Using GELI on boot disk with GPT labels?

Karl Denninger karl at denninger.net
Sun Jan 12 17:18:35 UTC 2020 

On 1/12/2020 10:30, Ben Lavery wrote:
> Hi all,
>
> I've recently bought my first home server and am planning to run
> FreeBSD 12.1-RELEASE on it.
>
> I would like to GELI encrypt (password based) all of the hard drives I
> put into the server so that if/when they fail I can safely and
> confidently dispose of them.
>
> When setting up the server, I followed a number of recommendations to
> use GPT labels for disks with a naming scheme that would allow me to
> easily identify where failed disks physically are in the server (there
> are 12 bays).
> However, when I booted up the server after installing on an installer
> configured zpool with GELI encryption, I noted that the disk IDs (e.g.
> da0p3) was being used, and this seemed to extend to disks in different
> (non-root) zpools.
>
> I decided to do an experiment in VirtualBox with FreeBSD 12.1-RELEASE:
>
> 1. To install FreeBSD on ZFS with GELI encryption
>    https://gist.github.com/forquare/b4e12938b1240238ef64e3d6ba5d9669
>
> 2. To install FreeBSD on ZFS without GELI
>    https://gist.github.com/forquare/8049282d742c94b67f08a81d828e8d13
>
> (Links above show commands + output/details of installation)
>
> I found that when I didn't use GELI I was able to use GPT labels,
> however when I _did_ use GELI GPT labels were not available to me.
>
> Is there a way to encrypt my boot pool _and_ use GPT labels?
> If not, I would be interested to learn why.
>
> Many thanks,
> Ben
>
The boot pool volumes typically come up as "/dev/da.....eli"; the other
pools, which you name in (for example)

geli_groups="system"
geli_system_devices="gpt/rust1-1 gpt/rust1-2 gpt/rust2-1 gpt/rust2-2
gpt/rust3-1 gpt/rust3-2"
geli_autodetach="YES"

do not, since those are named explicitly and looked for after the kernel
is loaded.

I presume this is a function of how gptzfsboot enumerates the disks and
finds the "boot" flag since that's where that happens and attaches them
under geli.  Not sure if you can get it to "dig inside a GPT disk" and
find the labels or not.

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4897 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20200112/d72785dd/attachment.bin>

More information about the freebsd-questions mailing list