efs, geli, cd boot disk and a usb key.

Gary Newcombe gary at pattersonsoftware.com
Thu Aug 31 15:05:50 UTC 2006


Hello,
 
I have an older Toshiba Satellite (which doesn't boot from a USB key) on
which I am trying to set up an encrypted filesystem using geli. Following
the guides by Marc Schiesser and Adam Wood, I can get to a certain point,
but not as far as I'd like. I need to boot from the CD-ROM, mount a memory
disk partition from which I can mount the USB drive (and hence get access to
the keyfile), and then mount the encrypted partitions on the hard drive with
that keyfile.
 
In brief, on the hard drive, I have set up a geli ad0
 
geli init -b -s 4096 -l 256 -K /keyfile/ad0.key /dev/ad0
 
and created filesystem etc.
 
I know that it was originally not possible to set the -b flag on a partition
and also use a keyfile, but I read that this functionality was now available.
I am using a snapshot of 6.1-STABLE from the beginning of August 2006 to try
this out. Is this the case in STABLE or just CURRENT?
 
The USB drive contains /boot, /etc/fstab and /boot/mfsroot as the memory disk.
The memory disk has /etc/rc and /rescue. I added the directive to rc to
mount the USB drive on the memory disk so that the key would be available to
mount the encrypted root partition.
 
I know this is vague, but I essentially want to know if I'm barking up the
right tree. Is this possible? Is there any documentation for this that I'm
missing? I need to be able to keep the keyfile on the USB drive so that the
CD boot disk can be left in the laptop and the USB drive removed after boot.
 
I'm guessing that I won't get far with the -b flag and that I need to mount
root from the memory disk, mount encrypted root from the disk and continue
booting from the encrypted boot partition.
 
Any help would be much appreciated, as I have already spent way too long on this!
 
Gary
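The mount-USB, attach, release sequence described in the post, written out as the /etc/rc of the memory disk. This is an added illustration, not code from the post or from the Schiesser and Wood guides it cites. The USB device node (/dev/da0s1), its mount point inside mfsroot (/usbkey) and the mount point for the decrypted root (/mnt/root) are assumptions; the keyfile name and the /dev/ad0 provider come from the post. The hand-off from the memory disk to the decrypted root after this point is the part the post leaves open, so it is not shown.

```shell
#!/bin/sh
# /etc/rc for the mfsroot on the boot CD: fetch the geli keyfile from the USB
# key, attach the encrypted provider, then release the USB key so it can be
# pulled.  Added example; device node, mount points and keyfile layout below
# are assumptions, adjust them to your own setup.

USB_DEV=${USB_DEV:-/dev/da0s1}       # assumed: first slice of the USB key
USB_MNT=${USB_MNT:-/usbkey}          # assumed: mount point inside mfsroot
KEYFILE=${KEYFILE:-keyfile/ad0.key}  # from the post: -K /keyfile/ad0.key
ROOT_PROV=${ROOT_PROV:-/dev/ad0}     # from the post: geli init ... /dev/ad0
ROOT_MNT=${ROOT_MNT:-/mnt/root}      # assumed: where the decrypted root lands
DRY_RUN=${DRY_RUN:-0}                # 1 = print each command instead of running it

PATH=/rescue:/sbin:/bin:/usr/sbin:/usr/bin; export PATH

# run: execute a command, or just print it when DRY_RUN=1 (lets the
# sequence be checked without a real disk or USB key).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# wait_for_usb: the USB stack needs a moment after boot; poll for the node
# instead of failing the first mount attempt.
wait_for_usb() {
    n=0
    while [ ! -e "$USB_DEV" ]; do
        n=$((n + 1))
        [ "$n" -lt 30 ] || { echo "rc: $USB_DEV never appeared" >&2; return 1; }
        sleep 1
    done
}

# mount_usb: the key carrier is mounted read-only; nothing on it should change.
mount_usb() {
    run mkdir -p "$USB_MNT"
    run mount -t msdosfs -o ro "$USB_DEV" "$USB_MNT"
}

# attach_root: attach the provider with the keyfile read from the USB key.
# The post's geli init had no -P, so a passphrase is still required and geli
# attach will prompt for it on the console; had init used -P, attach would
# need -p to skip the passphrase component.
attach_root() {
    key="$USB_MNT/$KEYFILE"
    if [ "$DRY_RUN" != 1 ] && [ ! -r "$key" ]; then
        echo "rc: keyfile $key not found on USB key" >&2
        return 1
    fi
    run geli attach -k "$key" "$ROOT_PROV"
}

# detach_usb: the key is only needed for the attach; release the stick
# right after so it can be removed before the system is up.
detach_usb() {
    run umount "$USB_MNT"
}

# unlock_root: the whole sequence, ending with the decrypted provider mounted.
unlock_root() {
    [ "$DRY_RUN" = 1 ] || wait_for_usb
    mount_usb || return 1
    attach_root || { detach_usb; return 1; }
    detach_usb
    run mkdir -p "$ROOT_MNT"
    run mount "${ROOT_PROV}.eli" "$ROOT_MNT"
}

# init(8) runs this file as /etc/rc; when the file is sourced from anywhere
# else only the functions above are defined.
if [ "$0" = /etc/rc ]; then
    unlock_root || {
        echo "rc: could not unlock root, dropping to a shell" >&2
        exec /rescue/sh
    }
fi
```

With DRY_RUN=1 the script prints the exact command sequence (mount the key, geli attach, umount the key, mount the .eli provider), which is a cheap way to check the paths before burning a new mfsroot into the CD.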


More information about the freebsd-geom mailing list