I posted a different thread a couple days ago in the Installation subforum because I was looking for assistance in coming up with a way to create a second encrypted ZFS pool during installation which would be unlocked automatically without having to enter ten passwords in a row. I didn't get any responses but fortunately I believe I've worked out a solution - instead of that thread I thought I would open a fresh one here because now I'm just wanting input on whether what I'm doing is actually a good idea or not (it seems to be but I want to be sure). I've mostly figured this out through trial and error rather than just following someone more knowledgeable's instructions, so I could just be completely off base with all this.
What I've done is create a keyfile:
# dd if=/dev/urandom of=/root/testkey bs=1M count=10
Then formatted each disk utilizing the key:
# geli init -l 256 -J /root/testkey xyz1 xyz2 xyz3 xyz4
Then add to rc.conf:
geli_devices="/dev/xyz1 /dev/xyz2 /dev/xyz3 /dev/xyz4"
geli_xyz1_flags="-j /root/testkey"
geli_xyz2_flags="-j /root/testkey"
... (and so forth for each xyz device)
Then the second zfs pool is created on the devices:
# geli attach -j /root/testkey xyz1 xyz2 xyz3 xyz4
# zpool create secondary raidz2 xyz1.eli xyz2.eli xyz3.eli xyz4.eli
A normal strong password is used during boot to unlock the OS pool, and then the key is available on that pool to unlock the second pool with no additional password required.
For the real server (this is all virtualized testing before applying it to the real server), I'll use a separate keyfile for each device, and possibly a much larger file (I see no reason not to use a 100MB or even 1GB file instead of the 10MB that I am testing with).
I'm also not sure if I should be using -K instead of -J, or if it matters.
# geli init -l 256 -P -K /root/testkey xyz1 xyz2
seems to accomplish much the same thing, but I went with J since it doesn't require the -P/-p options (it also takes longer to initialize which *feels* safer even though that bit is probably only in my mind). Reading the manpage I wasn't totally clear on the difference between these two approaches, if any. (edit: looking at it more closely I think I understand the difference now. I didn't understand that the -J option was literally just the same as the passphrase you enter when prompted normally, so I've now adapted to combine the two options instead of picking one or the other).

It all seems to work in the virtual environment. The server boots up, the xyz hard drives all unlock automatically, my secondary pool imports, and I'm where I want to be. Am I overlooking any security holes here? Is my 10M keyfile adequate without a passphrase? Am I just completely missing something here and this whole thing is wrong?
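The post's setup generalised to the per-device keyfiles the poster plans for the real server, as an added example that is not part of the original post. It is plain POSIX sh: it creates one random keyfile per provider with nothing group- or world-readable, checks the permissions, and prints the rc.conf stanza that attaches each provider at boot. The directory `/root/geli-keys`, the `KEYDIR`/`KEYSIZE_MB` variables and the function names are this example's own assumptions; `geli_devices` and `geli_<provider>_flags` are the real rc.conf variables, and the provider names `xyz1 ...` are the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: one keyfile per geli provider,
# locked-down permissions, and the matching rc.conf stanza.
# Assumed names: KEYDIR, KEYSIZE_MB and the functions below are this example's
# own; the rc.conf variables (geli_devices, geli_<prov>_flags) are FreeBSD's.
set -eu

KEYDIR=${KEYDIR:-/root/geli-keys}   # lives on the passphrase-protected OS pool
KEYSIZE_MB=${KEYSIZE_MB:-10}        # same size the post tests with

# make_keyfile DIR NAME SIZE_MB: write DIR/NAME.key from /dev/urandom, mode 0400
make_keyfile() {
    dir=$1; name=$2; mb=$3
    umask 077                         # never group/world readable, even briefly
    mkdir -p "$dir"
    chmod 0700 "$dir"
    dd if=/dev/urandom of="$dir/$name.key" bs=1M count="$mb" 2>/dev/null
    chmod 0400 "$dir/$name.key"
}

# keyfile_size_bytes FILE: print the file size (wc -c is portable, stat is not)
keyfile_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# keyfile_is_private FILE: succeed only if no group/other permission bits are set
keyfile_is_private() {
    perms=$(ls -l "$1" | cut -c2-10)  # e.g. "r--------"
    case "$perms" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# rc_conf_stanza DIR NAME...: print the rc.conf lines that attach each provider
# at boot with its own passfile (-j matches an 'init -J'; use -k for 'init -K')
rc_conf_stanza() {
    dir=$1; shift
    devs=""
    for p in "$@"; do
        devs="${devs:+$devs }/dev/$p"
    done
    printf 'geli_devices="%s"\n' "$devs"
    for p in "$@"; do
        printf 'geli_%s_flags="-j %s/%s.key"\n' "$p" "$dir" "$p"
    done
}

# Usage: sh geli-keys.sh xyz1 xyz2 xyz3 xyz4
# then 'geli init -l 256 -J /root/geli-keys/xyz1.key xyz1' (and so on, one
# provider per keyfile) and paste the printed stanza into /etc/rc.conf.
if [ $# -gt 0 ]; then
    for p in "$@"; do
        make_keyfile "$KEYDIR" "$p" "$KEYSIZE_MB"
    done
    rc_conf_stanza "$KEYDIR" "$@"
fi
```

The permission check is the part worth keeping around: the unattended attach is only as strong as the passphrase on the OS pool that holds the keys, so the keys must not be readable by anything other than root once that pool is open. A keyfile of 10 MB is far more entropy than geli can use; what matters is that it was drawn from the kernel random source and is never copied somewhere unencrypted.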