GELI Passphrase for disk0p4 on BTX loader - Bad GELI key: -1 with correct passphrase
Allan Jude
allanjude at freebsd.org
Fri May 6 14:36:48 UTC 2016
On 2016-05-06 07:38, Miguel C wrote:
> Hi,
>
> In a recent -current build, the BTX loader now prompts for a GELI passphrase, but
> typing the correct passphrase always fails.
It is not the BTX loader, but 'boot2' (gptzfsboot).
>
> After the 2 tries I get to the next part where loader.conf is loaded and I
> am prompted again for a GELI passphrase (I have geom_eli_passphrase_prompt
> set to "YES"); this is the one that's saved to be used later, and it does
> work.
>
> The main difference seems to be that the first one is trying to decrypt disk0p4,
> while the other is doing it for "ada0p4", which should mean the same thing
> for geli (I think), but they are not.
This is because device names have not been assigned yet.
>
> I've mistyped the passphrase on purpose in the second prompt and let it do
> the normal boot until it tries to attach the devices and asks for a
> passphrase for ada0p4, which should be like the "old days", and if I fail here 3
> times it then switches to "disk0p4" or "DISKIDblahblah", and all of these fail
> with a correct passphrase.
>
> I've used the FreeBSD installer with ZFS + GELI to do this, and it seems geli
> only knows how to decrypt "ada0..." but nothing else, probably due to how
> it was created, or maybe it's by design...
>
> Anyway, for me it works great if I get asked the passphrase when loader.conf
> kicks in, and use it later.
>
> But I am curious about the BTX loader prompt... even if it did work for
> disk0p4, how will it load the keyfile? I can type the passphrase, but it
> wouldn't know about the keyfile or be able to access it.
>
It does not currently support loading key files, and that is why it did
not work.
This change was committed a while ago, and has since been protected
behind a new GELI flag, so you have to specifically turn this feature
(prompting for the passphrase in gptzfsboot, which allows you to boot
without having to have an unencrypted /boot) on.
If you update your source to a more recent -current, and install that
version of gptzfsboot and /boot/zfsloader, this should stop happening to
you.
In the future, the plan is for gptzfsboot to support loading your key
file from a new dedicated partition type, freebsd-gelikey.
> Thanks
--
Allan Jude
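The thread's point is that the gptzfsboot passphrase prompt cannot read a key file, so a provider that the installer set up with passphrase plus keyfile fails there with "Bad GELI key" even though the later loader.conf-driven attach works. The following check, added here and not part of the original thread, reads a loader.conf and flags providers that depend on a keyfile; the `geli_<provider>_keyfile0_*` knob names and the sample configuration are assumptions modelled on installer output, not taken from the thread.

```shell
#!/bin/sh
# Constructed loader.conf in the shape the FreeBSD installer writes for
# a ZFS + GELI install (assumed knob names; geom_eli_passphrase_prompt is
# the one the thread mentions).
SAMPLE_LOADER_CONF='geom_eli_load="YES"
geom_eli_passphrase_prompt="YES"
geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key"
zfs_load="YES"'

# Print one provider name per line for every provider that loader.conf
# feeds a keyfile to (geli_<provider>_keyfileN_load="YES").
keyfile_providers() {
    printf '%s\n' "$1" \
      | sed -n 's/^geli_\([A-Za-z0-9]*\)_keyfile[0-9]*_load="YES"$/\1/p' \
      | sort -u
}

# Return 0 when the early gptzfsboot prompt can be expected to unlock the
# root provider with a passphrase alone, 1 when at least one provider needs
# a keyfile, which that prompt cannot load (see Allan's reply above).
check_early_prompt() {
    conf="$1"
    prompt=$(printf '%s\n' "$conf" \
      | grep -c '^geom_eli_passphrase_prompt="YES"' || true)
    providers=$(keyfile_providers "$conf")
    if [ -n "$providers" ]; then
        for p in $providers; do
            echo "$p: keyfile configured in loader.conf;" \
                 "passphrase-only prompt in gptzfsboot will report a bad key"
        done
        return 1
    fi
    if [ "$prompt" -gt 0 ]; then
        echo "passphrase prompt enabled and no keyfiles configured"
    else
        echo "no keyfiles configured; geom_eli_passphrase_prompt not set"
    fi
    return 0
}

check_early_prompt "$SAMPLE_LOADER_CONF"
```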