From: Evilham
To: Jean-Christophe
Cc: freebsd-questions@freebsd.org, questions@freebsd.org
Subject: Re: geli encryption on server
Date: Mon, 13 Mar 2023 08:46:06 +0100
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Sun, Mar 12 2023, Jean-Christophe wrote:
> hi,
> how can I add a passphrase to the boot process so it doesn't ask for it
> after every reboot?
> regards,
> jean-christophe

As others pointed out, beware that depending on what you are
doing, it might render your encryption pretty much useless.

I use it to unlock other geli-encrypted drives providing just one
password; it's a decent compromise for me.

Answering your question with those caveats: you can do this with
the options:

geli_devices and geli_${PROVIDER}_flags

This is documented in rc.conf(5) and /etc/rc.d/geli. AFAICT
geli_${PROVIDER}_flags is not documented in rc.conf(5); if this
saved you time, please look into adding a patch fixing that.

It can look something like this in /etc/rc.conf:

geli_devices="gpt/home"
geli_gpt_home_flags="-pk '/secret/location/keyfile.secret'"

Note that the '/' gets replaced with a '_' when you need to
provide the flags.

Cheers,
--
Evilham
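An added example, not part of the post above: a POSIX sh check for the rc.conf variables the reply describes. It derives the geli_${PROVIDER}_flags name from each entry in geli_devices ('/' to '_'), reports a missing or misnamed flags variable, and, when the flags pass a keyfile with -k, checks that the keyfile exists and is not readable by group or others, since a readable keyfile is exactly the case where the encryption becomes useless. The rc.conf path is an argument; the keyfile path in the test is constructed.

```shell
# Added example, not from the post: sanity-check the geli rc.conf variables
# described above. For each provider in geli_devices, derive the name of
# geli_${PROVIDER}_flags ('/' becomes '_'), require it to be set, and if the
# flags pass a keyfile with -k, require that the keyfile exists and is not
# readable by group or others; a world-readable keyfile defeats the encryption.

# Map a provider name to the variable infix rc.d/geli uses: gpt/home -> gpt_home
geli_rc_var() {
    printf '%s\n' "$1" | tr '/' '_'
}

# Print the argument that follows -k (also in a combined flag such as -pk).
# Returns 1 when the flags carry no keyfile.
geli_keyfile_from_flags() {
    eval "set -- $1"          # re-split the flag string the way sh would
    while [ $# -gt 0 ]; do
        case "$1" in
            -*k) shift; [ $# -gt 0 ] && printf '%s\n' "$1"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Check one rc.conf-style file: print one problem per line, return 1 if any.
geli_rc_check() {
    rcfile=$1
    problems=0
    # rc.conf is a shell fragment, so read it in a subshell like rc(8) does.
    devices=$(. "$rcfile" >/dev/null 2>&1; printf '%s' "${geli_devices}")
    for dev in $devices; do
        var=$(geli_rc_var "$dev")
        flags=$(. "$rcfile" >/dev/null 2>&1
                eval "printf '%s' \"\${geli_${var}_flags}\"")
        if [ -z "$flags" ]; then
            echo "$dev: geli_${var}_flags is not set"; problems=1; continue
        fi
        kf=$(geli_keyfile_from_flags "$flags") || continue
        if [ ! -f "$kf" ]; then
            echo "$dev: keyfile '$kf' does not exist"; problems=1
        elif [ -n "$(find "$kf" \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]; then
            echo "$dev: keyfile '$kf' is readable by group or others"; problems=1
        fi
    done
    return $problems
}
```

Run it as `geli_rc_check /etc/rc.conf` after editing; a non-zero exit means at least one provider would either fail to attach at boot or attach with an exposed keyfile.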