# GELI and ZFS, how to unlock multiple harddrives with only one password?



## olav (Nov 18, 2010)

I have a ZFS pool with 9 harddrives that is encrypted with GELI.
When I reboot I have to type in a password for each disk to unlock it. Typing in only one password for all harddrives is secure enough for me. But how can I do this?

I read it's possible to create a small file with keys to all the harddrives. So I tried that solution.

First I created a file with dd:
[CMD=""]dd if=/dev/zero of=/root/geli.vol bs=64k count=16[/CMD]

Then I created a memorydisk with the command:
[CMD=""]mdconfig -a -t vnode -f /root/geli.vol -u 100
[/CMD]
A new device got created as /dev/md100.

Then I encrypted and attached it with GELI
[CMD=""]geli init -s 4096 /dev/md100[/CMD]
[CMD=""]geli attach /dev/md100[/CMD]

I file system was needed so I created a filesystem
[CMD=""]newfs /dev/md100.eli[/CMD]

After that, I mounted it and copied over all the GELI keys for the harddrives.
The harddrives has been created as this(no password, only keys)
[CMD=""]geli init -P -s 4096 -K /root/geli.keys/ada0.key /dev/ada0[/CMD]

The problem now is how do I get this to work in a boot process?
In /etc/rc.conf there is this:

```
geli_devices=""
geli_ada0_flags=""
```
There is no md100 device when I boot, how can I create the md100 device from the /root/geli.vol file when the system boots?

Another question I have is if this is a good solution? Are there better alternatives?


----------



## graudeejs (Nov 18, 2010)

You need to edit /boot/loader.conf
Check geli(8) examples section.


----------



## olav (Nov 18, 2010)

I'm getting a bit closer.

According to this site http://sleepyhead.de/howto/?href=filesystem (found it after 4 hours with googling )
I can use this property in /etc/rc.conf
[CMD=""]mdconfig_md0="-t vnode -f /usr/vdisk.img[/CMD]

And that will create the md0 device. However now I can't get geli to unlock it. I get the following error message:

```
Creating md0 device (vnode)
fsck: Could not determine filesystem type.
Fsck failed on /dev/md0 not mounting the filesystem.
```

What is causing this? What could I have done wrong?
If I manually do:
[cmd=""]geli attach -k /path/to/key md0[/cmd]
it works just fine.


----------



## graudeejs (Nov 18, 2010)

Geli is looking for keys (after loader.conf is loaded), and asking for passwords, before rc.conf is loaded (*I think*)
md discs are created when rc.conf is loaded


----------



## graudeejs (Nov 18, 2010)

Perhaps you can create some kind of raid, and encrypt entire raid with single password/key?
However if single disk fails, depending on raid, you may loose all you have (Unless you have backups somewhere else)


----------



## olav (Nov 18, 2010)

In that case I think it's maybe better to export a ZFS volume and then use GELI on that volume.


----------



## graudeejs (Nov 18, 2010)

What do you actually want to encrypt?


----------



## olav (Nov 18, 2010)

Confidential data. If someone steal our file server we don't want them to be able to read our data.


----------



## graudeejs (Nov 18, 2010)

Then you should have backup data anyway.


----------



## graudeejs (Nov 18, 2010)

You could use flash to store keys to geli.
Boot from flash...
Once server is booted you could remove flash.... and carry it on your neck 

This way, You can avoid entering password, and still have secure setup...
Just don't lose flash


----------



## olav (Nov 18, 2010)

Until someone kills me and take my device. 
If used together with a password it could work. But I really want to use an encrypted file.
Perhaps I should just create a startup script instead.


----------



## graudeejs (Nov 18, 2010)

olav said:
			
		

> Until someone kills me and take my device.
> If used together with a password it could work. But I really want to use an encrypted file.



How would that help?
About password... If you think someone would kill you to get key, don't you think they would kidnap and torture you until you tell them password and then kill you? (think about it)



			
				olav said:
			
		

> Perhaps I should just create a startup script instead.


How would that help?


----------



## olav (Dec 21, 2010)

I spent some time yesterday learning how to create a startup script. Today I finished it and it works perfectly.

I created a file named /etc/rc.d/olav with following content

```
#!/bin/sh

# PROVIDE: olav
# BEFORE: LOGIN
. /etc/rc.subr

name="olav"
rcvar=${name}_enable
start_cmd="${name}_start"
stop_cmd=":"

olav_start()
{
        echo "Unlocking encrypted drives."
        mdconfig -a -t vnode -f /root/keys.geli -u 100
        geli attach /dev/md100
        mount /dev/md100.eli /root/keys
        geli attach -p -k /root/keys/disk.key /dev/label/93472
        geli attach -p -k /root/keys/disk.key /dev/label/18885
        geli attach -p -k /root/keys/disk.key /dev/label/8ABYQ
        geli attach -p -k /root/keys/disk.key /dev/label/58198
        geli attach -p -k /root/keys/disk.key /dev/label/63313
        geli attach -p -k /root/keys/disk.key /dev/label/27794
        geli attach -p -k /root/keys/disk.key /dev/label/85583
        geli attach -p -k /root/keys/disk.key /dev/label/54776
        geli attach -p -k /root/keys/disk.key /dev/label/89S1P
        /etc/rc.d/zfs onestart
}

load_rc_config $name
run_rc_command "$1"
```
Note the BEFORE: LOGIN, this is because I want this script to run after everything else is up and running.

Now my /etc/rc.conf looks like this

```
hostname="zbtank.oberon.no"
ifconfig_alc0="DHCP"
keymap="norwegian.iso"
sshd_enable="YES"
tmpmfs="YES"
tmpsize="512M"
tmpmfs_flags="-m 0 -o async,noatime -S -p 1777"
smartd_enable="YES"
geli_autodetach="NO"

# Here I add my new rc script
olav_enable="YES"

# Commented out because it starts too early, starts in my script instead
#zfs_enable="YES"
```

I'm really not sure if I've done the right thing about starting ZFS in my rc script, but at least it works now.


----------



## zennybsd (Apr 4, 2011)

@Olav: Tack! Thank you so much for your script. Appreciate it!

I was just thinking about this after I read your post. I am just wondering if a server on boot will get the unlock key/your script over a server (say a keyserver with something like RADIUS or LDAP authentication) in the network at boottime, and unlock it.

Maybe that would be more secure if someone unplugs the HDD and try to access it, what do you think? Or any hints?


----------



## olav (Apr 5, 2011)

The key is stored in an encrypted file/volume, that should be safe enough.


----------

