Solved How to mount FreeBSD 12 GELI encrypted ZFS root manually?

Hello! I have a FreeBSD 12 installation with a GELI encrypted ZFS root partition (created automatically by the installer). But now my HW died and I need to import and mount the root filesystem as an external disk. How can I mount this GELI encrypted ZFS root partition manually please?

Note: In the times of FreeBSD 11, I also had some GELI encrypted ZFS root installations, but I created them completely manually myself, I had the keys backed up etc., so I knew how to do all the steps. Now I am a little lost, because everything was created by the installer.

Are the installer steps documented somewhere?
Thanks!
 

SirDice

First you need to get past the encryption, you typically use:
geli attach -k /some/keyfile /dev/your/device

Once GELI is attached (no errors, key's correct, password etc) you'll get the *.eli device. From there you can use zfs import for example, or just zfs mount -a.
 

SirDice

I'm not entirely sure but I believe recent installers create a small unencrypted ZFS bootpool. You can import that, if I recall correctly the key is stored there.
 
... I need to import and mount the root filesystem as external disk.
Can't you boot the external disk? The BIOS/UEFI might have a boot device menu to choose which device to boot from. If not, changing the boot order in BIOS/UEFI should boot the external drive. Afterwards you can back up.
How can I mount this GELI encrypted ZFS root partition manually please?
Have a look at "mount FreeBSD encrypted ZFS from live CD AND find the root partition".
 
SirDice - the small unencrypted bootpool with the kernel is from the times of FreeBSD 11 - now, everything (kernel, root) is on the encrypted zroot and of course, there is also a small (512K) boot partition with the bootloader only. That's why it's a mystery to me.
 
T-Daemon - I am just curious how to mount this encrypted partition created by FreeBSD 12 installer - if I am not able to do it, I don't know everything important about my system. Backups are another story.
 
Found it: geli attach /dev/ada0p3 is enough! No key file, only a password (prompted by GELI)! So it is easier than I thought :)
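
The steps from this thread combined into one recovery script, as an added example that is not part of any post above. It assumes the installer-default pool name zroot and root dataset zroot/ROOT/default (canmount=noauto), an altroot of /mnt, and the /dev/ada0p3 partition mentioned above; run, eli_device, mount_encrypted_root and unmount_encrypted_root are hypothetical helper names.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed: pool "zroot", root dataset
# "zroot/ROOT/default" with canmount=noauto (installer defaults), altroot /mnt.
PROVIDER="${PROVIDER:-/dev/ada0p3}"   # partition named in the thread
POOL="${POOL:-zroot}"
ROOT_DS="${ROOT_DS:-$POOL/ROOT/default}"
ALTROOT="${ALTROOT:-/mnt}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands only, 0 = run them

# Print a command, and execute it unless DRY_RUN=1.
run() {
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Decrypted device node that GELI creates for a provider.
eli_device() {
    echo "$1.eli"
}

mount_encrypted_root() {
    # Passphrase-only provider: geli prompts on the terminal, no -k keyfile.
    run geli attach "$PROVIDER" || return 1
    if [ "$DRY_RUN" != 1 ] && [ ! -e "$(eli_device "$PROVIDER")" ]; then
        echo "missing $(eli_device "$PROVIDER")" >&2
        return 1
    fi
    # -f: pool was never exported by the dead machine. -N: import without
    # mounting. -R: keep every mountpoint under ALTROOT so the recovered "/"
    # does not cover the running system.
    run zpool import -f -N -R "$ALTROOT" "$POOL" || return 1
    # A canmount=noauto root dataset is skipped by "zfs mount -a".
    run zfs mount "$ROOT_DS" || return 1
    run zfs mount -a
}

# Release everything in reverse order when finished.
unmount_encrypted_root() {
    run zpool export "$POOL" || return 1
    run geli detach "$(eli_device "$PROVIDER")"
}

mount_encrypted_root    # with the default DRY_RUN=1 this only prints the plan
```

Run it once as-is to review the printed commands, then as root with DRY_RUN=0 to execute them.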
 