geli setkey n 1 anomaly :: or am I missing something
Fabian Keil
freebsd-listen at fabiankeil.de
Tue Sep 27 14:28:27 UTC 2016
Shamim Shahriar <shamim.shahriar at gmail.com> wrote:
> Good afternoon all, I am having some difficulty with geli. I am trying to
> set up an encrypted provider for my users, using the setkey feature, but it
> is not working.
>
> system: FreeBSD 11-RC3
>
> from the man page
> Create an encrypted provider, but use two User Keys: one for your
> employee and one for you as the company's security officer (so it is not
> a tragedy if the employee "accidentally" forgets his passphrase):
>
> # geli init /dev/da2
> Enter new passphrase: (enter security officer's passphrase)
> Reenter new passphrase:
> # geli setkey -n 1 /dev/da2
> Enter passphrase: (enter security officer's passphrase)
> Enter new passphrase: (let your employee enter his passphrase ...)
> Reenter new passphrase: (... twice)
>
> Following this path, I have encrypted a provider, ada0p4
>
> # geli init -e aes-xts -l 256 -K geli.key /dev/ada0p4
>
> Enter new passphrase: # I enter my passphrase
> Reenter new passphrase: # I re-enter my passphrase
>
> all is good.
>
> Now, I am trying to set up the passphrase for the colleague
> # geli setkey n 1 -k geli.key /dev/ada0p4
> Enter passphrase: # entered my passphrase
> Enter new passphrase: # entered colleague's passphrase
> Reenter new passphrase: # re-entered colleague's passphrase

You probably meant to add "-K geli.key" to also
use a keyfile for the second slot.

> As I try to attach using colleague's passphrase, I get a Wrong key error.
> My key works fine.
>
> # geli attach -k geli.key /dev/ada0p4
> Enter passphrase: # I put colleague's passphrase
> Wrong key

This is expected as no keyfile has been configured
for the second slot.

Fabian
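
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not geli's code: a simplified model of key slots in which each slot opens only with the same keyfile and passphrase components that were supplied when it was set. The names Provider and user_key and the SHA-512, PBKDF2 and XOR wrapping are assumptions chosen for illustration.

```python
import hashlib, hmac, os

def user_key(passphrase, keyfile, salt):
    """Mix the optional keyfile component with the passphrase-derived component."""
    h = hashlib.sha512()
    h.update(b"" if keyfile is None else keyfile)
    h.update(hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, 1000))
    return h.digest()

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha512).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Provider:
    def __init__(self, passphrase, keyfile=None):   # models "geli init [-K keyfile]"
        self.salt, self.slots = os.urandom(64), [None, None]
        self._store(0, os.urandom(64), passphrase, keyfile)

    def _store(self, n, master, passphrase, keyfile):
        # A slot holds the wrapped master key plus a tag used to verify unwrapping.
        ukey = user_key(passphrase, keyfile, self.salt)
        self.slots[n] = (_xor(master, _mac(ukey, b"wrap")), _mac(ukey, master))

    def _open(self, passphrase, keyfile):
        ukey = user_key(passphrase, keyfile, self.salt)
        for n, slot in enumerate(self.slots):
            if slot is not None:
                master = _xor(slot[0], _mac(ukey, b"wrap"))
                if hmac.compare_digest(slot[1], _mac(ukey, master)):
                    return n, master
        return None, None                            # models "Wrong key"

    def attach(self, passphrase, keyfile=None):      # models "geli attach [-k keyfile]"
        return self._open(passphrase, keyfile)[0]

    def setkey(self, n, old_pass, new_pass, old_keyfile=None, new_keyfile=None):
        _, master = self._open(old_pass, old_keyfile)    # -k: components of the current key
        if master is None:
            raise ValueError("Wrong key")
        self._store(n, master, new_pass, new_keyfile)    # -K: keyfile for the new key

def demo():
    keyfile = os.urandom(32)                         # constructed stand-in for geli.key
    p = Provider("officer", keyfile)
    p.setkey(1, "officer", "colleague", old_keyfile=keyfile)   # -k only, as in the thread
    broken = (p.attach("colleague", keyfile), p.attach("colleague"))
    p.setkey(1, "officer", "colleague", old_keyfile=keyfile, new_keyfile=keyfile)
    fixed = (p.attach("colleague", keyfile), p.attach("officer", keyfile))
    return broken, fixed
```

In this model the slot set with only -k rejects the colleague's passphrase when the keyfile is supplied and accepts it without the keyfile; after repeating setkey with the keyfile also given as -K, both passphrases attach with the keyfile.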