Re: geli keyfile arguments / gpt partitions
- In reply to: Georg Bege : "geli keyfile arguments / gpt partitions"
Date: Mon, 14 Feb 2022 23:29:55 UTC
Georg Bege wrote this message on Tue, Feb 01, 2022 at 20:06 +0100:
> Hello mailing list,
>
> I'm trying to realize a specific encrypted setup on my FreeBSD machine at
> home.
>
> For now I have a raidz2 pool, which did contain root; however, it doesn't
> boot any longer.
>
> I have a dedicated SATA disk with UEFI boot code and /boot data, so this
> works and I can boot up.
>
> What I want to do now is encrypt the devices of the pool,
> which should work in general because I can boot the kernel, and thus the
> kernel should be able to decrypt the required disk devices.
>
> My issue is now that if I find anything on Google etc., all examples want
> me to put the keyfile on /boot and then provide it as an argument like:
> geli_<device>_keyfile0_name="/boot/encrypted.key"
>
> This is something I don't want to do; instead I'd prefer to put the
> keyfile data on a single GPT partition of a USB stick of my choice.
>
> I can reach this device whenever I boot up... however, it seems I can not
> provide a /dev/... device just like this as an argument.
>
> I don't even know if the kernel is able to read raw data from a GPT
> partition... but well, why not? It should be possible?
>
> Has anyone a clue how to achieve this or which arguments I need to provide?

I wrote a custom rc.d script to handle this.  The core is:

    cd /<keydir> && for i in *.key; do
        geli attach -p -k "$i" "label/${i%.key}"
        geli attach -p -k "$i" "gpt/${i%.key}"
    done

I now realize I could do an if [ -c <dev> ] before each so I don't get the
error message, but I wrote this a LONG time ago, and it wasn't a big deal
to [not] see the error messages on boot...

And before the above, I have code that mounts the device w/ the keys on it.

The -p is necessary in addition to the -k:

     -k keyfile
             Specifies a file which contains the keyfile component of the
             User Key (or part of it).  For more information see the
             description of the -K option for the init subcommand.

     -p      Do not use a passphrase as a component of the User Key.
             Cannot be combined with the -j option.

-- 
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
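The following is an added example, not John-Mark Gurney's script and not anything shipped with FreeBSD: a complete rc.d-style script that does what his reply describes (mount the keyfile partition from the USB stick, attach each provider whose <name>.key is present using -p -k, unmount again), with the [ -c <dev> ] check he mentions so that absent providers are skipped silently. The rc variable names geli_usbkeys_*, the GPT label "gelikeys" for the keyfile partition, the mount point /mnt/gelikeys and the ufs filesystem type are assumptions; the GELI and DEVROOT variables exist only so the attach logic can be exercised without real devices.

```sh
#!/bin/sh
#
# Added example, not the poster's own script: attach geli providers whose
# keyfiles live on a removable GPT partition instead of /boot.
# Assumed (hypothetical) names: rc variables geli_usbkeys_*, the GPT label
# "gelikeys" of the keyfile partition, mount point /mnt/gelikeys, ufs fstype.
#
# PROVIDE: geli_usbkeys
# REQUIRE: devfs
# BEFORE: zpool
# KEYWORD: nojail

: "${GELI:=geli}"       # geli(8) binary; overridable so the logic can be tested
: "${DEVROOT:=/dev}"    # devfs root; overridable so the logic can be tested

# True if the provider name (e.g. gpt/tank0) exists as a character device node.
provider_exists() {
    [ -c "$DEVROOT/$1" ]
}

# Attach one provider with a keyfile only: -p drops the passphrase component
# of the User Key, so nothing is prompted for during boot.
attach_with_key() {
    "$GELI" attach -p -k "$1" "$2"
}

# For every <name>.key in $1, try label/<name> then gpt/<name>.  Providers
# that are not present are skipped (no error spam), the first successful
# attach wins, and the number of attached providers is printed on stdout.
attach_keys_in() {
    keydir="$1"
    attached=0
    for key in "$keydir"/*.key; do
        [ -f "$key" ] || continue        # glob matched nothing
        name=$(basename "$key" .key)
        for prov in "label/$name" "gpt/$name"; do
            provider_exists "$prov" || continue
            if attach_with_key "$key" "$prov"; then
                attached=$((attached + 1))
                break
            fi
            echo "geli_usbkeys: attach of $prov failed" >&2
        done
    done
    echo "$attached"
}

# Mount the keyfile partition read-only, attach, then unmount so the keys
# are not left reachable from the running system.
geli_usbkeys_start() {
    keydev="$DEVROOT/gpt/${geli_usbkeys_label:-gelikeys}"
    mnt="${geli_usbkeys_mountpoint:-/mnt/gelikeys}"
    if ! [ -c "$keydev" ]; then
        echo "geli_usbkeys: key device $keydev not present" >&2
        return 1
    fi
    mkdir -p "$mnt"
    mount -t "${geli_usbkeys_fstype:-ufs}" -o ro "$keydev" "$mnt" || return 1
    n=$(attach_keys_in "$mnt")
    umount "$mnt"
    echo "geli_usbkeys: attached $n provider(s)"
}

# rc(8) glue; only runs when invoked as an rc.d script on FreeBSD.
if [ $# -gt 0 ] && [ -r /etc/rc.subr ]; then
    . /etc/rc.subr
    name="geli_usbkeys"
    rcvar="geli_usbkeys_enable"
    start_cmd="geli_usbkeys_start"
    stop_cmd=":"
    load_rc_config "$name"
    run_rc_command "$1"
fi
```

Installed as /usr/local/etc/rc.d/geli_usbkeys and enabled with geli_usbkeys_enable="YES" in rc.conf, it runs before the zpool import so the .eli providers exist when the pool is scanned. Two deliberate differences from the loop in the reply: it stops after the first name that attaches (label/<name> and gpt/<name> normally point at the same provider, so the second attach would only fail), and it unmounts the stick afterwards. Since -p makes the keyfile the whole User Key, whoever holds the USB stick holds the disks; treat the stick accordingly.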