geli not recognizing passphrase on boot (was: geli not prompting
for password on boot)
Adam Wood
aswood at gmail.com
Fri Apr 7 22:27:39 UTC 2006
Hello,
I have tried a new method using the 6.1-BETA4 ISO images.
Unfortunately, I am still not getting it to work properly. I am,
however, making slight progress, as it does ask for a passphrase at
boot.
It does not seem to recognize my passphrase, though.
Here's what I've done:
1. Booted with 6.1-BETA4 disc 1.
2. Launched Fixit with livefilesystem on CD.
3. Created symlink /dist/lib to /lib (ln -s /dist/lib /lib) and
/dist/boot/kernel to /boot/kernel (ln -s /dist/boot/kernel
/boot/kernel).
4. Loaded the geom_eli module (kldload geom_eli).
5. Initiated the geli device (geli init -b -s 4096 -l 256 /dev/ad0).
6. Attached the new geli device (geli attach /dev/ad0 -- works!).
7. Created bsdlabel on new, encrypted disk (bsdlabel -w /dev/ad0).
8. a. Set editor (export EDITOR=/dist/usr/bin/vi).
b. Partitioned new disk manually (bsdlabel -e /dev/ad0).
9. Created new filesystems (newfs /dev/ad0.elia, newfs /dev/ad0.elid,
newfs /dev/ad0.elie, newfs /dev/ad0.elif).
10. Defined a mountpoint (mkdir /crypt).
11. Mounted encrypted partitions (mount /dev/ad0.elia /crypt, mount
/dev/ad0.elid /crypt/var, mount /dev/ad0.elie /crypt/tmp, mount
/dev/ad0.elif /crypt/usr).
12. Installed base system (cd /dist/6.1-BETA4/base && export
DESTDIR=/crypt && ./install.sh).
NOTE: This did not populate /crypt/boot/kernel/ for some reason, so I
copied /dist/boot/kernel/* to /crypt/boot/kernel/).
13. tar'ed up the boot directory (cd /crypt; tar -zcvpf
/crypt/boot.tgz boot) and transfered to separate system with cdrtools
(ln -s /dist/usr/bin /usr/bin; scp boot.tgz user at host:~/).
14. On other system, I created a new directory which contains the boot
directory I copied and also an etc directory with the fstab.
15. Edited boot/loader.conf and added geom_eli_load="YES" and
kern.geom.eli.debug=1.
16. Ran mkisofs -b boot/bootcd -t /tmp/bootcd.iso /newdirectory_containingdirs.
17. Burned /tmp/bootcd.iso.
18. Rebooted with the new CD as boot device.
It prompts me for the passphrase for ad0, but when I supply it I just get:
GEOM_ELI[0]: Wrong key for ad0. Tries left: 2.
I know I'm typing it correctly, and if I boot back into the install
disc I can attach just fine. Can you think of anything that would be
causing this? Does the boot media need /lib? I don't think it does,
but perhaps I'm wrong.
For reference, here is the /etc/fstab on the media:
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0.elib none swap sw 0 0
/dev/ad0.elia / ufs rw 1 1
/dev/ad0.elie /tmp ufs rw 2 2
/dev/ad0.elif /usr ufs rw 2 2
/dev/ad0.elid /var ufs rw 2 2
Sincerely,
Adam Wood
On 4/6/06, Pawel Jakub Dawidek <pjd at freebsd.org> wrote:
> On Wed, Apr 05, 2006 at 08:33:55PM -0500, Adam Wood wrote:
> +> Hello,
> +>
> +> I've recently began researching GELI and disk-encryption altogether
> +> and have run into a problem.
> +>
> +> I've created a bootable media with the 6.0-RELEASE kernel with all the
> +> standard modules. It also has geom_eli_load="YES" in loader.conf. I
> +> also have the following /etc/fstab in the boot media:
> +>
> +> # Device Mountpoint FStype Options Dump Pass#
> +> /dev/ad0.elib none swap sw 0 0
> +> /dev/ad0.elia / ufs rw 1 1
> +> /dev/ad0.elie /tmp ufs rw 2 2
> +> /dev/ad0.elif /usr ufs rw 2 2
> +> /dev/ad0.elid /var ufs rw 2 2
> +>
> +> I created /dev/ad0.eli via the following:
> +>
> +> geli init -b -l 256 /dev/ad0
> +>
> +> and the partitions:
> +>
> +> bsdlabel -w /dev/ad0.eli
> +> bsdlabel -e /dev/ad0.eli
> +>
> +> However, when I boot, I can see that geom_eli is loaded, but it does
> +> not ever ask me for the password. I believe that is the point of the
> +> -b argument I supplied to the geli init command.
> +>
> +> When I boot I am greeted with the following error:
> +>
> +> Trying to mount root from ufs:/dev/ad0.elia
> +>
> +> Manual root filesystem specification:
> +> <fstype>:<device> Mount <device> using filesystem <fstype>
> +> eg. ufs:da0s1a
> +> ? List valid disk boot devices
> +> <empty line> Abort manual input
> +>
> +> mountroot>
> +>
> +> Any help you could provide would be much appreciated.
>
> Which FreeBSD version are you using? There could be a race in earlier
> versions where geli stops waiting for providers before they actually
> show up. You increase debug level to 1 by adding:
>
> kern.geom.eli.debug=1
>
> to the /boot/loader.conf and see when message "Tasting no more." is
> printed.
>
> This problem is fixed in 6-STABLE and will be also in 6.1-RELEASE.
>
> --
> Pawel Jakub Dawidek http://www.wheel.pl
> pjd at FreeBSD.org http://www.FreeBSD.org
> FreeBSD committer Am I Evil? Yes, I Am!
>
>
>
More information about the freebsd-geom
mailing list