Changing geli-providers from passphrase to keyfile

[Christian Baer]

On Mon, 6 Mar 2006 12:30:00 +0100 Pawel Jakub Dawidek wrote:

> No, this is not possible and AFAIR we discussed it in the last already.

Actually, no we didn't. :-)

> I'm not planning to add gbde(8)'s -p/-P options, because they only
> create confusion - they were designed to be used for testing and now are
> used in eg. /etc/rc.d/encswap.

I didn't want that. :-)

Just to clarify this:

What I asked for in the mail was to let geli accept the passphrase from
the standard input, just as it accepts the keyfile. I know I messed up
completely while expressing this, sorry about that. What I was trying to
get was to make this:

echo "password" | geli -k - /dev/ad0

work with passphrases too, so I could pipe a passphrase to geli as I can
a keyfile (like above). geli ignores anything piped to it in this way
when it only expects a passphrase.

You told me in that Email you are refering to, that you didn't want to
implement that - and I am not complaining, please don't get me wrong
here.

I didn't know that geli would take passphrases piped to it when I
initialized the providers (I wrote the script when they were all
finished). I grabbed up your idea with the script:

  pass_da0=`echo "0${passphrase}0" | sha256`
  pass_da1=`echo "1${passphrase}1" | sha256`
  pass_da2=`echo "2${passphrase}2" | sha256`

  echo "${pass_da0}" | geli attach -k - da0
  echo "${pass_da1}" | geli attach -k - da1
  echo "${pass_da2}" | geli attach -k - da2

and found that it didn't work without the -k option. My mistake, I know.

What I am basicly asking now, is if there is some way for me to use
the -k option (like in your script about) while attaching the providers
without having to copy all the data off the drives and initilising the
providers from scratch.  Since were are taking about quite a lot of
drive space here, this could take pretty long.

Sorry for being unclear the first time around. I hope I did a better job
this time!

Regards
Christian