GELI passphrase and/or key via command line or environment

grarpamp grarpamp at gmail.com
Fri Sep 9 22:24:33 UTC 2011


>> For both init and attach (and even elsewhere where
>> applicable), I'd like to be able to specify the passphrase
>> and key material via the command line and/or the environment.
>> Yes, we have -J/j and -K/k, but they only permit the use of files
>> or standard in. And of course standard in is not an arbitrary
>> file descriptor and as such is only usable once. So it cannot
>> be used with both jay and kay. I use both jay and kay, and want
>> to do so programmatically without blocking on keyboard input.
>> In the current implementation, I cannot achieve this.


> I think since the -j/-J flags to geli(8) have been introduced, you may play
> some tricks with the shell to redirect input (on stable/8 and later systems).

If you're referring to Joseph's suggestion (or expect, etc), they
would not apply because they are shell hacks, specific to, and only
present in, certain shells (or external apps). The solution needs
to be in geli, not the shell.

> For stable/7 systems the attached patch should do what you're looking for.

-J/j are not present in RELENG_7. -K/k are present in RELENG_7.
I track RELENG_8 and HEAD (trunk), which have both.

> patch... the ability to read the passphrase from stdin (new -t cli flag)

In RELENG_8, this is already the case. I can't do this because stdin
here would be overloaded:
geli init -J - -K -

(Also, the patch says 'password' in places, shouldn't that be
replaced with 'passphrase' to be consistent?)


The two factors, know and have, as they exist today:

           prompt stdin file cli env
know,pph,j    x     +    x    o   o
have,key,k    o     +    x    o   o

Where x and + are available, o is not.
And where + is one or the other, not both.

I'd like this to become:

           prompt stdin file cli env
know,pph,j    x     +    x    x   x
have,key,k    x     +    x    x   x

The cli '-', shell '< or |', and a program prompt could all be
considered stdin. Though I've seen program prompts that only accept
keyboard input.
'cli' means you enter it as/on one big command line.
'file' and 'env' should be self explanatory.

In the absence of the program rewriting its 'ps' output, using the
environment would be the more 'secure' option to start with.

I'm not sure if a program can rewrite everything, or just its own
name.
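A model of the source matrix and the one-stdin rule this message describes, as an added example that is not part of the original post or of geli itself. The spec notation ('-', file:PATH, env:NAME, cli:VALUE), the class and function names, and the exposure notes are assumptions made for this illustration.

```python
import os
import sys


class StdinReused(ValueError):
    """Both -j and -k asked for '-', but there is only one stdin to drain."""


class SecretSources:
    """Resolve passphrase (-j) and key (-k) material from the sources in the
    post's matrix: stdin ('-'), file:PATH, cli:VALUE, env:NAME.
    (Hypothetical model constructed for this example, not geli's code.)"""

    # Who can observe each source on a typical Unix host: the reason the
    # post prefers env over a bare command line when no ps rewriting exists.
    EXPOSURE = {
        "cli": "argv: visible to every local user via ps(1)",
        "env": "environ: visible to the same uid and to root",
        "file": "filesystem: limited by the file's mode and owner",
        "-": "stdin: seen only by the producing process",
    }

    def __init__(self, env=None, stdin_reader=None):
        self.env = os.environ if env is None else env
        self._read_stdin = stdin_reader or (lambda: sys.stdin.buffer.read())
        self.stdin_owner = None  # which flag has already consumed stdin

    def resolve(self, flag, spec):
        if spec == "-":
            # stdin is a single stream, so a second '-' cannot be honoured.
            if self.stdin_owner is not None:
                raise StdinReused(
                    f"stdin already consumed for {self.stdin_owner}; "
                    f"cannot read {flag} from it as well")
            self.stdin_owner = flag
            return self._read_stdin()
        source, _, arg = spec.partition(":")
        if source == "file":
            with open(arg, "rb") as fh:
                return fh.read()
        if source == "env":
            return self.env[arg].encode()
        if source == "cli":
            return arg.encode()
        raise ValueError(f"unknown secret source {spec!r}")


def gather(pph_spec, key_spec, env=None, stdin_reader=None):
    """Return (passphrase, key); raises StdinReused for '-J - -K -'."""
    sources = SecretSources(env, stdin_reader)
    return sources.resolve("-j", pph_spec), sources.resolve("-k", key_spec)
```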

