root mount failure in freebsd 9.2 encrypted disk!

John-Mark Gurney jmg at funkthat.com
Sat Nov 23 08:12:25 UTC 2013


h bagade wrote this message on Sat, Nov 23, 2013 at 09:14 +0330:
> On Thu, Nov 21, 2013 at 11:36 PM, John-Mark Gurney <jmg at funkthat.com> wrote:
> 
> > h bagade wrote this message on Thu, Nov 21, 2013 at 12:24 +0330:
> > > On Thu, Nov 21, 2013 at 11:37 AM, John-Mark Gurney <jmg at funkthat.com> wrote:
> > >
> > > > h bagade wrote this message on Thu, Nov 21, 2013 at 11:16 +0330:
> > > > > I've tried to encrypt my disk in freebsd 9.2 based on the following guide:
> > > > > http://cgarcia.org/posts/FreeBSD-FDE-Install.html
> > > > >
> > > > > but it failed to mount root and encountered the following error:
> > > > > mounting from ufs /dev/ada0p3.eli failed with error 19
> > > > >
> > > > > I have tried so many ways but all ends in above error. I have done the same
> > > > > process in freebsd 8.2 without any problem and I don't know why the error
> > > > > occurs in freebsd 9.2?!
> > > > >
> > > > > Does anyone have any idea about this or how I can fix it?
> > > >
> > > > Did you see the ask for the passphrase on boot option for the
> > > > partition?  It's the -b option, and you can fix that w/:
> > > > geli configure -b /dev/ada0p3.eli
> > > >
> > >
> > > Thank you so much, my problem is solved by this command.
> > >
> > > >
> > > > The guide you referenced does use the -b in the geli init command...
> > > >
> > >
> > > So -b option on init command doesn't work?!! it was fine with freebsd 8.2!
> >
> > I'd be surprised if it doesn't.  Are you sure you didn't accidentally
> > not include the -b on init?  I'm pretty sure it worked when I setup my
> > 9.1-PR box, and not much has changed w/ geli...  I'm pretty sure I
> > didn't know about configure till I looked it up for you...
> >
> > Glad it's working though!
> 
> May be problem is somewhere else! The configure command works for the
> mentioned guide; but I still have problems with my own way and it doesn't
> ask for passphrase when it boots! :( I have checked flags and BOOT flag is
> set. Differences between working encrypted disk and non-working based on
> "geli list" are:
> 1- RW-DETACH flag is set for the working one which is not in non-working
> 2- Mode option in providers part is r1w1e1 for working one and r0w0e0 for
> non-working

I don't see how they would affect it...  Also, the last one just means
that you have the working one mounted (probably as your root) and the
non-working one not mounted...

So is the non-working disk not mounting? or is it not even asking for
a passphrase to unlock the disk?  If you could get a log, or even a
photo of the failed boot, that would be helpful...

> Also, you mentioned the poor performance of geli in freebsd 9.2. I want to
> know if it affects only on boot or entire accesses to disk is influenced?!
> In other words, is disk decryption done on start-up once and disk will
> remain unencrypted till the end or encryption/decryption is done on each
> disk access?

The poor performance is if you are using AES-NI w/ 9.2.

The decryption at start up only decrypts the master key, and data on the
disk remains encrypted, and all reads/writes are decrypted/encrypted as
the operation is performed...

To use the AES-NI instructions you must have the aesni modules loaded...
If your cpu supports it, the AES flag will show up in Features2 of the
cpu information line in dmesg...  To use the aesni module for the
root file system, it must be either compiled into your kernel, or loaded
by the boot loader...  There is no support for switching encryption
providers once a geli provider has been attached...

> And the last question, is performance decrease in compare with older
> freebsd versions or there is a serious issue?

No, the performance is the same for all versions including and prior to
9.2-R...  The changes I made to improve the performance when using
AES-NI were made after 9.2-R was released...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

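Added example, not part of the original message or of FreeBSD: the checks discussed in this thread (BOOT flag on the provider, AES-NI reported by the CPU, aesni available at boot) written as shell functions that read saved command output. The function names are hypothetical, and the field layout assumed for "geli list" ("Flags:", "Crypto:"), the AESNI spelling in the dmesg Features2 line and the aesni_load loader.conf variable are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Each function reads text on
# stdin, so it works on live output or on a log saved from a failed boot.

# geli_has_flag FLAG: succeeds if the "Flags:" line of `geli list` output
# contains FLAG as a whole item (assumes a comma-separated list).
geli_has_flag() {
    awk -v want="$1" '
        /^Flags:/ {
            sub(/^Flags:[ \t]*/, "")
            n = split($0, f, /,[ \t]*/)
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# geli_crypto: prints the "Crypto:" value (assumed: software or hardware).
geli_crypto() {
    awk '/^Crypto:/ { print $2; exit }'
}

# cpu_has_aesni: succeeds if the dmesg Features2 line lists AESNI.
cpu_has_aesni() {
    grep 'Features2=' | grep -Eq '[<,]AESNI[,>]'
}

# loader_loads_aesni: succeeds if loader.conf has an active aesni_load="YES".
loader_loads_aesni() {
    grep -Eiq '^[[:space:]]*aesni_load[[:space:]]*=[[:space:]]*"?YES"?'
}

# diagnose GELI_LIST_FILE DMESG_FILE LOADER_CONF_FILE
# Prints one line per finding; prints nothing when all checks pass.
diagnose() {
    geli_has_flag BOOT < "$1" ||
        echo "no BOOT flag: no passphrase prompt at boot"
    if cpu_has_aesni < "$2"; then
        loader_loads_aesni < "$3" ||
            echo "CPU has AESNI but loader.conf does not load aesni (fine if compiled into the kernel)"
    fi
    [ "$(geli_crypto < "$1")" = hardware ] ||
        echo "provider is attached with software crypto"
}

# On the FreeBSD host: geli list > g; dmesg > d; diagnose g d /boot/loader.conf
```

Because the encryption provider cannot be switched after attach, a "software crypto" finding on the root provider means aesni has to be present before the root file system is attached, not loaded afterwards.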
