Re: geli keyfile arguments / gpt partitions
- In reply to: Georg Bege: "geli keyfile arguments / gpt partitions"
Date: Tue, 01 Feb 2022 20:04:48 UTC
On Tue, 1 Feb 2022 20:06:06 +0100 Georg Bege <georg@bege.email> wrote:

> Hello mailing list,
>
> I'm trying to realize a specific encrypted setup on my FreeBSD machine at home.
>
> For now I have a raidz2 pool, which did contain root; however, it doesn't boot any longer.
>
> I have a dedicated SATA disk with UEFI boot code and /boot data, so this works and I can boot up.
>
> What I wanted to do now is encrypt the devices of the pool,
> which should work in general because I can boot the kernel and thus the kernel should be able to decrypt the required disk devices.
>
> My issue is now that if I find anything on google etc., all examples want me to put the keyfile on /boot and then provide it as an argument like:
> geli_<device>_keyfile0_name="/boot/encrypted.key"
>
> This is something I don't want to do; instead I'd prefer to put the keyfile data on a single gpt partition of a USB stick of my choice.
> I can reach this device whenever I boot up... however, it seems I can not provide a /dev/... device just like this as an argument.
>
> I don't even know if the kernel is able to read raw data from a gpt partition... but well, why not? It should be possible?
>
> Has anyone a clue how to achieve this or which arguments I need to provide?

I have a geli-encrypted SSD in a USB3 enclosure and the key and passphrase are both on a USB stick. I use bash, so I wrote a bash function which mounts the stick and then cats the passphrase from the stick, which I then copy and paste using the mouse. In my case the SSD is always /dev/daX and the stick is always /dev/daY, which simplifies the function. The stick is mounted as /key.
So, basically the function does this:

1) check whether the user is root and bail out if that is not the case
2) mount /dev/daY /key
3) cat the passphrase from /key and copy/paste with the mouse
4) geli attach -k /key/your.key /dev/daX (geli prompts for the passphrase here)
5) mount /dev/daX.eli /your_mount_point
6) umount /key
7) clear

Once the SSD is mounted the screen is cleared and I can remove the stick. Shouldn't be difficult to do this for a fixed disk.

-- 
Gary Jennejohn
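The sequence described in the reply above, written out as a small POSIX sh script (it also runs under bash). This is an added example, not Gary Jennejohn's actual function; the device names (/dev/da1p1 for the stick, /dev/da0 for the encrypted disk), mount points (/key, /mnt/secure) and file names (your.key, passphrase) are assumptions set in the variables at the top. Beyond the seven steps it adds what a practitioner would want here: a device-name sanity check before anything is handed to mount or geli, mounting the stick read-only, unmounting the stick even when attach fails, and, when a passphrase file is present on the stick, passing it with geli's -j option so the passphrase is never displayed for copy/paste. Setting DRY_RUN=1 prints the commands instead of running them, which is how the behaviour can be checked without root or real devices.

```shell
#!/bin/sh
# Added example (not the original poster's script): attach a GELI provider
# whose keyfile lives on a removable USB stick, then mount it.
# All names below are assumptions; adjust them to your machine.
KEY_DEV=${KEY_DEV:-/dev/da1p1}      # GPT partition on the USB stick holding the key
KEY_FSTYPE=${KEY_FSTYPE:-ufs}       # filesystem on that partition
KEY_MNT=${KEY_MNT:-/key}            # where the stick is mounted while attaching
KEY_FILE=${KEY_FILE:-your.key}      # keyfile name on the stick
PASS_FILE=${PASS_FILE:-passphrase}  # optional passphrase file on the stick (read with -j)
ELI_DEV=${ELI_DEV:-/dev/da0}        # the geli-encrypted disk
DATA_MNT=${DATA_MNT:-/mnt/secure}   # mount point for the decrypted filesystem

# Run a command, or with DRY_RUN set just print it (one command per line).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: bail out unless root (skipped in dry-run so the preview works unprivileged).
require_root() {
    [ -n "${DRY_RUN:-}" ] || [ "$(id -u)" -eq 0 ]
}

# Defensive check before a name reaches mount/geli: accept only FreeBSD disk
# nodes (daN, adaN, nvdN, optionally with a pN partition suffix) or GPT labels
# under /dev/gpt/, and reject whitespace, shell metacharacters and "..".
is_disk_device() {
    case "$1" in
        *[!A-Za-z0-9/_-]*) return 1 ;;
        *..*) return 1 ;;
        /dev/da[0-9]*|/dev/ada[0-9]*|/dev/nvd[0-9]*|/dev/gpt/?*) return 0 ;;
        *) return 1 ;;
    esac
}

attach_from_stick() {
    require_root || { echo "attach_from_stick: must be run as root" >&2; return 1; }
    is_disk_device "$KEY_DEV" && is_disk_device "$ELI_DEV" || {
        echo "attach_from_stick: refusing unexpected device name" >&2; return 1; }
    run mkdir -p "$KEY_MNT" "$DATA_MNT" || return 1

    # Step 2: mount the stick, read-only since nothing on it is ever written.
    run mount -t "$KEY_FSTYPE" -o ro "$KEY_DEV" "$KEY_MNT" || return 1

    # Steps 3 and 4: if a passphrase file is on the stick, let geli read it
    # with -j (nothing is shown on screen); otherwise geli prompts for the
    # passphrase on the terminal, as in the original steps.
    rc=0
    if [ -r "$KEY_MNT/$PASS_FILE" ]; then
        run geli attach -k "$KEY_MNT/$KEY_FILE" -j "$KEY_MNT/$PASS_FILE" "$ELI_DEV" || rc=$?
    else
        run geli attach -k "$KEY_MNT/$KEY_FILE" "$ELI_DEV" || rc=$?
    fi

    # Step 6, done early: unmount the stick whether or not attach succeeded,
    # so the key material is not left reachable after a failed run.
    run umount "$KEY_MNT"
    [ "$rc" -eq 0 ] || return "$rc"

    # Step 5: mount the decrypted provider.
    run mount "${ELI_DEV}.eli" "$DATA_MNT" || return 1

    # Step 7: clear the screen in case the passphrase was typed or displayed.
    run clear
}

# Invoke as:  ./attach_from_stick.sh run      (or DRY_RUN=1 ./attach_from_stick.sh run)
if [ "${1:-}" = "run" ]; then
    attach_from_stick
fi
```

This runs after the system is up, which fits the USB-enclosure case in the reply; attaching the providers of a root pool during boot is handled by /etc/rc.d/geli through the rc.conf geli_* variables Georg mentioned, and this script does not touch that path. The ordering change (umount /key before mounting the .eli device) is deliberate: the key stick should be unreachable again as soon as geli no longer needs it, regardless of how the rest of the sequence goes.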