Password from shsec when booting eli encrypted / ?
Frank J. Beckmann
frank at barda.agala.net
Wed Oct 19 17:32:51 PDT 2005
On Wednesday, 28 September 2005 10:43, Pawel Jakub Dawidek wrote:
> On Tue, Sep 27, 2005 at 01:57:30PM +0200, Frank J. Beckmann wrote:
> +> I start to love the new geom classes, they give me many ideas but also raise
> +> many questions. The man page of geli states that you can encrypt / when you
> +> boot from a USB pen-drive. That must contain /boot. Does it find / or do I
> +> have to set rootdev in loader.conf?
> You need to setup USB boot in BIOS and that's actually all.
None of my computers is able to boot from USB, but that's another problem. I
hope to get some newer hardware sooner or later...
> It will ask you for the passphrase before root file system is mounted and
> will find root partition in /etc/fstab after decryption.
That is how I understood the man page. But that is no great solution for an
> +> And is it possible to get the password (or any other needed secret) from
> +> a gshsec device instead of a console prompt?
I guessed you would say that. Would it be possible to mount a shsec device
read-only like /? The kernel knows how to read a UFS file system, else it
could not boot.
> Currently you can use only passphrase strengthened with PKCS#5v2 for the
> root partition.
> There are no file systems mounted yet, so you cannot get the secret from
> a file. In theory it will be possible to get the secret from a raw device
> (storing info about this in /boot/loader.conf).
> BUT this is hackish and evil, so I'll wait for a better solution.
Where do I have to start looking for a better solution? Could the kernel be
able to read from something in /dev/ufs?
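The "passphrase strengthened with PKCS#5v2" that Pawel mentions is PBKDF2 key stretching: the passphrase is run through an HMAC many thousands of times with a per-provider salt, so that each guess costs an attacker the same work it costs the legitimate boot. The example below is added here for illustration and is not code from this thread or from geli itself. It assumes HMAC-SHA512 as the PBKDF2 pseudo-random function, a constructed 16-byte salt and a constructed passphrase; geli's real metadata layout, salt handling and key-splitting are not reproduced. The calibration helper is a hypothetical sketch of the idea behind geli's default of choosing the iteration count by wall-clock cost rather than a fixed number.

```python
import hashlib
import time

# Constructed sample inputs; not values from the thread or from any real provider.
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 16-byte salt


def derive_key(passphrase: str, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """Stretch a passphrase with PBKDF2-HMAC-SHA512 (PKCS#5 v2).

    Assumption: HMAC-SHA512 is the PRF. The output is the raw stretched key;
    how geli splits and uses that key is not modelled here.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if len(salt) < 8:
        # PKCS#5 v2 recommends at least 64 bits of salt so equal passphrases
        # on two providers never derive the same key.
        raise ValueError("salt too short")
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, dklen)


def calibrate_iterations(target_seconds: float, salt: bytes, probe_iterations: int = 2000) -> int:
    """Pick an iteration count so one derivation takes about target_seconds here.

    Hypothetical helper: times a probe run and scales linearly, which is the
    same idea as letting the tool size the work by elapsed time instead of
    hard-coding a count that ages badly as hardware gets faster.
    """
    start = time.perf_counter()
    derive_key("calibration-probe", salt, probe_iterations)
    elapsed = time.perf_counter() - start
    if elapsed <= 0.0:
        return probe_iterations
    return max(1, int(probe_iterations * target_seconds / elapsed))


def keys_differ_by_salt(passphrase: str, salt_a: bytes, salt_b: bytes, iterations: int) -> bool:
    """True when the same passphrase yields different keys under different salts."""
    return derive_key(passphrase, salt_a, iterations) != derive_key(passphrase, salt_b, iterations)


if __name__ == "__main__":
    iters = calibrate_iterations(0.25, SAMPLE_SALT)
    key = derive_key(SAMPLE_PASSPHRASE, SAMPLE_SALT, iters)
    print(f"iterations={iters} key={key.hex()}")
```

The two properties worth checking are that the derivation is deterministic for a fixed passphrase, salt and iteration count (otherwise the root provider could never be reopened) and that changing any of the three changes the key, which is what makes precomputed tables per passphrase useless across providers.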