Failed to authenticate error... during geli attach

I have been testing my setup on Oracle VirtualBox, Virtual Machine Manager, and VMware with EFI turned on. I continued the FreeBSD setup up to the Partitioning step, then selected Shell and entered the following:
Code:
# sysctl kern.disks
# gpart destroy -F ada0

# gpart create -s gpt ada0

# gpart add -t efi -s 512M ada0
# gpart add -t freebsd-swap -s 4G ada0
# gpart add -t freebsd-zfs ada0

# geli init -g -a "HMAC/SHA256" -e "AES-XTS" -l 256 -s 4k ada0p3
# geli attach ada0p3

I am getting the following errors:
[Screenshot from 2023-10-16 18-16-15.png]

Could anyone please tell me what I am doing wrong? As always, any help would be highly appreciated. Thank you.
 
Excuse me for posting to the old thread. I just found this post among hundreds of open tabs in my browser :)
Will try to reply just for history.

When you have configured -a "HMAC/SHA256", geli will verify checksums for every block when reading data, but the data and checksums are not consistent because you have not written any data to the encrypted partition yet, so geli will try to use the 'garbage data' on the disk as data and as checksums for that data.
It is a good idea to rewrite the whole encrypted partition before creating the filesystem when using the "-a" option.

See manual:
geli(8)
Code:
     Not only configure encryption, but also data integrity verification using HMAC/SHA256.
           # geli init -a hmac/sha256 -s 4096 /dev/da0
           Enter new passphrase:
           Reenter new passphrase:
           # geli attach /dev/da0
           Enter passphrase:
           # dd if=/dev/random of=/dev/da0.eli bs=1m
           # newfs /dev/da0.eli
           # mount /dev/da0.eli /mnt/secret
The command "dd if=/dev/random of=/dev/da0.eli bs=1m" will overwrite the encrypted partition with random data and create checksums for all blocks of data. It is possible to use if=/dev/zero to speed up the process.

Also, if you would like to encrypt the whole partition, it may be a good idea to use a partition type other than "freebsd-zfs", and you need to create a filesystem (zfs or ufs) on the attached encrypted partition (ada0p3.eli).
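
The behaviour described in the reply above can be reproduced with a small model. This is an added example, not code from the thread or from geli: it is a simplified per-sector HMAC store (the class name, the sector count and the tag layout are assumptions, not geli's on-disk format) showing that never-written sectors fail authentication until every sector has been written once through the authenticated layer.

```python
import hashlib
import hmac
import os

SECTOR = 4096   # same sector size as "-s 4k" in the thread
TAG = 32        # length of an HMAC-SHA256 tag


class AuthenticatedDisk:
    """Toy model: each sector is stored as payload || HMAC(key, index || payload)."""

    def __init__(self, sectors, key):
        self.key = key
        # A freshly initialised provider still holds whatever bytes were on
        # the disk before; modelled here as random data (constructed input).
        self.raw = [os.urandom(SECTOR + TAG) for _ in range(sectors)]

    def _tag(self, index, payload):
        msg = index.to_bytes(8, "little") + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, index, payload):
        if len(payload) != SECTOR:
            raise ValueError("payload must be exactly one sector")
        self.raw[index] = payload + self._tag(index, payload)

    def read(self, index):
        payload, tag = self.raw[index][:SECTOR], self.raw[index][SECTOR:]
        if not hmac.compare_digest(tag, self._tag(index, payload)):
            raise OSError(f"sector {index}: failed to authenticate")
        return payload

    def failing_sectors(self):
        bad = []
        for i in range(len(self.raw)):
            try:
                self.read(i)
            except OSError:
                bad.append(i)
        return bad


def demo(sectors=8):
    disk = AuthenticatedDisk(sectors, os.urandom(32))
    before = disk.failing_sectors()          # nothing written yet
    for i in range(sectors):                 # the "dd if=/dev/zero" step
        disk.write(i, bytes(SECTOR))
    after = disk.failing_sectors()
    damaged = bytearray(disk.raw[3])         # flip one bit behind the layer's back
    damaged[0] ^= 1
    disk.raw[3] = bytes(damaged)
    return before, after, disk.failing_sectors()
```

In the model the key is correct the whole time; the failures before the overwrite come only from tags that were never computed, and a later change to the stored bytes is reported for that one sector.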
 