vfs.root.mountfrom with geli

Fabian Keil freebsd-listen at fabiankeil.de
Tue Feb 5 10:59:15 UTC 2013


mhca12 <mhca12 at gmail.com> wrote:

> On Mon, Feb 4, 2013 at 6:23 PM, Fabian Keil wrote:
> > mhca12 <mhca12 at gmail.com> wrote:
> >
> >> On Mon, Feb 4, 2013 at 1:06 PM, Fabian Keil wrote:
> >> > mhca12 <mhca12 at gmail.com> wrote:
> >> >
> >> >> I followed the guide on dan.me.uk to install FreeBSD 9.1 amd64
> >> >> but I get always stuck because the kernel doesn't ask me for the
> >> >> passphrase and doesn't find the /dev/gpt/enc.eli where enc is the
> >> >> label I gave to the root partition. I also tried with /dev/ada0p3.eli
> >> >> without success.
> >> >>
> >> >> Tried the following two /boot/loader.config variations:
> >> >> 1:
> >> >> geom_eli_load="YES"
> >> >> vfs.root.mountfrom=”ufs:/dev/gpt/enc.eli”
> >> >> 2:
> >> >> geom_eli_load="YES"
> >> >> vfs.root.mountfrom=”ufs:/dev/ada0p3.eli”
> >> >>
> >> >> I can geli attach /dev/gpt/enc or /dev/ada0p3 successfully from
> >> >> the livecd.
> >> >>
> >> >> Can you advise me what I might have done wrong or what I
> >> >> should try?
> >> >>
> >> >> https://www.dan.me.uk/blog/2012/05/05/full-disk-encryption-in-freebsd-9-x-well-almost/
> >> >
> >> > This guide doesn't seem to match your configuration.
> >> > It uses ada0p3.eli for swapping and additionally uses keyfiles.
> >> >
> >> > Without knowing your actual configuration it's impossible to
> >> > give proper advice. You could check with "geli list ada0p3" if
> >> > the boot flag is set, but that's obviously just a wild guess ...
> >>
> >> Forgot to list my simpler setup:
> >> ada0p1 freebsd-boot
> >> ada0p2 freebsd-ufs label boot /boot
> >> ada0p3 geli freebsd-ufs label enc /
> >>
> >> Do I have to set the boot flag for any of them?
> >
> > The geli passphrase is only requested at boot time for providers that
> > have the geli boot flag set (for details see geli(8)). If it isn't set
> > on ada0p3 it would explain the described behaviour.
> 
> Fabian thanks a lot. Maybe I forgot -b during geli init but a
> geli configure -b /dev/ada0p3.eli fixed it. FreeBSD is so
> well structured and logical in this regard and hopefully
> in many others as I heard.
> 
> In vfs.root.mountfrom only ”ufs:/dev/ada0p3.eli” works and
> the /dev/gpt/enc.eli doesn't. Is it supposed to?

"doesn't" isn't a particularly helpful problem description.

Probably geli tastes ada0p3 before gpt/enc and once ada0p3
has been attached gpt/enc is hidden and thus can't be attached
anymore.

gpt labels aren't intentionally designed not to work with
geli, but tasting races at boot time are a known limitation
and also affect other geom classes.

As a workaround you could use glabel labels instead.

I use them for external disks to be able to geli attach them
automatically using a known name, but for internal disks whose
names don't frequently change I usually don't bother.

Fabian
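
The check discussed in this thread (whether the provider named in vfs.root.mountfrom has the geli boot flag), as an added example that is not part of the original messages. The loader.conf text and the `geli list` excerpts are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: offline check that the root provider named in loader.conf
# has the geli BOOT flag. All sample text below is constructed.

SAMPLE_LOADER_CONF='geom_eli_load="YES"
vfs.root.mountfrom="ufs:/dev/ada0p3.eli"'

# Constructed `geli list` excerpts (only the fields the check reads).
SAMPLE_GELI_NOBOOT='Geom name: ada0p3.eli
State: ACTIVE
Flags: NONE'
SAMPLE_GELI_BOOT='Geom name: ada0p3.eli
State: ACTIVE
Flags: BOOT'

# Print the device path after /dev/ from the last vfs.root.mountfrom line.
root_provider() {
    printf '%s\n' "$1" |
        sed -n 's|^vfs\.root\.mountfrom="[a-z0-9]*:/dev/\(.*\)"$|\1|p' |
        tail -n 1
}

# Print the Flags value of geom $2 from `geli list` text $1.
geli_flags() {
    printf '%s\n' "$1" | awk -v g="$2" '
        /^Geom name: / { cur = substr($0, 12) }
        /^Flags: / && cur == g { print substr($0, 8); exit }'
}

# 0: BOOT set; 1: BOOT missing or geom not listed; 2: no mountfrom entry.
check_root_boot_flag() {
    prov=$(root_provider "$1")
    [ -n "$prov" ] || { echo "no vfs.root.mountfrom entry"; return 2; }
    flags=$(geli_flags "$2" "$prov")
    case ", $flags," in
        *", BOOT,"*) echo "$prov: BOOT flag set"; return 0 ;;
        *) echo "$prov: BOOT flag not set (flags: ${flags:-not listed})"; return 1 ;;
    esac
}

check_root_boot_flag "$SAMPLE_LOADER_CONF" "$SAMPLE_GELI_NOBOOT" || true
check_root_boot_flag "$SAMPLE_LOADER_CONF" "$SAMPLE_GELI_BOOT"
```

On a real system the two arguments would be "$(cat /boot/loader.conf)" and "$(geli list)", the latter taken while the provider is attached, for example from the live CD.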