Re: geli encryption on server
- Reply: Ralf Mardorf : "Re: geli encryption on server"
- In reply to: Jean-Christophe : "geli encryption on server"
Date: Sun, 12 Mar 2023 22:36:48 UTC
On Sun, 12 Mar 2023 21:35:44 +0100, Jean-Christophe wrote:
> hi,
> how can I add a passphrase at the boot process so that it doesn't ask
> for it after every reboot?

Please excuse my ignorance, but what is the intended use for a passphrase that is never used?

If you want encryption without any interactive part (which _might_ weaken security, depending on your scenario), just use a locally stored keyfile with no protection passphrase. You can find an example in "man geli", section EXAMPLES. If I remember correctly, it's the -P option in combination with the -K option...

geli init -P -K <key> <device>...

You then add the location of the key file to /boot/loader.conf and reboot; no user input will then be needed.

Keep the implications in mind: Everyone who has access to the keyfile, especially if it is stored on the same disk as the filesystem it will be used to encrypt, will have access to the encrypted content after the system has successfully booted - without requiring the thief to enter a passphrase, because that's so convenient. ;-)

However, you _can_ use this approach with storing the keyfile on a USB stick and remove it when the system has been started. The USB stick only needs to be present when the system boots, and can be stored securely when the system is running.

Or did I misinterpret your question? If yes, I'm sorry. Many things depend on your individual intended use, typical scenario, expected threats, and range of imagination. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
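The keyfile-only setup described in the reply above, as an added example that is not part of the original message or of FreeBSD's own documentation: a few POSIX sh helpers that create a keyfile with restrictive permissions, print the loader.conf lines that let the boot loader pick the keyfile up (so the provider attaches without a passphrase after "geli init -P -K"), print the rc.conf alternative for providers that are only needed after the root filesystem is up, and check the point the reply makes about keyfile access being equivalent to data access. The device name "da2", the keyfile path "/root/da2.key" and the 4096-byte sector size are assumed placeholders; the geli_* variable names follow the EXAMPLES section of geli(8). The geli commands themselves are only printed, not run, because they require root on FreeBSD and would overwrite the target device.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD.
# Assumed placeholders: device "da2", keyfile "/root/da2.key".

# Create a 64-byte random keyfile. The umask makes it 0600 from the
# moment it exists; it is then tightened to 0400 (root read-only).
make_keyfile() {
    keyfile=$1
    ( umask 077 && dd if=/dev/random of="$keyfile" bs=64 count=1 2>/dev/null )
    chmod 0400 "$keyfile"
}

# loader.conf lines: load the geom_eli module and have the loader read
# the keyfile so the provider is attached at boot without a passphrase.
geli_loader_conf() {
    dev=$1; keyfile=$2
    printf 'geom_eli_load="YES"\n'
    printf 'geli_%s_keyfile0_load="YES"\n' "$dev"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$dev" "$dev"
    printf 'geli_%s_keyfile0_name="%s"\n' "$dev" "$keyfile"
}

# rc.conf alternative for a provider that is not needed at boot time:
# rc(8) attaches it later, again with the keyfile only (-p = no passphrase).
geli_rc_conf() {
    dev=$1; keyfile=$2
    printf 'geli_devices="%s"\n' "$dev"
    printf 'geli_%s_flags="-p -k %s"\n' "$dev" "$keyfile"
}

# The reply's caveat: whoever can read the keyfile can read the data once
# the system is up. Returns 0 only if no group/other permission bit is set.
keyfile_is_private() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# The init/attach commands from the reply, printed rather than executed
# (they need root on FreeBSD and destroy existing data on the device).
geli_init_cmds() {
    dev=$1; keyfile=$2
    printf 'geli init -s 4096 -P -K %s /dev/%s\n' "$keyfile" "$dev"
    printf 'geli attach -p -k %s /dev/%s\n' "$keyfile" "$dev"
}

# Usage (example values): review the output, then copy the lines into
# /boot/loader.conf or /etc/rc.conf as appropriate.
if [ "${1:-}" = "--show" ]; then
    geli_init_cmds da2 /root/da2.key
    echo '# /boot/loader.conf:'
    geli_loader_conf da2 /root/da2.key
    echo '# or /etc/rc.conf:'
    geli_rc_conf da2 /root/da2.key
fi
```

If the keyfile lives on a removable USB stick as the reply suggests, the geli_da2_keyfile0_name path simply points at that mounted location; the keyfile_is_private check is still worth running there, since the stick's filesystem decides what permissions the file actually gets.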