Other Mount an encrypted image disk at boot?

Hello

I created an encrypted image disk like this:

Bash:
truncate -s 1G /encrypted.img
mdconfig -at vnode -f /encrypted.img
dd if=/dev/random of=/root/encrypted.key bs=64 count=1
chmod 600 /root/encrypted.key
geli init -s 4096 -K /root/encrypted.key /dev/md0
geli attach -k /root/encrypted.key /dev/md0
newfs -j /dev/md0.eli

I mounted it manually like this:

Bash:
mdconfig -at vnode -f /encrypted.img
geli attach -k /root/encrypted.key /dev/md0
mount -o noatime /dev/md0.eli /encrypted

It works well!

So, I want to persist:

Code:
sysrc -f /boot/loader.conf geom_eli_load=YES
sysrc mdconfig_md0="-t vnode -f /encrypted.img"
sysrc geli_devices=md0
sysrc geli_md0_flags="-k /root/encrypted.key"
echo "/dev/md0.eli /encrypted ufs rw,noatime 0 0" >> /etc/fstab

At boot, GELI never asks me for the passphrase of my encrypted image disk, and the boot process stops when trying to mount /encrypted.

So I commented out my entry in the /etc/fstab file, then rebooted. Again GELI doesn't ask me for the passphrase, and when I can log in, I see my md0 is attached to /encrypted.img.

I think GELI doesn't ask me for the passphrase because it tries to attach /dev/md0 before mdconfig. Is that right?

How can I mount my encrypted image disk at boot? Does anyone have an idea? Is it possible?

Regards
 
I think GELI doesn't ask me for the passphrase because it tries to attach /dev/md0 before mdconfig. Is that right?
Right, I guess. As far as I know rc.conf doesn't respect a command execution order; geli attach doesn't get an md0 device to attach to.

How can I mount my encrypted image disk at boot? Does anyone have an idea? Is it possible?
Yes. Create an rc(8) script, e.g.:

/usr/local/etc/rc.d/mdgeli
Code:
#!/bin/sh
#
# PROVIDE: mdgeli
# REQUIRE: FILESYSTEMS
# (REQUIRE line added: run after the local filesystems holding the image file are mounted)

. /etc/rc.subr

name="mdgeli"
desc="Create md100 geli md100"
rcvar=mdgeli_enable
command="/opt/bin/mdgeli"

load_rc_config $name
run_rc_command "$1"

chmod 555 /usr/local/etc/rc.d/mdgeli

/opt/bin/mdgeli (I put the file in /opt to not mix with system or /usr/local/bin/ executables.)
Code:
#!/bin/sh
#
# Executed by /usr/local/etc/rc.d/mdgeli

# Attach the image file as md100 (vnode-backed memory disk).
mdconfig -u 100 /encrypted.img

# You can omit the "-at vnode -f" options: "mdconfig file" is an abbreviation of those options, see mdconfig(8)

# Unlock the GELI provider with the key file; the passphrase is asked on the console.
geli attach -k /root/encrypted.key /dev/md100
mount /dev/md100.eli /encrypted

chmod 555 /opt/bin/mdgeli

/etc/rc.conf
Code:
mdgeli_enable="YES"

Reboot. During boot, the boot process will be interrupted and the passphrase asked.

PS: My knowledge about scripting is limited; it might not be elegantly written, but it works. It is also my first rc(8) script.
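A fuller version of the /opt/bin/mdgeli worker, as an added example (not the script posted above): it takes start or stop, refuses to run if the key file is not mode 0600, undoes the earlier steps when a later one fails, and can print the command sequence instead of executing it. The MDGELI_* variable names and the dry-run switch are assumptions of this example; the defaults are the paths used in the thread.

```shell
#!/bin/sh
# Reworked /opt/bin/mdgeli (added example, not the thread's script).
# Takes "start" or "stop" so the rc.d wrapper can also tear the device down
# at shutdown. MDGELI_* are assumed names; defaults match the thread's paths.
MDGELI_UNIT="${MDGELI_UNIT:-100}"
MDGELI_IMAGE="${MDGELI_IMAGE:-/encrypted.img}"
MDGELI_KEY="${MDGELI_KEY:-/root/encrypted.key}"
MDGELI_MNT="${MDGELI_MNT:-/encrypted}"
MDGELI_DRYRUN="${MDGELI_DRYRUN:-0}"   # 1 = print each step instead of running it

run() {
    # Execute one step, or just print it when dry-running (no root needed).
    if [ "$MDGELI_DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

key_is_private() {
    # The key file must be a regular file with mode exactly 0600: whoever
    # can read it holds half of what unlocks the image.
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 0600 -print)" ]
}

mdgeli_start() {
    dev="/dev/md${MDGELI_UNIT}"
    [ -f "$MDGELI_IMAGE" ] || { echo "mdgeli: no image $MDGELI_IMAGE" >&2; return 1; }
    key_is_private "$MDGELI_KEY" || { echo "mdgeli: $MDGELI_KEY must be mode 0600" >&2; return 1; }
    # Already attached (service restarted): do not run the steps twice.
    [ -e "${dev}.eli" ] && return 0
    # Order matters: md device first, then GELI (asks the passphrase), then mount.
    run mdconfig -a -t vnode -f "$MDGELI_IMAGE" -u "$MDGELI_UNIT" || return 1
    run geli attach -k "$MDGELI_KEY" "$dev" || { run mdconfig -d -u "$MDGELI_UNIT"; return 1; }
    run mount -o noatime "${dev}.eli" "$MDGELI_MNT" \
        || { run geli detach "$dev"; run mdconfig -d -u "$MDGELI_UNIT"; return 1; }
}

mdgeli_stop() {
    # Reverse order: unmount, drop the GELI key material, then free the md.
    dev="/dev/md${MDGELI_UNIT}"
    run umount "$MDGELI_MNT"
    run geli detach "$dev"
    run mdconfig -d -u "$MDGELI_UNIT"
}

case "$1" in
    start) mdgeli_start ;;
    stop)  mdgeli_stop ;;
esac
```

In the rc.d wrapper, use start_cmd="/opt/bin/mdgeli start" and stop_cmd="/opt/bin/mdgeli stop" in place of command=, and add "# KEYWORD: shutdown" next to the PROVIDE line so the stop sequence runs at shutdown.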
 