Geli password over network strategies

Karl Denninger karl at
Mon Nov 25 15:15:52 UTC 2019

On 11/25/2019 08:45, Paul Florence via freebsd-questions wrote:
> Hello everyone,
> I am currently running a home-made server with 12.0-RELEASE-p10 using
> full disk geli encryption. When I boot the server, I first have to
> type a password to decrypt the whole system.
> However, my ISP is having some power issues and in the last few weeks
> I had to go there quite a few times to type a passphrase.
> I would like now to be able to enter my passphrase over the network.
> Would the following boot process be possible ?
> 1. First boot from an unencrypted kernel from a USB stick.
> 2. Then start an SSH server.
> 3. Input my passphrase over an ssh terminal.
> 4. Use the provided passphrase as the geli secret to boot the OS from
> the disk
> If no, has anyone had to deal with this kind of problem ? If so, what
> kind of strategy did you decide to use ?
Yep.  My infrastructure is UPS backed but UPS batteries run out and then
things shut down.  When power comes back, well, I'd like to be able to
enter that password with REASONABLE security.

Here's my strategy for dealing with it.

Front-end the server with something that is a dedicated firewall and
WILL reboot on power fail and come back to multi-user, normal mode (I
use a pcEngines box that boots off SD and runs with root mounted
read-only; there is thus essentially zero risk of said box not coming
all the way back up unattended.)  It runs StrongSwan.

Now from "wherever" I can either ssh or VPN into that after a power
failure.  The main box is, at this point, sitting at a console prompt
asking for a GELI password as the loader requires it to unlock the root
ZFS pool.

I now have choices; I could have the big box set up to go to a serial
console and have the serial port plugged in but instead my usual choice
is to instead use the existing "big box's" IPKVM feature which I can
access via two means -- either over the VPN (since my laptop now appears
to be on the local LAN which has the IPKVM port on it) or I can sign
into the gateway and use "ssh" to set up a temporary tunnel to the
https: port on the IPKVM interface thereby allowing me to directly do a
"https://gateway-ip-address:whateverport" and sign into the IPKVM that
way, then use its functionality to get direct console access.  Either
way the session is encrypted so the password cannot be picked off.

Karl Denninger
karl at <mailto:karl at>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4897 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the freebsd-questions mailing list