Solved Open extra Geli disks & ZFS encrypted disks during boot

So I would like to be able to open and mount two encrypted "disks" during boot before the NFS server starts.
Can I use /etc/rc.local and /etc/rc.shutdown to open and close those disks?

Also, one disk is a GELI-encrypted external drive and the other is a two-disk striped pool with ZFS encryption.
The ZFS one is easy, but regarding the GELI one: is there some kind of partition UUID that I could use in an sh script to open and close the GELI encryption?
 
Besides custom scripts, FreeBSD already has system files permitting attaching and mounting geli(8) providers during boot, fstab(5) for example. Assuming the external drive partition is GPT-labeled and initialized with geli(8) as "gpt/externgeli":

/etc/fstab
Code:
/dev/gpt/externgeli.eli       /media/externgeli   ufs     rw,late,failok      1       1

Partition UUIDs can be used, but are unwieldy:
Rich (BB code):
 % glabel list
...
Geom name: da1p1
Providers:
1. Name: gptid/6c865bf1-def0-11ef-a8d9-0800274cfdbf
...


Importing ZFS pools and mounting natively encrypted datasets also have a system file: /etc/rc.d/zfskeys, but apparently that script is not functional anymore (tested on 14.1 and 14.2):
Code:
 # sysrc zfskeys_enable=YES
zfskeys_enable: NO -> YES

 # service zfskeys start
No key loaded for tank/enc.
Key file prompt not found, empty or unreadable. Skipping tank/enc..

 # zfs get all tank/enc | grep key
tank/enc  keylocation           prompt                 local
tank/enc  keyformat             passphrase             -
tank/enc  keystatus             unavailable            -

 # zfs mount -l tank/enc
Enter passphrase for 'tank/enc':

 # zfs get keystatus tank/enc
NAME      PROPERTY   VALUE        SOURCE
tank/enc  keystatus  available    -

/etc/rc.shutdown to open and close those disks
FreeBSD system files automatically take care of detaching geli(8) providers (and unmounting their filesystems) and natively encrypted ZFS datasets; there is no need to create custom script entries.
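An added example (not code from the thread, nor FreeBSD's own rc scripts) for the partition-UUID question: a small sh script that maps a GPT partition UUID to its partition device by parsing the rawuuid field of gpart list output, then attaches or detaches the GELI provider on that device. It does not depend on /dev/gptid/ entries, which only exist while kern.geom.label.gptid.enable is 1. The UUID, device names, key file path and the sample gpart listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeBSD): find the partition
# that carries a given GPT partition UUID by parsing `gpart list`, then attach
# or detach the GELI provider on it. Works whether or not /dev/gptid/ labels
# are enabled. UUID, device names, paths and the sample listing below are
# constructed for illustration.

set -eu

# Constructed, abbreviated `gpart list` output for one external disk.
SAMPLE_GPART_LIST='Geom name: da1
scheme: GPT
Providers:
1. Name: da1p1
   Mediasize: 1000204853248 (932G)
   efimedia: HD(1,GPT,6c865bf1-def0-11ef-a8d9-0800274cfdbf,0x28,0x7470b8e8)
   rawuuid: 6c865bf1-def0-11ef-a8d9-0800274cfdbf
   label: externgeli
   type: freebsd-ufs
Consumers:
1. Name: da1
   Mediasize: 1000204886016 (932G)
'

# partition_for_uuid LISTING UUID
# Prints the provider name (e.g. da1p1) whose rawuuid equals UUID, or nothing.
partition_for_uuid() {
	printf '%s\n' "$1" | awk -v want="$2" '
		$2 == "Name:"                   { prov = $3 }        # "1. Name: da1p1"
		$1 == "rawuuid:" && $2 == want  { print prov; exit }
	'
}

# geli_attach_uuid UUID [geli attach flags...]
# Attaches /dev/<part> as /dev/<part>.eli. With no flags geli(8) prompts for
# the passphrase on the console; pass e.g. "-k /root/extern.key" for a key file.
geli_attach_uuid() {
	uuid=$1; shift
	part=$(partition_for_uuid "$(gpart list)" "$uuid")
	[ -n "$part" ] || { echo "no partition with rawuuid $uuid" >&2; return 1; }
	if [ -e "/dev/$part.eli" ]; then
		echo "$part.eli already attached" >&2
		return 0
	fi
	geli attach "$@" "/dev/$part"
}

# geli_detach_uuid UUID
# For a UFS filesystem unmount it first. For a ZFS pool living inside the
# provider, let rc(8) handle shutdown and do NOT export the pool, otherwise it
# is not re-imported automatically at the next boot.
geli_detach_uuid() {
	part=$(partition_for_uuid "$(gpart list)" "$1")
	[ -n "$part" ] && [ -e "/dev/$part.eli" ] || { echo "$1: not attached" >&2; return 1; }
	geli detach "/dev/$part.eli"
}

# Usage: geli-uuid.sh attach <uuid> [geli attach flags...] | detach <uuid>
case "${1:-}" in
attach) shift; geli_attach_uuid "$@" ;;
detach) geli_detach_uuid "${2:?uuid required}" ;;
esac
```

For boot-time use the supported path is still the one this post recommends: a .eli entry in /etc/fstab or geli_devices in /etc/rc.conf. rc.d/geli provides "disks", which rc.d/zpool requires, so providers attached that way are in place before pools are imported; /etc/rc.local runs much later in the boot, after the pool import has already happened.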
 
Besides custom scripts, FreeBSD already has system files permitting attaching and mounting geli(8) providers during boot, fstab(5) for example. Assuming the external drive partition is GPT-labeled and initialized with geli(8) as "gpt/externgeli":

/etc/fstab
/dev/gpt/externgeli.eli /media/externgeli ufs rw,late,failok 1 1
1- Does this make a prompt during boot so I can open the disk?
2- Inside the GELI there is a zpool, does the fstab import the zpool as well?

Importing ZFS pools and mounting natively encrypted datasets also have a system file: /etc/rc.d/zfskeys, but apparently that script is not functional anymore (tested on 14.1 and 14.2):
Is there any alternative?

FreeBSD system files automatically take care of detaching geli(8) providers (and unmounting their filesystems) and natively encrypted ZFS datasets; there is no need to create custom script entries.
IDK about that; every time I shut down the notebook with external imported zpools that were inside a GELI, it complains about the lack of it during the next boot.

EDIT:
More context:
Code:
beastie@BattleStar-Hydra --> ~
Ψ lsblk
DEVICE         MAJ:MIN SIZE TYPE                                    LABEL MOUNT
ada0             0:118 256G GPT                                         - -
  ada0p1         0:122 260M efi                              gpt/efiboot0 /boot/efi
  <FREE>         -:-   1.0M -                                           - -
  ada0p2         0:124  35G freebsd-swap                 gpt/freebsd-swap SWAP
  ada0p2.eli     0:151  35G freebsd-swap                                - SWAP
  ada0p3         0:126 221G freebsd-zfs                   gpt/freebsd-zfs <ZFS>
  ada0p3.eli     0:132 221G zfs                                         - -
  <FREE>         -:-   660K -                                           - -
ada1             0:116 466G zfs                                         - -
ada2             0:120 466G zfs                                         - -
da0              0:149 932G MBR                                         - -
  <FREE>         -:-   512B -                                           - -
  da0s1          0:150 932G freebsd                           gpt/freebsd -
  da0s1.eli      1:219 932G zfs                                         - -
beastie@BattleStar-Hydra --> ~
Ψ zpool list -v
NAME           SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
BLACKUP        928G   449G   479G        -         -     1%    48%  1.00x    ONLINE  -
  da0s1.eli    932G   449G   479G        -         -     1%  48.4%      -    ONLINE
tank0          928G  54.8G   873G        -         -     1%     5%  1.00x    ONLINE  -
  ada1         466G  27.9G   436G        -         -     1%  6.01%      -    ONLINE
  ada2         466G  26.9G   437G        -         -     1%  5.79%      -    ONLINE
zroot          220G  97.2G   123G        -         -     1%    44%  1.00x    ONLINE  -
  ada0p3.eli   221G  97.2G   123G        -         -     1%  44.2%      -    ONLINE
beastie@BattleStar-Hydra --> ~
Ψ mount
zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
devfs on /dev (devfs)
/dev/gpt/efiboot0 on /boot/efi (msdosfs, local)
zroot/tmp on /tmp (zfs, local, noatime, nosuid, nfsv4acls)
zroot on /zroot (zfs, local, noatime, nfsv4acls)
zroot/home on /home (zfs, local, noatime, nfsv4acls)
zroot/var/log on /var/log (zfs, local, noatime, noexec, nosuid, nfsv4acls)
zroot/usr/ports on /usr/ports (zfs, local, noatime, nosuid, nfsv4acls)
zroot/usr/src on /usr/src (zfs, local, noatime, nfsv4acls)
zroot/var/audit on /var/audit (zfs, local, noatime, noexec, nosuid, nfsv4acls)
zroot/var/crash on /var/crash (zfs, local, noatime, noexec, nosuid, nfsv4acls)
zroot/var/mail on /var/mail (zfs, local, nfsv4acls)
zroot/home/beastie on /home/beastie (zfs, local, noatime, nfsv4acls)
zroot/var/tmp on /var/tmp (zfs, local, noatime, nosuid, nfsv4acls)
tank0 on /tank0 (zfs, local, nfsv4acls)
linprocfs on /compat/linux/proc (linprocfs, local)
linsysfs on /compat/linux/sys (linsysfs, local)
devfs on /compat/linux/dev (devfs)
fdescfs on /compat/linux/dev/fd (fdescfs)
tmpfs on /compat/linux/dev/shm (tmpfs, local)
BLACKUP/blackup on /media/Backup (zfs, NFS exported, local, nfsv4acls)
BLACKUP on /BLACKUP (zfs, local, nfsv4acls)
tank0/Share on /media/Share (zfs, NFS exported, local, noatime, nfsv4acls)

So ada1 and ada2 are a striped zpool, and da0s1.eli is a zpool inside a GELI. ada1 and ada2 are opened with a ZFS key file; da0s1 is opened with a passphrase.
 
1- Does this make a prompt during boot so I can open the disk?
Yes, the passphrase will be prompted during boot.

2- Inside the GELI there is a zpool, does the fstab import the zpool as well?
In this case, don't use /etc/fstab; use /etc/rc.conf to attach the geli(8) provider (taking the example GPT partition label "gpt/externgeli" from post # 2).
Code:
geli_devices="gpt/externgeli"
This will prompt for the geli(8) passphrase during boot. The ZFS pool is imported automatically. Make sure not to export the pool before the host machine is shut down/rebooted, otherwise the pool won't be imported automatically the next time the machine is turned on.

geli_devices does not mind if the external drive is not connected; the start process is not delayed in that case.

See /etc/default/rc.conf for other geli(8) use cases.



Importing ZFS pools and mounting native encrypted datasets have also a system file: /etc/rc.d/zfskeys, but apparently that script is not functional anymore (tested on 14.1 and 14.2):

Is there any alternative?
A while ago I wrote an rc(8) script, not for general use as zfskeys is, but for specific use cases (the work of a layman; I'm not exactly a shell script coder).

See if it works for you. Drop the script under /usr/local/etc/rc.d to separate it from system rc scripts. chmod 555 the script.

Slightly improved compared to the original, adapt to your needs:
sh:
#!/bin/sh
#
# PROVIDE:      zfsenc
# REQUIRE:      zpool
# BEFORE:       zfs zvol

. /etc/rc.subr

name="zfsenc"
desc="Mount automatically encrypted data sets"
rcvar="zfsenc_enable"
start_cmd="zfsenc_start"
stop_cmd="zfsenc_stop"

# Defaults; override in /etc/rc.conf (zfsenc_dataset="...", zfsenc_keyfile="...").
: ${zfsenc_enable:="NO"}
: ${zfsenc_dataset:="pool/encrypted"}
: ${zfsenc_keyfile:="/root/keyfile"}

zfsenc_start()
{
        # -L overrides keylocation=prompt with the key file, so no console
        # prompt is needed. Skip load-key if the key is already available,
        # since loading an already loaded key fails.
        if [ "$(zfs get -H -o value keystatus "${zfsenc_dataset}")" != "available" ]; then
                zfs load-key -L "file://${zfsenc_keyfile}" "${zfsenc_dataset}" || return 1
        fi
        zfs mount "${zfsenc_dataset}"
}

zfsenc_stop()
{
        # -u unloads the key after unmounting.
        zfs umount -u "${zfsenc_dataset}"
}

load_rc_config $name
run_rc_command "$1"


IDK about that; every time I shut down the notebook with external imported zpools that were inside a GELI, it complains about the lack of it during the next boot.
Under which circumstances? Do you export the pool before shutting down the machine? If that's the case, don't.
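An added example (not code from the thread or from FreeBSD) that generalizes the zfsenc script above from one hard-coded dataset to every encryption root on the system. It reads the same properties the thread inspected (keystatus, keylocation), loads file:// keys directly and, for roots whose keylocation is prompt (the tank/enc case, where zfskeys reported "Key file prompt not found" and skipped the dataset), substitutes a configured key file via -L exactly as zfsenc does. Dataset names, key file paths and the sample listing are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeBSD): load keys for every
# encryption root that still needs one, from the output of
#   zfs list -H -o name,encryptionroot,keystatus,keylocation
# Dataset names, key file paths and the sample listing are constructed.

set -eu

# Key files for roots whose keylocation is "prompt" (assumed paths). Without an
# entry here such a root can only be unlocked interactively (zfs mount -l).
keyfile_for() {
	case "$1" in
	tank/enc) echo /root/keyfile ;;
	*)        echo "" ;;
	esac
}

# Constructed listing: tab-separated, one dataset per line, as `zfs list -H`
# prints it. tank/enc/child inherits tank/enc's key and so is not a root.
SAMPLE_ZFS_LIST=$(printf '%s\t%s\t%s\t%s\n' \
	tank           -          -           none \
	tank/enc       tank/enc   unavailable prompt \
	tank/enc/child tank/enc   unavailable none \
	tank/files     tank/files unavailable file:///etc/zfs/keys/tank_files \
	tank/open      tank/open  available   file:///etc/zfs/keys/tank_open)

# plan_key_loads LISTING
# Prints one "zfs load-key ..." command per encryption root whose key is not
# loaded. Roots with keylocation=prompt and no key file are reported on stderr
# and skipped, which is what zfskeys did with tank/enc.
plan_key_loads() {
	tab=$(printf '\t')
	printf '%s\n' "$1" | while IFS="$tab" read -r name root status loc; do
		[ "$name" = "$root" ] || continue          # encryption roots only
		[ "$status" = "unavailable" ] || continue  # key already loaded
		case "$loc" in
		file://*) echo "zfs load-key $name" ;;
		prompt)
			kf=$(keyfile_for "$name")
			if [ -n "$kf" ]; then
				echo "zfs load-key -L file://$kf $name"
			else
				echo "skip $name: keylocation=prompt and no key file" >&2
			fi ;;
		*) echo "skip $name: unsupported keylocation $loc" >&2 ;;
		esac
	done
}

# apply_key_loads: run the plan against the live system, then mount the
# datasets whose keys are now available.
apply_key_loads() {
	plan_key_loads "$(zfs list -H -o name,encryptionroot,keystatus,keylocation)" |
	while read -r cmd; do
		$cmd
	done
	zfs mount -a
}

# Usage: zfs-loadkeys.sh plan | apply
case "${1:-}" in
plan)  plan_key_loads "$(zfs list -H -o name,encryptionroot,keystatus,keylocation)" ;;
apply) apply_key_loads ;;
esac
```

Run it with plan first to see the commands without executing anything; apply needs root. Key files are equivalent to the passphrase, so keep them readable by root only. Note that -L is a one-time override and does not change the dataset's stored keylocation; zfs mount -l on tank/enc will still prompt if you unlock by hand.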
 
Yes, the passphrase will be prompted during boot.

In this case, don't use /etc/fstab; use /etc/rc.conf to attach the geli(8) provider (taking the example GPT partition label "gpt/externgeli" from post # 2).
geli_devices="gpt/externgeli"
This will prompt for the geli(8) passphrase during boot. The ZFS pool is imported automatically. Make sure not to export the pool before the host machine is shut down/rebooted, otherwise the pool won't be imported automatically the next time the machine is turned on.

geli_devices does not mind if the external drive is not connected; the start process is not delayed in that case.

See /etc/default/rc.conf for other geli(8) use cases.
Worked perfectly, thanks.
 