Key file based geli encryption for root on zfs

Hello,

The FreeBSD 10.3 installer allows encryption for Root on ZFS using a password. I would like to use keyfile instead of a password. Is it possible to do it with the installer?

I can create an encrypted zfs pool manually using a shell. But I was unable to use this in the installer to do its business.

Thanks
 
Unfortunately, I couldn't get key based encryption with custom partitioning to work. Instead, I used the 'Guided ZFS' menu in the installer without encryption. Is it possible now to backup the zroot pool, create a new encrypted pool and restore the previous pool?
 
I gave this another go. The plan was to use 'Guided ZFS' with encryption, and change the key after the install (to get rid of the passphrase). After the installation was complete, I changed the key using

Code:
#dd if=/dev/random of=/boot/keyfile bs=256 count=1
1+0 records in
1+0 records out
#geli setkey -v -k /boot/encryption.key -P -K /boot/keyfile /dev/da0p4
Note, that the master key encrypted with old key and/or passphrase may still exists in a metadata backup file
Done.
#geli setkey -v -k /boot/encryption.key -P -K /boot/keyfile /dev/da1p4
Note, that the master key encrypted with old key and/or passphrase may still exists in a metadata backup file
Done.


and then modified the loader.conf to reflect the new key and disabled the passphrase prompt

Code:
#cat /boot/loader.conf
geli_da0p4_keyfile0_name="/boot/keyfile"
geli_da1p4_keyfile0_name="/boot/keyfile"
geom_eli_passphrase_prompt="NO"

Unfortunately I still get a password prompt and the original password doesn't even work.



What am I doing wrong?
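As an added check that is not part of this thread: a small POSIX sh script that reads a loader.conf and reports every geli keyfile entry lacking the matching loader(8) `_load` and `_type` directives, run against two constructed sample files (one mirroring the three lines shown in the post, one complete). The provider names and the keyfile path come from the post; the `geli_<prov>_keyfile0_type` value is the form documented in geli(8) and written by the 10.x installer.

```shell
#!/bin/sh
# Added example, not from the thread. loader(8) only reads a file into memory
# when all three directives are present for it:
#   geli_<prov>_keyfile0_load="YES"
#   geli_<prov>_keyfile0_type="<prov>:geli_keyfile0"
#   geli_<prov>_keyfile0_name="/path/to/keyfile"
# A lone _name line is ignored, and geom_eli_load="YES" is needed for the module.

# Report incomplete keyfile entries in the given loader.conf; return 1 if any.
check_geli_loader_conf() {
    conf="$1"
    rc=0
    for prov in $(sed -n 's/^geli_\([a-z0-9]*\)_keyfile0_name=.*/\1/p' "$conf" | sort -u); do
        missing=""
        grep -q "^geli_${prov}_keyfile0_load=\"YES\"" "$conf" || missing="$missing _load"
        grep -q "^geli_${prov}_keyfile0_type=\"${prov}:geli_keyfile0\"" "$conf" || missing="$missing _type"
        if [ -n "$missing" ]; then
            echo "$prov: missing$missing"
            rc=1
        fi
    done
    grep -q '^geom_eli_load="YES"' "$conf" || { echo 'geom_eli_load="YES" missing'; rc=1; }
    return $rc
}

# Constructed samples: BAD_CONF mirrors the three lines shown in the post,
# GOOD_CONF carries the full set of directives for the same two providers.
tmpdir=$(mktemp -d)
BAD_CONF="$tmpdir/loader.conf.post"
GOOD_CONF="$tmpdir/loader.conf.full"
cat >"$BAD_CONF" <<'EOF'
geli_da0p4_keyfile0_name="/boot/keyfile"
geli_da1p4_keyfile0_name="/boot/keyfile"
geom_eli_passphrase_prompt="NO"
EOF
cat >"$GOOD_CONF" <<'EOF'
zfs_load="YES"
geom_eli_load="YES"
geom_eli_passphrase_prompt="NO"
geli_da0p4_keyfile0_load="YES"
geli_da0p4_keyfile0_type="da0p4:geli_keyfile0"
geli_da0p4_keyfile0_name="/boot/keyfile"
geli_da1p4_keyfile0_load="YES"
geli_da1p4_keyfile0_type="da1p4:geli_keyfile0"
geli_da1p4_keyfile0_name="/boot/keyfile"
EOF
echo "== as posted"; check_geli_loader_conf "$BAD_CONF" || echo "-> incomplete"
echo "== complete";  check_geli_loader_conf "$GOOD_CONF" && echo "-> ok"
```

On an installer-built system /boot sits on the unencrypted boot pool, so a keyfile stored there is readable by anyone holding the disk; the passphrase was the only factor that did not live on the disk itself.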
 