Hi,
Thanks.
1. I have no idea how to set it up via UFS with a /boot partition; maybe you can share it, but as you can see, it's not the goal of this thread.
Is it a normal UFS? But how is it mounted then? Automatically?
2. I think the difference between the key-file and the password-file is that the password-file is provided at the init step; it is used to set the password as the passphrase. The key-file is used in combination with the password under the hood to authenticate with GELI. If you have a combination of keyfile and password, then if your disk is stolen, the attacker must know the password and have the keyfile.
Here is an example from the man page:
Initialize provider with the passphrase split into two files. The provider can be attached using those two files or by entering “foobar” as the passphrase at the geli prompt:
# echo foo > da0.pass0
# echo bar > da0.pass1
# geli init -J da0.pass0 -J da0.pass1 da0
# geli attach -j da0.pass0 -j da0.pass1 da0
# geli detach da0
# geli attach da0
Enter passphrase: foobar
You can decide to not use a passphrase and only use a keyfile.
3. Aha, I see: some redundancy so you always have a working copy and a secure device.
Best Regards,
1) There are a lot of manuals on how to do that, like this one.
But I prefer a slightly different scheme:
1. Generate keys
2. GEOM label the whole disk to prevent enumeration failures
3. GELI init of the labeled disk with the generated keys and the -b option to search for keys on boot; use -P if you don't want it to ask you for a passphrase while booting.
4. Create a zfs pool and its datasets on /dev/label/yourlabel.eli with -o altroot=/mnt, for example.
5. Create a bootable USB drive with a GPT scheme, gptzfsboot in a freebsd-boot partition and freebsd-ufs for the /boot partition (I do this with ufs labeling, e.g. 'myufsboot')
6. Install FreeBSD to /mnt
7. Create /mnt/myboot and mount /dev/ufs/myufsboot there.
8. Copy the whole /mnt/boot to /mnt/myboot
9. Rename /mnt/boot to /mnt/boot.orig
10. Create a symlink in /mnt/ named boot pointing to myboot/boot
11. Write to /mnt/etc/fstab:
/dev/ufs/myufsboot /myboot ufs rw 0 0
12. Copy generated keys, for example to /mnt/myboot/boot/geli.keys/{gkey1,gkey2}
13. Write the following lines to /mnt/myboot/boot/loader.conf:
zfs_load="YES"
aesni_load="YES"
geom_eli_load="YES"
geli_label_yourlabel_keyfile0_load="YES"
geli_label_yourlabel_keyfile0_type="label/yourlabel:geli_keyfile0"
geli_label_yourlabel_keyfile0_name="/boot/geli.keys/gkey1"
geli_label_yourlabel_keyfile1_load="YES"
geli_label_yourlabel_keyfile1_type="label/yourlabel:geli_keyfile1"
geli_label_yourlabel_keyfile1_name="/boot/geli.keys/gkey2"
P.S. A long time ago I wrote an rc.d script, but I can't find it now... it created a memory disk and attached it to a geom-mirror with the labeled /boot partition. So it was possible to remove the USB drive after mirroring completed.
2) The main difference between a passphrase and a key-file is that the passphrase is entered interactively by the operator with a keyboard. When it is read from a file, there is no difference at all (you can write your passphrase to one of the keyfiles [gkeyX, for example] if you want). If you mean the -g option to geli init, then maybe you are right, but I don't know how to combine it with key-files. As far as I understand, the aim of the -g option is to encrypt root with the /boot partition on it, but that's another story. I haven't experimented with that, but I can't entrust my whole disk encryption to just a passphrase.
3) I'm using such devices to store the /boot partition for full chain-of-trust enforcement. Without this step your kernel can be compromised by malware. Backups should be secured as well.
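Added example (my own, not code from the thread or from FreeBSD) turning steps 1, 3 and 13 of the scheme above into shell functions: one creates a keyfile, one builds the geli init line with -b/-P/-K, and one emits the geli_<provider>_keyfileN loader.conf block for any number of keyfiles. The provider name (label/yourlabel) and keyfile paths are arguments; the 64-byte keyfile size is an assumption taken from the geli(8) examples.

```shell
#!/bin/sh
# Provider name as loader.conf wants it: '/' becomes '_' (label/yourlabel -> label_yourlabel).
provider_var() {
    printf '%s\n' "$1" | tr '/' '_'
}

# Step 1: one keyfile of 64 random bytes (assumed size), owner-readable only.
# head -c reads until it has 64 bytes, so a short read from /dev/random cannot truncate the key.
gen_key() {
    ( umask 077; head -c 64 /dev/random > "$1" ) && [ "$(wc -c < "$1")" -eq 64 ]
}

# Step 3: geli init line. -b marks the provider to be attached on boot, -P drops the
# passphrase so the keyfiles alone unlock the master key, one -K per keyfile.
gen_geli_init() {
    prov="$1"; shift
    cmd="geli init -b -P"
    for key in "$@"; do
        cmd="$cmd -K $key"
    done
    printf '%s /dev/%s\n' "$cmd" "$prov"
}

# Step 13: loader.conf block. Keyfile paths are what the loader sees on the USB
# stick's UFS /boot (e.g. /boot/geli.keys/gkey1), numbered keyfile0, keyfile1, ...
gen_loader_conf() {
    prov="$1"; shift
    var=$(provider_var "$prov")
    i=0
    printf 'zfs_load="YES"\naesni_load="YES"\ngeom_eli_load="YES"\n'
    for key in "$@"; do
        printf 'geli_%s_keyfile%d_load="YES"\n' "$var" "$i"
        printf 'geli_%s_keyfile%d_type="%s:geli_keyfile%d"\n' "$var" "$i" "$prov" "$i"
        printf 'geli_%s_keyfile%d_name="%s"\n' "$var" "$i" "$key"
        i=$((i + 1))
    done
}

# Usage sketch with constructed paths; nothing here touches a disk.
gen_geli_init label/yourlabel /root/gkey1 /root/gkey2
gen_loader_conf label/yourlabel /boot/geli.keys/gkey1 /boot/geli.keys/gkey2
```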