GELI without passphrase on ZFS root
    John-Mark Gurney 
    jmg at funkthat.com
    Fri Oct 26 01:06:39 UTC 2018
Michael .. wrote this message on Thu, Oct 25, 2018 at 12:25 +0200:
> Has anyone been able to achieve this?
>  
> I installed FreeBSD 11.2 using AutoZFS option with encryption turned on.  Passphrase is specified as part of install.
>  
> I want to switch to only a keyfile and no passphrase:
>  
> geli setkey -K /boot/encryption.key -P /dev/xyz
If this is on your ZFS root that is encrypted w/ the key file, how do
you expect to be able to boot the system when the keyfile you need to
decrypt is encrypted?
> This completes, but I'm still prompted for passphrase on boot.  Nothing appears accepted by the prompt (as the userkey is using only keyfile now?)
>  
> Setting geom_eli_passphrase_prompt="NO" doesn't help.
Well, the default boot I believe can only handle passphrase.
You can look at these instructions on booting from a USB drive which can
contain the key file:
https://forums.freebsd.org/threads/zfs-boot-from-usb.45880/
I don't think zfsboot (which is needed for ZFS root booting) can handle
key files, because it needs to get the key file from somewhere, and it
is a very small binary, and so does not have the space to load it from
other drives...
-- 
  John-Mark Gurney				Voice: +1 415 225 5579
     "All that I will do, has been done, All that I have, has not."