Unlock GELI on boot with USB stick

My system is encrypted with GELI and uses the AUTOZFS partition schema. I can successfully boot up without issues.

I would like to make a backup system that boots up with a USB key, and then, after it has booted, I will remove the USB key. The backup system is completely headless, but if needed, I could attach a monitor. I do not keep it on all the time and only turn it on when doing backups, and I don't want to mess with plugging in a keyboard and trying to guess when to enter the password, etc.

For me to be able to boot the system presently, I must first enter the GELI passphrase. Is it possible to configure it to look for a USB drive and use that key?
 
I have the same request.
I understood that it is possible; however, it would be helpful to expand on this in the documentation as well.

So far I understood that it is possible to store a passphrase and a key in separate slots (0 and 1); 0 should by default be the passphrase and 1 the empty one.


What I did not understand even reading the geli man page so far is:

  1. How to create the key from the given passphrase
  2. Which command I should use to inoculate the key
I am pretty sure that there are many other things I haven't understood about this topic but I don't have them on top of my mind now.

Thanks... 🙏
 
My system is encrypted with GELI and uses the AUTOZFS partition schema.
...
For me to be able to boot the system presently, I must first enter the GELI passphrase. Is it possible to configure it to look for a USB drive and use that key?
That's not possible. The loader (for BIOS or UEFI) can identify whether geli(8) GELIBOOT-flagged provider(s) are present and prompt for a passphrase, but the loader can't read a key file from a USB drive's file system.

To read the file, the file system in which the key file is stored must be mounted. To mount the file system, a kernel must be booted and the USB device driver and the file system driver loaded first.




The backup system is completely headless, but if needed, .... I do not keep it on all the time and only turn it on when doing backups
I had an idea regarding freezr's reservations about having an unencrypted system on disk:
It would be cool to directly unlock GELI remotely via SSH; unfortunately, it is not yet possible, and having two systems side by side looks inconvenient and risky to me.
If the system is not turned on all the time, one could use 34.10. Diskless Operation with PXE like so: set the server to boot via PXE, Wake-on-LAN the server, PXE bootstraps the OS from the client machine, attach the geli(8) provider, change the root filesystem. To keep the client machine tight, the whole PXE environment setup could also be in a jail or VM.

But this requires removing the GELIBOOT flag from the provider; there will be no passphrase prompted when the machine is powered on. This setup relies on a separate OS, if not from PXE then from a USB device, for example.



Another thought: Can LUKS-encrypted systems that are unlocked remotely with dropbear SSH boot via GRUB? Seemingly there is FreeBSD geli support with the "cryptoboot" command.

IXsystems PC-BSD had years ago apparently developed something on this topic.

https://grub-devel.gnu.narkive.com/Bwmk2H6z/patch-to-support-geli-passphrase-passthrough

Setting something like set kFreeBSD.kern.geom.eli.passphrase=<passphrase> in the GRUB boot environment.
 
So far I understood that is possible to store a passphrase and a key to a separate slot (0 and 1), 0 should be by default the passphrase and 1 the one empty.
That's not the case. When a geli provider is initialized, whatever method you choose, both slots store the user key(s); it is not the case that only one is filled while the other remains empty.

What I did not understand even reading the geli man page so far is:

  1. How to create the key from the given passphrase
  2. Which command I should use to inoculate the key
Code:
# Initialize the provider (the installer already did this for you):
geli init -l 256 -s 4096 <provider>
Enter passphrase:

The passphrase user key is stored as Master Key Copies in slot 0 and 1.

Code:
# Generate a 32 KiB random key file:
dd if=/dev/random of=gelikey bs=32k count=1

# Store it as a second user key in slot 1 (-n 1) from the key file (-K),
# with no passphrase component (-P). geli needs the existing key to unlock
# the Master Key unless the provider is already attached:
geli setkey -n 1 -P -K gelikey <provider>

A new user key (Master Key Copy) from a key file with no passphrase component is stored in slot 1,
overwriting the passphrase user key in that slot.
Now this provider can be unlocked with one or the other user key separately.
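The two steps from the post above (random key file, then geli setkey into slot 1), collected into a small script as an added example. This is not code from the thread or from FreeBSD; it assumes a FreeBSD host with geli(8), that slot 0 still holds the installer's passphrase key, and that the provider is the encrypted partition (ada0p4 in this thread), never the .eli device. The RUN_GELI_ADDKEY guard, the function names and the key file path are my own choices; the "keys" line of geli dump is a bitmask of populated slots, so 0x03 after the change means both slots are in use.

```shell
#!/bin/sh
# Added example (not from the thread): add a key-file user key to slot 1
# of an existing GELI provider, guarding against the mistakes discussed above.
set -eu

# Strip a trailing ".eli": setkey must be run against the encrypted provider
# (ada0p4), never against the decrypted ada0p4.eli device it creates.
geli_provider_name() {
    printf '%s\n' "${1%.eli}"
}

# Generate a 32 KiB random key file (32 x 1 KiB reads), unreadable to anyone
# but root, and print its size so the caller can verify it.
make_keyfile() {
    ( umask 077; dd if=/dev/random of="$1" bs=1k count=32 2>/dev/null )
    chmod 0400 "$1"
    wc -c < "$1" | tr -d ' '
}

# Refuse to proceed with a truncated, empty or missing key file.
keyfile_ok() {
    [ -f "$1" ] && [ "$(wc -c < "$1" | tr -d ' ')" -eq 32768 ]
}

# Store the key file as the user key in slot 1 (-n 1), with no passphrase
# component (-P).  Slot 0 keeps the passphrase key.  On a live system the
# provider is attached, so the Master Key is already in the kernel; on a
# detached provider geli prompts for the existing passphrase first.
add_keyfile_to_slot1() {
    provider=$(geli_provider_name "$1")
    keyfile=$2
    keyfile_ok "$keyfile" || { echo "bad key file: $keyfile" >&2; return 1; }
    geli setkey -n 1 -P -K "$keyfile" "$provider"
    # "keys: 0x03" in the metadata dump confirms both slots are populated.
    geli dump "$provider" | grep -i 'keys:'
}

main() {
    [ "$#" -eq 2 ] || { echo "usage: $0 <provider> <keyfile>" >&2; return 2; }
    make_keyfile "$2" >/dev/null
    add_keyfile_to_slot1 "$1" "$2"
}

# Guarded so the helpers can be sourced or tested without touching a disk.
# Run as: RUN_GELI_ADDKEY=1 sh addkey.sh ada0p4 /mnt/usbkey/gelikey
if [ "${RUN_GELI_ADDKEY:-0}" = 1 ]; then main "$@"; fi
```

Keep the key file off the encrypted disk itself (on the thumb drive, mode 0400) and keep a copy of the geli metadata backup as well; anyone holding the key file can unlock slot 1 without a passphrase, which is the whole point of this setup and also its risk.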
 
T-Daemon, I deeply apologize for my dumbness...

I can ignore this command: geli init -l 256 -s 4096 <provider> ; because it was created during the installation. Is it correct?

What I must do is to create the key with these commands:
Code:
dd  if=/dev/random  of=gelikey  bs=32k  count=1
geli setkey -n 1 -P -K gelikey <provider>

Now the word provider really confuses me... Anyway what is supposed to be my provider?

Code:
geom -t
Geom                                                 Class      Provider
ada0                                                 DISK       ada0
  ada0                                               DEV       
  ada0                                               PART       ada0p1
    ada0p1                                           DEV       
    ada0p1                                           LABEL      gpt/efiboot0
      gpt/efiboot0                                   DEV       
      msdosfs.gpt/efiboot0                           VFS       
  ada0                                               PART       ada0p2
    ada0p2                                           DEV       
    ada0p2                                           LABEL      gpt/gptboot0
      gpt/gptboot0                                   DEV       
  ada0                                               PART       ada0p3
    ada0p3                                           DEV       
    ada0p3.eli                                       ELI        ada0p3.eli
      ada0p3.eli                                     DEV       
      swap                                           SWAP      
  ada0                                               PART       ada0p4
    ada0p4                                           DEV       
    ada0p4.eli                                       ELI        ada0p4.eli
      ada0p4.eli                                     DEV       
      zfs::vdev                                      ZFS::VDEV

I guess it should be ada0p4.eli... so it would be: geli setkey -n 1 -P -K gelikey ada0p4.eli ; is this correct?

Last but not least, "now" that I have my key on a thumb drive, how can I use it to unlock the PC at boot without using the keyboard?

Thanks... 🙏
 
T-Daemon, I deeply apologize for my dumbness...
Don't be too hard on yourself. Manual pages are sometimes not easy, or even impossible, to understand for someone not familiar with the system and terminology. After years of using FreeBSD, I still have trouble understanding many manuals.

I can ignore this command: geli init -l 256 -s 4096 <provider> ; because it was created during the installation. Is it correct?
Yes, that's correct.

Now the word provider really confuses me... Anyway what is supposed to be my provider?
For simplicity, the term “provider” refers to the "container" that is to be encrypted (the accurate term is GEOM provider, see here for technical explanation).

I guess it should be ada0p4.eli... so it would be: geli setkey -n 1 -P -K gelikey ada0p4.eli ; is this correct?
No! That device with the .eli suffix is not the encrypted provider ("container"), ada0p4 is. The device with the .eli suffix is the decrypted provider and is only created when the encrypted provider is attached.

Last but not least, "now" that I have my key on a thumb drive how I can use it to unlock the PC at boot without using the keyboard?
If you mean unlocking the encrypted Root-on-ZFS, that's not possible, as I explained in post # 3, first paragraph.

An unencrypted system is needed to reboot -r (change the root file system).

This unencrypted system can be on a partition, disk, or USB stick on the same machine. It should also be possible to bootstrap a system via PXE if an unencrypted system on the same machine as the encrypted system is not wanted.
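What the re-root step above looks like in practice, as an added example that is not from the thread or from FreeBSD: a script for the small unencrypted FreeBSD system (USB stick or PXE image) that mounts the thumb drive holding the key file, attaches the GELI provider with it, imports the pool without mounting, and hands the root dataset to the kernel with reboot -r. The device names (da0s1 for the thumb drive, ada0p4 for the provider), the pool name zroot, the mount point and the RUN_REROOT guard are assumptions; the commands used are geli attach -p -k, zpool import -N, zpool get bootfs, kenv vfs.root.mountfrom and reboot -r.

```shell
#!/bin/sh
# Added example (not from the thread): on the unencrypted FreeBSD system,
# unlock the GELI provider with the key file from the thumb drive and
# re-root into the encrypted Root-on-ZFS with reboot -r.
set -eu

# Accept either the bare provider or the .eli device and return the bare one.
geli_provider_name() {
    printf '%s\n' "${1%.eli}"
}

# Turn a pool's bootfs property into a vfs.root.mountfrom value.
# zpool prints "-" when bootfs is unset; refuse that instead of re-rooting
# into nothing.  An already-prefixed "zfs:..." value is passed through.
mountfrom_for() {
    case "$1" in
        ""|-)  echo "pool has no bootfs set" >&2; return 1 ;;
        zfs:*) printf '%s\n' "$1" ;;
        *)     printf 'zfs:%s\n' "$1" ;;
    esac
}

# Assumed device and pool names; adjust to your own layout.
USBDEV=${USBDEV:-/dev/da0s1}              # msdosfs thumb drive holding the key
KEYDIR=${KEYDIR:-/mnt/usbkey}
KEYFILE=${KEYFILE:-$KEYDIR/gelikey}
PROVIDER=${PROVIDER:-ada0p4}              # the encrypted provider, not ada0p4.eli
POOL=${POOL:-zroot}

reroot_into_geli_zfs() {
    provider=$(geli_provider_name "$PROVIDER")
    mkdir -p "$KEYDIR"
    mount -t msdosfs "$USBDEV" "$KEYDIR"
    # -p: no passphrase, -k: key file.  Creates /dev/${provider}.eli.
    geli attach -p -k "$KEYFILE" "$provider"
    # The key is now in the kernel; release the stick so it can be pulled.
    umount "$KEYDIR"
    # Import without mounting datasets; the re-root mounts the root dataset.
    zpool import -N "$POOL"
    mountfrom=$(mountfrom_for "$(zpool get -H -o value bootfs "$POOL")")
    kenv vfs.root.mountfrom="$mountfrom"
    # Re-root: tear down this userland and mount the new root, no firmware reboot.
    reboot -r
}

# Guarded so the helpers can be sourced or tested on any machine.
# Run as: RUN_REROOT=1 sh reroot.sh
if [ "${RUN_REROOT:-0}" = 1 ]; then reroot_into_geli_zfs; fi
```

Because the provider has no GELIBOOT flag in this setup, nothing stops the machine from booting the unencrypted system on power-on; the encrypted pool only becomes readable once this script (and the key file on the stick) is present, so protect the stick as you would the passphrase.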
 