Re: Order of geli "passphrase prompt" on boot

From: Miguel Clara <miguelmclara_at_gmail.com>
Date: Tue, 4 Nov 2014 19:01:09 +0000
On Tue, Nov 4, 2014 at 5:10 PM, Allan Jude <allanjude_at_freebsd.org> wrote:

> On 11/04/2014 11:17, Kris Moore wrote:
> > On 11/04/2014 10:24, Kurt Jaeger wrote:
> >> Hi!
> >>
> >>> If you don't need any USB devices to boot, you can delay their
> >>> detection by loading the modules through /etc/rc.d/kld instead
> >>> of the loader:
> >>>
> >>> fk_at_r500 ~ $grep kld /etc/rc.conf
> >>> kld_list="usb.ko usb_quirk.ko ehci.ko umass.ko"
> >> Does this really help with the GENERIC kernel ?
> >>
> >> If I add this to /etc/rc.conf and do
> >>
> >> /etc/rc.d/kld start
> >>
> >> this spews a load of errors.
> >>
> >
> > Colin added this to HEAD recently:
> >
> >
> https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
> >
> > This will allow setting the passphrase at the boot-loader, so it doesn't
> > get prompted for again during boot. I think there was some work by
> > dteske_at_ to add this to the FreeBSD boot menus, but maybe you can use it
> > manually for now.
> >
> > We are using it in PC-BSD to supply the passphrase directly from GRUB,
> > so we only get prompted a single time.
> >
> > (Before somebody asks why we use grub)
> > We are using grub to do full-disk encryption, without an unencrypted
> > /boot, among other things :)
> >
> >
>
> Yes, as Kris mentioned, the solution is being worked on here at MeetBSD
> by dteske_at_ (with some advice from jmg_at_) at the request of cperciva_at_,
> using the functionality Colin added to head for Kris to be able to do
> this for PCBSD.
>
> Hopefully this problem will be solved soon.
>
>
Seems interesting, but if I got it right, for now the boot loader still
doesn't have a way to pass this right?

Could I, for example, drop to the prompt and set "g_eli_boot_passcache"? And of
course in the future it would be ideal to do it from/during the boot menu.
However, it should only do it if "root" is encrypted, right (not just
if geli is loaded, because it might not be used for root... say a user just
encrypts the /home dir; in that case having this on boot is not needed).
But if there's a way to tell the root device is encrypted at boot time,
then it would be the perfect solution indeed!

Pity it's only usable with grub for now, but still nice to see it's being
worked on!

Thanks
Received on Tue Nov 04 2014 - 18:01:32 UTC
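The "is root actually on geli?" test the reply above asks for can be answered from userland once the kernel is up, which is the check an rc(8) script would make before deciding whether an early passphrase is worth arranging. The following is an added example written for this page, not code from the thread, PC-BSD or FreeBSD. It assumes the FreeBSD `mount -p` format ("special mountpoint fstype ...") and that `zpool status` lists leaf vdevs under "config:" with a STATE column; both outputs are passed in as strings, with constructed samples, so it runs offline. It reports "passphrase needed for root" when the root device, or any leaf vdev of the root pool, is a `.eli` provider, and not when only a data filesystem such as /home is encrypted. The loader-side decision the thread says is being worked on is a different problem: at that stage there is no mount table to consult.

```shell
#!/bin/sh
# Added example (not from the thread): does the root filesystem need a
# GELI passphrase, or is geli only used for a data filesystem like /home?
#
# Assumed formats: 'mount -p' prints "<special> <mountpoint> <fstype> ...";
# 'zpool status' lists leaf vdevs under "config:" with a STATE column.
# Outputs are passed in as strings so the logic runs on constructed samples;
# live_root_needs_geli() shows the real-system call.

# root_device MOUNT_P_OUTPUT: print the special device or dataset mounted on /
root_device() {
    printf '%s\n' "$1" | awk '$2 == "/" { print $1; exit }'
}

# is_eli_provider NAME: true when NAME is a geli(8) provider (".eli" suffix)
is_eli_provider() {
    case "$1" in
        *.eli) return 0 ;;
        *)     return 1 ;;
    esac
}

# zpool_vdevs ZPOOL_STATUS_OUTPUT POOL: print the leaf vdev names of POOL,
# skipping the header, the pool line and mirror/raidz/log/cache group lines
zpool_vdevs() {
    printf '%s\n' "$1" | awk -v pool="$2" '
        /^[ \t]*pool:/ { cur = $2 }
        /^config:/     { inconf = 1; next }
        /^errors:/     { inconf = 0 }
        !inconf || cur != pool || NF < 2 { next }
        $1 == "NAME" || $1 == pool       { next }
        $1 ~ /^(mirror|raidz[123]?|logs?|cache|spares?)(-[0-9]+)?$/ { next }
        $2 ~ /^(ONLINE|DEGRADED|OFFLINE|FAULTED|UNAVAIL|REMOVED)$/ { print $1 }'
}

# root_needs_geli MOUNT_P_OUTPUT ZPOOL_STATUS_OUTPUT:
# exit 0 if / sits on a geli provider (directly, or via any leaf vdev of the
# root pool), so a passphrase is needed before root can be mounted
root_needs_geli() {
    _dev=$(root_device "$1")
    [ -n "$_dev" ] || return 1
    case "$_dev" in
        /dev/*)
            # UFS (or any device-backed) root: the device name says it all
            is_eli_provider "$_dev" ;;
        *)
            # ZFS root: "pool/ROOT/..." or a bare pool name; inspect leaf vdevs.
            # One geli vdev is enough: the pool cannot come up without it.
            _pool=${_dev%%/*}
            for _v in $(zpool_vdevs "$2" "$_pool"); do
                is_eli_provider "$_v" && return 0
            done
            return 1 ;;
    esac
}

# On a real FreeBSD box (not exercised here):
live_root_needs_geli() {
    root_needs_geli "$(mount -p)" "$(zpool status 2>/dev/null)"
}

# Constructed sample outputs (not captured from a real system)
SAMPLE_MOUNT_UFS_ELI='/dev/ada0p2.eli / ufs rw 1 1
/dev/ada0p1 /boot ufs rw 1 1'
SAMPLE_MOUNT_UFS_PLAIN='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3.eli /home ufs rw 1 1'
SAMPLE_MOUNT_ZFS='zroot/ROOT/default / zfs rw,noatime 0 0
zroot/usr/home /usr/home zfs rw,noatime 0 0'
SAMPLE_ZPOOL_ELI='  pool: zroot
 state: ONLINE
config:

        NAME            STATE     READ WRITE CKSUM
        zroot           ONLINE       0     0     0
          mirror-0      ONLINE       0     0     0
            ada0p3.eli  ONLINE       0     0     0
            ada1p3.eli  ONLINE       0     0     0

errors: No known data errors'
SAMPLE_ZPOOL_PLAIN='  pool: zroot
 state: ONLINE
config:

        NAME        STATE     READ WRITE CKSUM
        zroot       ONLINE       0     0     0
          ada0p3    ONLINE       0     0     0

errors: No known data errors'

# Stand-alone demo on the constructed samples
root_needs_geli "$SAMPLE_MOUNT_UFS_ELI" ""                && echo "ufs root on geli: passphrase needed for root"
root_needs_geli "$SAMPLE_MOUNT_UFS_PLAIN" ""              || echo "only /home on geli: no root passphrase needed"
root_needs_geli "$SAMPLE_MOUNT_ZFS" "$SAMPLE_ZPOOL_ELI"   && echo "zfs root pool on geli: passphrase needed for root"
root_needs_geli "$SAMPLE_MOUNT_ZFS" "$SAMPLE_ZPOOL_PLAIN" || echo "zfs root pool in the clear: no root passphrase needed"
```

The "any leaf vdev" rule is deliberate: a root pool with one geli mirror half still cannot be imported healthy without the passphrase, so for the purpose of deciding whether to prompt early it counts as encrypted. A vdev named through a GPT label (gpt/disk0.eli) still ends in .eli and is handled the same way.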

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:53 UTC