potential problem with gpart, glabel and geli when using "ask for a
passphrase on boot" option
leon zadorin
leonleon77 at gmail.com
Sun Aug 21 02:43:13 UTC 2011
Hello everyone,
There appears to be a problem with how the geli geom module treats the "ask
for a passphrase on boot" option when the system is booting (or I
probably don't know the right way of doing this...) on the 8.2-release
branch.
Essentially, I have a disk, for illustration purposes let's call it
"/dev/aaa", which is first labeled permanently (with glabel) as, let's
say, "/dev/label/ccc" and then set up with gpart to use the gpt partition
scheme.
So far so good...
I then initialize one of the gpt partitions (/dev/label/cccp2) to be
used by a geli encryption module with "ask for a passphrase on boot"
option... something like this:
geli init -b -v -a hmac/sha256 -B none /dev/label/cccp2
the problem is that when the system boots, it asks for a passphrase on
*multiple* devices/partitions:
/dev/aaap2
/dev/gpt/bbb (where bbb is guid of the gpt partition in question)
/dev/label/cccp2
Clearly -- since I had applied the 'geli init -b' to /dev/label/cccp2
only, it would be ideal if geli was asking for the passphrase only for
1 device/partition: /dev/label/cccp2
It would appear, however, that geli might be using some sort of
value/data written to a partition to indicate that it may need to ask
for a passphrase on boot (?), and since each of /dev/aaap2,
/dev/gpt/bbb, /dev/label/cccp2 are synonymous w.r.t. such data -- it
decides to ask for a passphrase every time a given "/dev/...." entry gets
attached?
Any way around this? Am I doing something wrong here? Or is there some
way in 'loader.conf' to tell geli geom provider to ignore certain
"/dev/..." entries?
Best regards
Leon.