Solved GELI - wrong key for disk

Deleted member 70846
Hello,

I've set up a ZFS pool, with each partition in it (da0p1 through da3p1) being encrypted with GELI.
(I know ZFS has its own thing for encryption, but for an unrelated reason I won't use that for this pool.)
When I try to attach the disks at startup by including the following in rc.conf...
Code:
zfs_enable="YES"

geli_devices="da0p1 da1p1 da2p1 da3p1"

geli_da0p1_keyfile_load="YES"
geli_da0p1_keyfile_type="da0p1:geli_keyfile"
geli_da0p1_keyfile_name="/root/geli/da0p1.key"

geli_da1p1_keyfile_load="YES"
geli_da1p1_keyfile_type="da1p1:geli_keyfile"
geli_da1p1_keyfile_name="/root/geli/da1p1.key"

geli_da2p1_keyfile_load="YES"
geli_da2p1_keyfile_type="da2p1:geli_keyfile"
geli_da2p1_keyfile_name="/root/geli/da2p1.key"

geli_da3p1_keyfile_load="YES"
geli_da3p1_keyfile_type="da3p1:geli_keyfile"
geli_da3p1_keyfile_name="/root/geli/da3p1.key"

... It prompts me with the following at startup:
Code:
Configuring Disk Encryption for da0p1.
Enter passphrase:
geli: Wrong key for da0p1.

Despite entering the correct passphrase. Note that I'm able to run something like geli attach -k /root/geli/da0p1.key /dev/da0p1 just fine, and it's instantly added to the pool. It's only when I try and attach it at startup that it's using the "wrong" key, so it must be something wrong with what I've put in rc.conf .

I've also seen some solutions on this forum using a numbered keyfile (e.g. geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"), but no matter what number I'd use for that, it throws the same error.

Here's the output of uname -a :
Code:
FreeBSD $HOST 12.3-RELEASE FreeBSD 12.3-RELEASE r371126 GENERIC  amd64
 
Could that be a keymap issue? What keymap do you use?
 
The examples in the man page don't reuse the same keyfile type name, so I think you are thinking in the right direction:

Code:
geli_da0_keyfile0_load="YES"
geli_da0_keyfile0_type="da0:geli_keyfile0"
geli_da0_keyfile0_name="/boot/keys/da0.key0"
geli_da0_keyfile1_load="YES"
geli_da0_keyfile1_type="da0:geli_keyfile1"
geli_da0_keyfile1_name="/boot/keys/da0.key1"
geli_da0_keyfile2_load="YES"
geli_da0_keyfile2_type="da0:geli_keyfile2"
geli_da0_keyfile2_name="/boot/keys/da0.key2"

i.e. maybe because you've got geli_keyfile used 3 times it won't work?
 
My point is that you need the same keymap loaded when you deal with the passwords. Setting these words with a Greek keyboard layout and then typing them with a Gaelic one, to be extreme here, will almost certainly end up with wrong passphrases.
 
There are two ways to attach the geli(8) providers containing the ZFS pool during the boot process by keyfile automatically provided by the system:

1. From /boot/loader.conf, as described in the manual, before the root filesystem is mounted:
Code:
/boot/loader.conf:

           geli_da0_keyfile0_load="YES"
           geli_da0_keyfile0_type="da0:geli_keyfile0"
           geli_da0_keyfile0_name="/boot/keys/da0.key0"
           geli_da0_keyfile1_load="YES"
           geli_da0_keyfile1_type="da0:geli_keyfile1"
           geli_da0_keyfile1_name="/boot/keys/da0.key1"
           geli_da0_keyfile2_load="YES"
           geli_da0_keyfile2_type="da0:geli_keyfile2"
           geli_da0_keyfile2_name="/boot/keys/da0.key2"

2. After the root file system is mounted, from /etc/rc.conf, as described in /etc/defaults/rc.conf:
Code:
# GELI disk encryption configuration.
geli_devices=""         # List of devices to automatically attach in addition to
                        # GELI devices listed in /etc/fstab.
geli_groups=""          # List of groups containing devices to automatically
                        # attach with the same keyfiles and passphrase
geli_tries=""           # Number of times to attempt attaching geli device.
                        # If empty, kern.geom.eli.tries will be used.
geli_default_flags=""   # Default flags for geli(8).
geli_autodetach="YES"   # Automatically detach on last close.
                        # Providers are marked as such when all file systems are
                        # mounted.
# Example use.
#geli_devices="da1 mirror/home"
#geli_da1_flags="-p -k /etc/geli/da1.keys"
#geli_da1_autodetach="NO"
#geli_mirror_home_flags="-k /etc/geli/home.keys"
#geli_groups="storage backup"
#geli_storage_flags="-k /etc/geli/storage.keys"
#geli_storage_devices="ada0 ada1"
#geli_backup_flags="-j /etc/geli/backup.passfile -k /etc/geli/backup.keys"
#geli_backup_devices="ada2 ada3"

... It prompts me with the following at startup:
Code:
Configuring Disk Encryption for da0p1.
Enter passphrase:
geli: Wrong key for da0p1.

Despite entering the correct passphrase. Note that I'm able to run something like geli attach -k /root/geli/da0p1.key /dev/da0p1 just fine, and it's instantly added to the pool. It's only when I try and attach it at startup that it's using the "wrong" key, so it must be something wrong with what I've put in rc.conf .
As covacat already mentioned, the keyfile_{load,type,name} variables belong in /boot/loader.conf; they have no effect in /etc/rc.conf.

I would use the /etc/rc.conf configuration. It's easier to configure. I assume the ZFS pool's providers are attached by keyfile and passphrase:
Code:
geli_devices="da0p1 da1p1 da2p1 da3p1"
geli_da0p1_flags="-k /root/geli/da0p1.key"
geli_da1p1_flags="-k /root/geli/da1p1.key"
etc

Also, backup the keyfiles and metadata of the providers on different external devices (i.e. quality USB sticks).
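The distinction T-Daemon draws above (geli_<prov>_flags is what rc.d/geli reads at boot, while the geli_<prov>_keyfileN_{load,type,name} variables are loader settings that /etc/rc.conf silently ignores) is easy to get wrong and, as the first post shows, the only symptom is "Wrong key". The following POSIX sh lint is an added example, not part of the thread or of FreeBSD; it checks the GELI section of an rc.conf for exactly that mistake. The sample rc.conf it writes is constructed here and mirrors the broken configuration from the first post plus one correct entry; the helper names (rc_get, check_geli_rcconf, geli_problem_count) are this example's own. Providers containing "/" are mapped to "_" in variable names, following the geli_mirror_home_flags example in /etc/defaults/rc.conf.

```shell
#!/bin/sh
# Added example: lint the GELI section of an rc.conf file.
# For every provider in geli_devices it reports
#   MISSING  - no geli_<prov>_flags, so rc.d/geli runs "geli attach" without -k
#              and a passphrase alone cannot unlock a keyfile-protected provider
#   IGNORED  - geli_<prov>_keyfile*_ variables present; these are /boot/loader.conf
#              settings and rc.d/geli does not read them
# and for every group in geli_groups it checks geli_<grp>_devices and geli_<grp>_flags.

# Constructed sample (not a real system file): the first post's config plus
# one correctly configured provider and one half-configured group.
SAMPLE_RCCONF=$(mktemp)
trap 'rm -f "$SAMPLE_RCCONF"' EXIT
cat > "$SAMPLE_RCCONF" <<'EOF'
zfs_enable="YES"
geli_devices="da0p1 da1p1 mirror/home"
geli_da0p1_keyfile_load="YES"
geli_da0p1_keyfile_type="da0p1:geli_keyfile"
geli_da0p1_keyfile_name="/root/geli/da0p1.key"
geli_da1p1_flags="-k /etc/geli/da1p1.key"
geli_mirror_home_flags="-k /etc/geli/home.key"
geli_groups="storage"
geli_storage_devices="ada0 ada1"
EOF

# rc_get FILE VAR: print the (last) value assigned to VAR, quotes stripped.
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check_geli_rcconf FILE: print one finding per line; return 1 if any were found.
check_geli_rcconf() {
    file=$1
    problems=0
    for dev in $(rc_get "$file" geli_devices); do
        var=$(printf '%s' "$dev" | tr '/' '_')          # mirror/home -> mirror_home
        if [ -z "$(rc_get "$file" "geli_${var}_flags")" ]; then
            echo "MISSING: $dev has no geli_${var}_flags (attach will run without -k)"
            problems=$((problems + 1))
        fi
        if grep -q "^[[:space:]]*geli_${var}_keyfile[0-9]*_" "$file"; then
            echo "IGNORED: geli_${var}_keyfile*_ variables belong in /boot/loader.conf, rc.d/geli does not read them"
            problems=$((problems + 1))
        fi
    done
    for grp in $(rc_get "$file" geli_groups); do
        gvar=$(printf '%s' "$grp" | tr '/' '_')
        if [ -z "$(rc_get "$file" "geli_${gvar}_devices")" ]; then
            echo "MISSING: group $grp has no geli_${gvar}_devices"
            problems=$((problems + 1))
        fi
        if [ -z "$(rc_get "$file" "geli_${gvar}_flags")" ]; then
            echo "MISSING: group $grp has no geli_${gvar}_flags"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# geli_problem_count FILE: number of findings, for scripting.
geli_problem_count() {
    check_geli_rcconf "$1" | grep -c -E '^(MISSING|IGNORED):'
}

if check_geli_rcconf "$SAMPLE_RCCONF"; then
    echo "GELI section looks consistent"
else
    echo "$(geli_problem_count "$SAMPLE_RCCONF") problem(s); fix them before relying on attach-at-boot"
fi
```

Run against a real /etc/rc.conf by passing its path to check_geli_rcconf instead of the constructed sample; a clean configuration like the one the thread ends with (geli_devices plus one geli_<prov>_flags="-k ..." per provider) produces no findings.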
 
My point is that you need the same keymap loaded when you deal with the passwords. Setting these words with a Greek keyboard layout and then typing them with a Gaelic one, to be extreme here, will almost certainly end up with wrong passphrases.
As far as I can tell, the correct keymap is loaded. I've seen other solutions for this problem involving troubleshooting the keymap, though, so I double-checked to be sure.
 
[...]

I would use the /etc/rc.conf configuration. It's easier to configure. I assume the ZFS pool's providers are attached by keyfile and passphrase:
Code:
geli_devices="da0p1 da1p1 da2p1 da3p1"
geli_da0p1_flags="-k /root/geli/da0p1.key"
geli_da1p1_flags="-k /root/geli/da1p1.key"
etc

Also, backup the keyfiles and metadata of the providers on different external devices (i.e. quality USB sticks).
Using geli_<disk>_flags in my rc.conf fixed it! Here's the current arrangement:

Code:
geli_devices="da0p1 da1p1 da2p1 da3p1"
geli_da0p1_flags="-k /etc/geli/da0p1.key"
geli_da1p1_flags="-k /etc/geli/da1p1.key"
geli_da2p1_flags="-k /etc/geli/da2p1.key"
geli_da3p1_flags="-k /etc/geli/da3p1.key"

Problem solved! I am now able to attach the disks at startup. Thanks, everyone!
 