On 2016-05-06 07:38, Miguel C wrote:
> Hi,
>
> In a recent -CURRENT build the BTX loader now prompts for a GELI passphrase, but
> typing the correct passphrase always fails.

It is not the BTX loader, but 'boot2' (gptzfsboot).

> After the 2 tries I get to the next part where loader.conf is loaded and I
> am prompted again for a GELI passphrase (I have geom_eli_passphrase_prompt
> set to "YES"); this is the one that's saved to be used later, and it does
> work.
>
> The main difference seems to be the first one is trying to decrypt disk0p4,
> while the other is doing it for "ada0p4", which should mean the same thing
> for geli (I think) but they are not.

This is because device names have not been assigned yet.

> I've mistyped the passphrase on purpose in the second prompt and let it do
> the normal boot until it tries to attach the devices and asks for a
> passphrase for ada0p4, like in the "old days", and if I fail here 3
> times it then switches to "disk0p4" or "DISKIDblahblah", and all of these fail
> with a correct passphrase.
>
> I've used the FreeBSD installer with ZFS + GELI to do this and it seems geli
> only knows how to decrypt "ada0..." but nothing else, probably due to how
> it was created, or maybe it's by design...
>
> Anyway, for me it works great if I get asked the passphrase when loader.conf
> kicks in, and it is used later.
>
> But I am curious about the BTX loader prompt... even if it did work for
> disk0p4 how will it load the keyfile? I can type the passphrase but it
> wouldn't know about the keyfile or be able to access it.

It does not currently support loading key files, and that is why it did not work.

This change was committed a while ago, and has since been protected behind a new GELI flag, so you have to specifically turn this feature (prompting for the passphrase in gptzfsboot, which allows you to boot without having to have an unencrypted /boot) on.

If you update your source to a more recent -CURRENT, and install that version of gptzfsboot and /boot/zfsloader, this should stop happening to you.

In the future, the plan is for gptzfsboot to support loading your key file from a new dedicated partition type, freebsd-gelikey.

> Thanks

-- 
Allan Jude
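As an added illustration (not part of the original exchange): the /boot/loader.conf entries behind the second prompt Miguel describes, the one that works. They tell /boot/zfsloader to load the key file for the provider and to ask for the passphrase, then hand both to the kernel's GELI module, which is why that prompt can attach a key-file-protected provider while the gptzfsboot prompt cannot. The variable names follow the form the FreeBSD installer's ZFS+GELI setup writes; ada0p4 is the device from the thread, and the key path /boot/encryption.key is an assumed example value.

```sh
# /boot/loader.conf (added example, not from the thread)

# Load the GELI class so the kernel can attach the encrypted root provider.
geom_eli_load="YES"

# Load the key file for ada0p4 from the unencrypted /boot and pass it to the
# kernel, so the passphrase alone is not sufficient to attach the provider.
geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key"   # assumed path

# Prompt for the passphrase in the loader (before the kernel starts) and cache
# it for the kernel's GELI attach, instead of prompting at device attach time.
geom_eli_passphrase_prompt="YES"
```

The earlier prompt in gptzfsboot is independent of these lines: it is enabled per provider with the GELI BOOT flag (`geli configure -g ada0p4` on a -CURRENT with this feature), and, as the reply above says, it cannot read a key file at that stage, so a provider that requires one will still fail there until the planned freebsd-gelikey partition support lands.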
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:04 UTC