Date: Sun, 12 Mar 2023 23:36:48 +0100
From: Polytropon
To: Jean-Christophe
Cc: freebsd-questions@FreeBSD.org
Subject: Re: geli encryption on server
Message-Id: <20230312233648.15753eed.freebsd@edvax.de>
In-Reply-To: <8ef427543f851a296b4a1804764f3f5ece48225d.camel@blues-softwares.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Sun, 12 Mar 2023 21:35:44 +0100, Jean-Christophe wrote:
> hi,
> how can I add a passphrase at the boot process so it doesn't ask for it
> after every reboot?

Please excuse my ignorance, but what is the intended use for a passphrase that is never used?

If you want encryption without any interactive part (which _might_ weaken security, depending on your scenario), just use a locally stored keyfile with no protection passphrase. You can find an example in "man geli", section EXAMPLES. If I remember correctly, it's the -P option in combination with the -K option...

	geli init -P -K ...

You then add the location of the key file to /boot/loader.conf and reboot; no user input will then be needed.

Keep the implications in mind: Everyone who has access to the keyfile, especially if it is stored on the same disk as the filesystem it will be used to encrypt, will have access to the encrypted content after the system has successfully booted - without requiring the thief to enter a passphrase, because that's so convenient. ;-)

However, you _can_ use this approach by storing the keyfile on a USB stick and removing it when the system has been started. The USB stick only needs to be present when the system boots, and can be stored securely when the system is running.

Or did I misinterpret your question? If yes, I'm sorry. Many things depend on your individual intended use, typical scenario, expected threats, and range of imagination. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
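The keyfile-only setup the reply describes (geli init -P -K plus the /boot/loader.conf entries from geli(8) EXAMPLES), written out as an added example that is not part of the mail or of FreeBSD itself; the provider name ada1 and the key path /boot/keys/ada1.key are placeholders, and the permission check is an addition that enforces the "everyone who can read the keyfile" caveat:

```shell
#!/bin/sh
# Added example, not from the mailing-list post: unattended geli boot using a
# keyfile as the only key component (-P, -K), as the reply describes.
# Provider name and key location are placeholders; adjust for your system.
set -eu

# Emit the /boot/loader.conf lines that make loader(8) load the keyfile and
# hand it to the kernel, so the provider attaches at boot without input.
geli_loader_conf() {
    prov="$1"; key="$2"
    printf 'geom_eli_load="YES"\n'
    printf 'geli_%s_keyfile0_load="YES"\n' "$prov"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$prov" "$prov"
    printf 'geli_%s_keyfile0_name="%s"\n' "$prov" "$key"
}

# Succeed only if the keyfile is readable by its owner alone (mode 0600).
# Anyone who can read the file can attach the provider, which is exactly the
# implication the reply warns about.
keyfile_mode_ok() {
    [ -n "$(find "$1" -perm 0600 -print 2>/dev/null)" ]
}

# Create the keyfile, initialise the provider with it, and register it for
# boot. This runs geli(8) and appends to /boot/loader.conf, so it is only
# invoked with --apply on a real FreeBSD host.
setup_keyfile_boot() {
    prov="$1"; key="$2"
    mkdir -p "$(dirname "$key")"
    chmod 700 "$(dirname "$key")"
    # 64 random bytes, the keyfile size used in geli(8) EXAMPLES
    dd if=/dev/random of="$key" bs=64 count=1
    chmod 600 "$key"
    keyfile_mode_ok "$key"
    # -P: no passphrase component; -K: use the keyfile as the key component
    geli init -P -K "$key" "/dev/$prov"
    geli_loader_conf "$prov" "$key" >> /boot/loader.conf
}

if [ "${1:-}" = "--apply" ]; then
    setup_keyfile_boot "${2:-ada1}" "/boot/keys/${2:-ada1}.key"
fi
```

Without arguments the script only defines the functions; `--apply [provider]` performs the setup. If the keyfile lives on a USB stick as the reply suggests, `geli_<prov>_keyfile0_name` must be a path the loader can read at boot, which depends on how the loader sees that device and is not shown here.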