Alaksiej,

You are correct.

I originally tried to configure this on an installation of pfSense (using UEFI+GPT). The default AutoZFS installer with encryption for this does appear to create an unencrypted /boot/ with an encryption.key keyfile used along with the passphrase. I tried to set the userkey using just the keyfile to remove the use of the passphrase. I can reset a userkey using both passphrase and keyfile (located in /boot) and the system will boot successfully. I think this proves /boot is accessible unencrypted for reading the keyfile.

loader.conf is (by default):

    geli_ada0p4_keyfile0_load="YES"
    geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
    geli_ada0p4_keyfile0_name="/boot/encryption.key"
    aesni_load="YES"
    geom_eli_load="YES"
    kern.cam.boot_delay=10000
    kern.ipc.nmbclusters="1000000"
    kern.ipc.nmbjumbop="524288"
    kern.ipc.nmbjumbo9="524288"
    vfs.root.mountfrom="zfs:zroot/ROOT/default"
    kern.geom.label.disk_ident.enable="0"
    kern.geom.label.gptid.enable="0"
    zpool_cache_load="YES"
    zpool_cache_type="/boot/zfs/zpool.cache"
    zpool_cache_name="/boot/zfs/zpool.cache"
    geom_eli_passphrase_prompt="YES"
    zfs_load="YES"
    autoboot_delay="3"
    hw.usb.no_pf="1"

Using `geli configure -B /dev/ada0p4` as you suggested results in:

    Mounting from zfs:zroot/ROOT/default failed with error 2
    Loader variables:
    vfs.root.mountfrom=zfs:zroot/ROOT/default

When I couldn't get it working, I switched to a virtual machine running straight FreeBSD 11.2 (albeit BIOS+GPT). I realised this evening that the default disk partitioning is not the same - and a keyfile is not used by default when selecting encryption under the AutoZFS installer option - just a passphrase. I guess the installer is customised for pfSense.

Regards,
Michael.

_______________________________________________
freebsd-geom@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-geom
To unsubscribe, send any mail to "freebsd-geom-unsubscr...@freebsd.org"
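The point Michael makes above (the keyfile lives on an unencrypted /boot, so it only adds protection while a passphrase is still required) can be checked mechanically. The script below is an added example, not code from the thread: it parses the geli_*_keyfile*_name and geom_eli_passphrase_prompt entries of a loader.conf and reports whether boot-time key material is two-factor, keyfile-only on /boot, or absent. The sample loader.conf lines are constructed from the configuration quoted in the message.

```sh
#!/bin/sh
# Added example (not from the thread): audit a FreeBSD loader.conf for GELI
# keyfiles that sit on the unencrypted /boot partition. A keyfile there is
# readable by anyone holding the disk, so it only adds protection when a
# passphrase (geom_eli_passphrase_prompt="YES") is still required as well.

# List "provider keyfile-path" for every geli_<prov>_keyfile<N>_name entry.
# Accepts a file name, or "-" for stdin.
geli_keyfiles() {
    awk -F'"' '/^geli_[A-Za-z0-9]+_keyfile[0-9]+_name=/ {
        split($1, f, "_"); print f[2], $2
    }' "${1:--}"
}

# Classify the boot-time key material in one pass. Prints one of:
#   no-keyfile                     passphrase-only or no GELI entries
#   keyfile-plus-passphrase        two factors (the pfSense default in the thread)
#   keyfile-on-boot-no-passphrase  key recoverable from the plaintext /boot partition
#   keyfile-only                   keyfile elsewhere (e.g. removable media), no passphrase
audit_geli_keyfiles() {
    awk -F'"' '
        /^geli_[A-Za-z0-9]+_keyfile[0-9]+_name=/ { total++; if ($2 ~ /^\/boot\//) onboot++ }
        /^geom_eli_passphrase_prompt="YES"/      { prompt = 1 }
        END {
            if (total == 0)      print "no-keyfile"
            else if (prompt)     print "keyfile-plus-passphrase"
            else if (onboot > 0) print "keyfile-on-boot-no-passphrase"
            else                 print "keyfile-only"
        }' "${1:--}"
}

# Constructed sample: the keyfile-related lines of the pfSense loader.conf quoted above.
sample_pfsense_conf() {
    cat <<'EOF'
geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key"
aesni_load="YES"
geom_eli_load="YES"
geom_eli_passphrase_prompt="YES"
EOF
}

# Same config with the passphrase prompt removed, i.e. what keyfile-only boot would look like.
sample_keyfile_only_conf() {
    sample_pfsense_conf | grep -v '^geom_eli_passphrase_prompt='
}

echo "keyfiles:     $(sample_pfsense_conf | geli_keyfiles -)"
echo "pfSense:      $(sample_pfsense_conf | audit_geli_keyfiles -)"
echo "keyfile-only: $(sample_keyfile_only_conf | audit_geli_keyfiles -)"
```

Run it against a real /boot/loader.conf with `audit_geli_keyfiles /boot/loader.conf`; a result of keyfile-on-boot-no-passphrase means the disk's confidentiality rests on nothing the attacker does not already hold.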