Installing for a usually-keyboardless/monitorless system with GELI password required on boot?

For years now, I've been setting up my FreeBSD servers with GELI encrypting nearly the entire disk (except for boot stuff). Long ago I did this manually, but in recent years I've been letting the standard FreeBSD installer process do it for me. When the machine powers up, it boots as far as requesting the GELI password for the disks. I physically walk to the machine, turn on the monitor, and type in the password. This is more or less all that I use the monitor and keyboard for - barring connectivity issues or whatever, I interact with the server almost exclusively through the network. And this is the way I like it - my main goal here is to prevent the disks' data from being read if they (or the whole machine) get stolen or some such thing.

I am soon going to be setting up a new server. The machine has a VGA port that I guess I can plug a monitor into (if VGA monitors still exist, lol), and USB ports that I can plug a keyboard and a FreeBSD installer thumb drive into, so installing won't be an issue. However, after installation, for day-to-day operation, I would kind of like to not even have the keyboard and monitor physically present. So I'm wondering: Is it possible to set it up so that when the machine powers up, I can somehow access it via the network in a way such that I can enter the GELI password, instead of needing to physically go there and hook up a keyboard and monitor? If so, how?

To be clear, if possible, I'd like to still have the option to enter the password via a physical keyboard and monitor too (for "emergency" cases when the network's down or whatever).

In case it matters, I will almost certainly be waiting for the imminent release of 14.0.

Thanks in advance.
 
This is possible. I haven't done this myself (because I don't have any geli-encrypted volumes), but on a forum on the internet there is this thread which talks about it...
Or you could use geliUnlocker, a bit different approach.
 
You can build a cheap IP KVM out of an ARM SBC (RPi Zero W + some CSI-2 HDMI adapter).

Or use an ARM SBC as a serial console / terminal server (still needs some RS232-to-TTL adapter).

In the first version you can even access the BIOS remotely.
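For the serial-console route, the loader's GELI passphrase prompt has to be reachable on the serial port while still appearing on the VGA console for the "emergency" keyboard case. The script below is an added example, not code from this thread; it writes the dual-console settings into loader.conf(5) idempotently and can verify an existing file. It assumes the terminal server is wired to the first UART and speaks 115200 baud.

```shell
#!/bin/sh
# Added example: put the loader (and its GELI passphrase prompt) on both the
# serial port and the video console. Assumptions: COM1/uart0 is the port the
# terminal server is attached to, and 115200 baud is what it expects.

# The settings loader.conf(5) needs, one key="value" per line.
serial_console_settings() {
    cat <<'EOF'
boot_multicons="YES"
boot_serial="YES"
comconsole_speed="115200"
console="comconsole,vidconsole"
EOF
}

# Ensure every setting above is present in $1 with the desired value;
# an existing line for the same key is replaced rather than duplicated.
apply_serial_console() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    serial_console_settings | while IFS= read -r line; do
        key="${line%%=*}"
        if grep -q "^${key}=" "$conf"; then
            sed -i.bak "s|^${key}=.*|${line}|" "$conf" && rm -f "$conf.bak"
        else
            printf '%s\n' "$line" >> "$conf"
        fi
    done
}

# Return 0 when $1 already carries every required setting verbatim, else 1.
check_serial_console() {
    conf="$1"
    serial_console_settings | while IFS= read -r line; do
        grep -qxF "$line" "$conf" || exit 1
    done
}

# Typical use on the server (as root):  apply_serial_console /boot/loader.conf
# Then reboot and watch the passphrase prompt arrive on the terminal server.
```

After the change, the same prompt is answered from whichever console you type on first, so a locally attached keyboard keeps working.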
 
There's a recent feature zfskeys which will autoload a key if stored on a zfs dataset. You can disable it via rc.conf after you put it in a physical space you don't control. It's another option even if it doesn't meet your requirements, but you have to store the password or key somewhere for non-interactive boot.

It's documented in 13.2 and higher; see rc.conf(5).

I haven't looked into how secure it is. I just found out about it reading 14.0 release notes.
 