if [ "${type}" = "swap" -o "${options}" = "sw" -o "${noauto}" = "yes" ]; then
                                continue
                        fi
                        devices="${devices} ${provider}"
                        ;;
                esac
        done < /etc/fstab

        # Append providers from geli_devices.
        devices="${devices} ${geli_devices}"

        for provider in ${devices}; do
                provider=${provider%.eli}
                provider=${provider#/dev/}
                devices2="${devices2} ${provider}"
        done

        echo ${devices2}
}

As far as I can see, /etc/rc.d/geli doesn't have any special handling for the devices used for ZFS.
 
Thus, what you might try to do is to add ada0p3 to /etc/fstab with no mountpoint, no filesystem and no options specified. It should not be mounted in a standard way, but GELI should prepare ada0p3.eli for ZFS to be used later.

The output of rcorder /etc/rc.d/* indicates that GELI is started sooner than ZFS, so there should be no problem.
 
Hi

Thanks for your comment; however, I would like to auto-mount the GPT partition instead of adaxp3.

The following configuration in /etc/rc.conf works during startup:
Code:
geli_devices="ada0p3 ada1p3 ada2p3 ada3p3"
geli_default_flags="-p -k /boot/geli/disks.key"
geli_autodetach="NO"

However, the following configuration with GPT doesn't work.
Code:
geli_devices="/dev/gpt/data-disk0 /dev/gpt/data-disk1 /dev/gpt/data-disk2 /dev/gpt/data-disk3 /dev/gpt/l2arc-disk0 /dev/gpt/slog-disk0"
geli_default_flags="-p -k /boot/geli/disks.key"
geli_autodetach="NO"

I found the following error message on boot:
Code:
Configuring Disk Encryption for gpt/data-disk0.
geli: Invalid number of arguments.
Attach failed; attempt 1 of 3.
geli: Invalid number of arguments.
Attach failed; attempt 2 of 3.
geli: Invalid number of arguments.
Attach failed; attempt 3 of 3.
.....
 
Ok, I think I have figured it out: the problem is due to incompatible naming on gpt. Removing the dash (-) solves the problem.

Anyway, thanks for your help.

Below is the working configuration:
Code:
geli_devices="gpt/datadisk0 gpt/datadisk1"
geli_default_flags="-p -k /boot/geli/disks.key"
geli_autodetach="NO"
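As an added example (not code from the thread and not FreeBSD's own rc.d/geli), this POSIX sh script shows one way a dash in a provider name can turn into a stray argument for geli attach: it assumes the rc script of that time replaced only '/' with '_' before evaluating `${geli_<name>_flags}`. It also includes a pre-flight check for geli_devices names so the problem is caught before a reboot.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. ASSUMPTION: the
# rc.d/geli of that era turned '/' into '_' in the provider name and then
# evaluated ${geli_<name>_flags}, using geli_default_flags when empty.

geli_default_flags="-p -k /boot/geli/disks.key"
geli_ada0p3_flags="-p -k /boot/geli/disks.key"   # per-device form from the thread

# Provider name -> variable-name fragment.
#   old:   only '/' becomes '_' (assumed older behaviour; a dash survives)
#   fixed: '/' and '-' both become '_'
provider_to_name() {
    case $2 in
        old)   printf '%s' "$1" | sed 's#/#_#g' ;;
        fixed) printf '%s' "$1" | sed 's#[/-]#_#g' ;;
    esac
}

# Flags that would be handed to "geli attach" for one provider.
flags_for_provider() {
    name=$(provider_to_name "$1" "$2")
    # With the dash kept, sh reads ${geli_gpt_data-disk0_flags} as parameter
    # "geli_gpt_data" with default word "disk0_flags"; that word is not
    # empty, so geli_default_flags is never consulted.
    eval "flags=\${geli_${name}_flags}"
    if [ -z "$flags" ]; then
        flags=$geli_default_flags
    fi
    printf '%s' "$flags"
}

# Resulting command line. geli attach takes exactly one provider argument,
# so a stray word in the flags yields "Invalid number of arguments".
attach_cmd() {
    printf 'geli attach %s %s' "$(flags_for_provider "$1" "$2")" "$1"
}

# Pre-flight check for geli_devices in rc.conf: after the '/' translation the
# name must be a valid sh identifier (letters, digits, underscore only).
provider_name_ok() {
    case "$(provider_to_name "$1" old)" in
        *[!A-Za-z0-9_]*) return 1 ;;
        *)               return 0 ;;
    esac
}

attach_cmd gpt/data-disk0 old;   echo    # bogus word, attach would fail
attach_cmd gpt/datadisk0 old;    echo    # default flags, works
```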
 