# Encrypted root with geli (can't find encrypted slices)



## ioxer (Dec 17, 2009)

I'm having some issues after following the geli tutorial located here:
http://www.wanda25.de/geli.html

When booting, I'm able to enter the passphrase for the ad0s2 partition and geli appears to correctly do its thing and continues -- if I enter an incorrect passphrase, it immediately prompts me to try again. Almost immediately after entering the correct passphrase, the kernel tries to mount the encrypted root slice (ad0s2.elia) but is unable to do so and gives me a ROOT MOUNT ERROR and drops me to the mountroot prompt. Here's what it shows when listing the valid disk boot devices (pressing ?):

```
List of GEOM managed disk devices:
  acd0 ad0.eli ad0
Loader variables:
vfs.root.mountfrom=ufs:/dev/ad0s2.elia
vfs.root.mountfrom.options=rw
...
```

So it appears that something is going wrong and it's missing the encrypted slices from the encrypted partition (ad0s2). Searching around, I found this post from someone with a similar problem:
http://forums.freebsd.org/showthread.php?t=8440&highlight=encrypted+root

I followed jb_fvwm2's advice from that thread and added the geom_{bsd,mbr,label} modules to the loader.conf file, but that has no effect. Is there something else I should be doing to get these encrypted slices to show up?

I'm not sure if it matters, but I am doing this with 8.0-RELEASE in a VirtualBox guest.

Here's the partition scheme:

```
ad0                       HDD
ad0s1                     Partition #1 (unencrypted)
ad0s1a                    Unencrypted root slice
ad0s2                     Partition #2 (encrypted)
ad0s2.elia                Encrypted root slice
ad0s2.elib                Encrypted swap slice
```

Here's the /boot/loader.conf file from the unencrypted root partition (ad0s1a):

```
geom_bsd_load="YES"
geom_mbr_load="YES"
geom_label_load="YES"
geom_eli_load="YES"
```

Here's the /etc/fstab file from the unencrypted root partition (ad0s1a):

```
/dev/ad0s2.elia    /    ufs    rw    1    1
```


----------



## SirDice (Dec 17, 2009)

This:

```
List of GEOM managed disk devices:
  acd0 ad0.eli ad0
Loader variables:
vfs.root.mountfrom=ufs:/dev/ad0s2.elia
vfs.root.mountfrom.options=rw
...
```

Shows that ad0 is encrypted; ad0.eli. Not the second slice on that disk; ad0s2.


----------
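Added diagnostic, not part of this thread or of any poster's reply: geli keeps its metadata in the last sector of the provider it was initialised on. If the MBR slice ad0s2 ends on the very last sector of ad0, that sector is also the last sector of the whole disk, so when the kernel tastes ad0 it finds valid geli metadata there and creates ad0.eli, which is exactly the listing SirDice points at. The Python below builds a small constructed disk image with an MBR slice table, writes the geli magic where `geli init` on a slice would put it, and reports every provider (whole disk, then each slice) whose last sector carries it. The image layout, the `ad0` naming and all helper names are assumptions of this example; only the `GEOM::ELI` magic string is geli's own.

```python
import struct

SECTOR = 512
GELI_MAGIC = b"GEOM::ELI"  # G_ELI_MAGIC: first bytes of geli's metadata sector
MBR_TABLE = 446            # offset of the four 16-byte slice entries
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, LBA count


def build_mbr(slices):
    """Return a 512-byte MBR holding the given (type, start_lba, sector_count) slices.
    CHS fields are left zero; only the LBA fields matter for this check."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(slices):
        status = 0x80 if i == 0 else 0x00          # mark slice 1 bootable, as in the thread
        struct.pack_into(ENTRY_FMT, mbr, MBR_TABLE + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Yield (slice_number, first_lba, last_lba) for each populated MBR entry."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    for i in range(4):
        _status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, MBR_TABLE + 16 * i)
        if ptype and count:
            yield i + 1, start, start + count - 1


def make_image(disk_sectors, slices, geli_slice):
    """Constructed disk image: MBR, zeros, and the geli magic in the last sector of
    geli_slice, which is where `geli init` on that slice writes its metadata."""
    img = bytearray(disk_sectors * SECTOR)
    img[:SECTOR] = build_mbr(slices)
    for number, _start, last in parse_mbr(img[:SECTOR]):
        if number == geli_slice:
            off = last * SECTOR
            img[off:off + len(GELI_MAGIC)] = GELI_MAGIC
            return bytes(img)
    raise ValueError("no such slice")


def carries_geli_metadata(img, sector):
    off = sector * SECTOR
    return img[off:off + len(GELI_MAGIC)] == GELI_MAGIC


def geli_providers(img, disk="ad0"):
    """Names of every provider whose last sector looks like geli metadata: the whole
    disk first (as GEOM tastes it), then each MBR slice."""
    disk_last = len(img) // SECTOR - 1
    found = []
    if carries_geli_metadata(img, disk_last):
        found.append(disk)                       # kernel would create ad0.eli
    for number, _start, last in parse_mbr(img[:SECTOR]):
        if carries_geli_metadata(img, last):
            found.append(f"{disk}s{number}")     # kernel would create ad0sN.eli
    return found


def slice_shares_disk_end(img, number):
    """True when the slice's last sector is also the disk's last sector."""
    disk_last = len(img) // SECTOR - 1
    return any(n == number and last == disk_last for n, _s, last in parse_mbr(img[:SECTOR]))


if __name__ == "__main__":
    disk = 2048
    # Layout echoing the thread: s1 unencrypted, s2 to be geli'd. In the bad layout s2
    # runs to the final sector, so its geli metadata is also the disk's final sector.
    bad = make_image(disk, [(0xA5, 63, 1000), (0xA5, 1063, disk - 1063)], geli_slice=2)
    good = make_image(disk, [(0xA5, 63, 1000), (0xA5, 1063, disk - 1064)], geli_slice=2)
    print("bad :", geli_providers(bad))    # ['ad0', 'ad0s2']
    print("good:", geli_providers(good))   # ['ad0s2']
```

The "good" layout simply leaves the disk's final sector outside every slice, so only ad0s2 tastes as geli. On a real FreeBSD system the equivalent check is to compare the end of the slice as printed by `fdisk ad0` with the sector count printed by `diskinfo -v ad0`; if they coincide, geli metadata written to the slice is also visible at the end of the raw disk.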



## ioxer (Dec 17, 2009)

I did the following to initialize the ad0s2 partition:

```
geli init -b /dev/ad0s2
```

Thus, I'm rather confused why it would think the entire ad0 drive is encrypted. Nothing in the geli manpage indicates that doing "geli init..." on a partition would affect the entire disk, though maybe I'm missing something?

I'm able to mount ad0s1a in a FixIt shell without even loading the geom_eli module, so naturally that's proof that the ad0s1a slice isn't encrypted with geli.

If it helps, here's what the mountroot prompt lists when the geom_eli module isn't loaded at boot:

```
List of GEOM managed disk devices:
  ufsid/IDHERE acd0 ufsid/IDHERE ad0s1a ufsid/IDHERE ad0s2 ad0s1 ad0
Loader variables:
vfs.root.mountfrom=ufs:/dev/ad0s2.elia
vfs.root.mountfrom.options=rw
...
```

Am I correct in assuming that it doesn't think the ad0 disk is encrypted then? Where should I look next?


----------



## SirDice (Dec 17, 2009)

Which slice is marked bootable? If I'm not mistaken it should boot from ad0s1a but once the kernel is loaded it'll load the root (/) filesystem from ad0s2.elia.


----------



## ioxer (Dec 17, 2009)

I marked ad0s1 as bootable when I set up the disk with fdisk. Not sure if it matters, but I used fdisk via Configure->Fdisk in sysinstall.


----------



## eticaret (Dec 25, 2009)

I think I encountered a similar problem and the fix was to destroy the first bytes of ad0s2 with zeroes. Not 100% sure though, it was at least a year ago. If I find my notes, I'll post a message again.


----------

