# Encrypted ufs root partition, passphrase entered during installation will not be accepted at boot



## Derk356 (May 16, 2017)

Hello, I have some trouble getting an encrypted root ufs to work properly.
I install the (efi) boot partition on a usb-stick (/dev/da5), with both a keyfile, and a passphrase. The (root) partition is /dev/ad0p1, the swap /dev/ad0p2.
After that, because I use the vSphere hypervisor with FreeBSD 11.0/x64 as a guest, I have to convert the usb-stick into a bootable iso-file, vSphere does not allow me to boot from usb.
I got a lot of information from someone, who posted a howto on a site, which I will not mention, because of the FreeBSD Forum rules.
During installation I enter my passphrase, when I enter exactly the same passphrase when booting from the iso file, FreeBSD tells me it's not correct.

During installation, I start a shell at partitioning time, and enter the following commands:

```
gpart destroy -F da5
gpart destroy -F da0
gpart create -s gpt da5
gpart add -t freebsd-boot -s 512k -a 4k da5
gpart add -t freebsd-ufs -l boot -s 900M -a 1M da5
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da5
gpart create -s gpt da0
gpart add -t freebsd-ufs -l root -b 1M -s 23G da0
gpart show da0
gpart add -t freebsd-swap -l swap -s 8GB da0
dd if=/dev/random of=/tmp/da0.key bs=64 count=1
geli init -b -e AES-XTS -l 256 -K /tmp/da0.key -i 1 -s 4096 da0p1
```
Here I enter the passphrase twice.


```
geli attach -k /tmp/da0.key da0p1
```
Here I enter the passphrase once, and it's accepted.


```
newfs -U /dev/da5p2
newfs -U /dev/da0p1.eli
mount /dev/da0p1.eli /mnt
mkdir /mnt/unenc
mount /dev/da5p2 /mnt/unenc
mkdir /mnt/unenc/metadata_restore_files
cp /var/backups/da0p1.eli /mnt/unenc/metadata_restore_files/
cp /tmp/da0.key /mnt/unenc/
mkdir /mnt/unenc/boot
ln -s unenc/boot /mnt/boot
```
Edit the file: /tmp/bsdinstall_etc/fstab

```
/dev/da0p1.eli    /       ufs     rw    1    1
/dev/da0p2.eli    none    swap    sw    0    0
```
Edit the file: /tmp/bsdinstall_boot/loader.conf

```
geom_eli_load="YES"
vfs.root.mountfrom="ufs:da0p1.eli"
```


```
exit
```
From here I complete the installation, pull out the usb-stick, connect it to another freebsd box, and make a bootable efi iso this way:

```
cd ~
mkdir usbtoiso
```
Mount the usb-stick to /mnt

```
cp -aR /mnt/* usbtoiso
dd if=/dev/zero of=efiboot.img bs=4k count=150
mdconfig -a -t vnode -f efiboot.img
newfs_msdos -F 12 -m 0xf8 /dev/md0
mount -t msdosfs /dev/md0 /mnt
mkdir -p /mnt/efi/boot
cp ~/usbtoiso/boot/loader.efi /mnt/efi/boot/bootx64.efi
umount /mnt
mdconfig -d -u 0
makefs -t cd9660 -o bootimage='i386;efiboot.img' -o no-emul-boot -o rockridge -o label="Cryptoboot" -o publisher="Crypt" crypt-o-boot.iso usbtoiso
```
after booting from this iso, at some time it asks me for my passphrase, I enter
exactly the same passphrase, but it simply does not work.
I hope someone sees the problem, and I don't cause people a headache!


----------



## getopt (May 17, 2017)

Hint to non-US keyboard users : Do not set a passphrase with accents or special characters that the US keyboard cannot address. The keymap is loaded AFTER you have to enter your passphrase at boottime.


----------



## Derk356 (May 17, 2017)

I use a us international keyboard, and already tried leaving out special character, even spaces.


----------



## Derk356 (May 19, 2017)

I found the solution...
First move ~/usbtoiso/da0.key to ~/usbtoiso/boot/
or do this earlier, replace `cp /tmp/da0.key /mnt/unenc/`
with `cp /tmp/da0.key /mnt/unenc/boot/`
(put the line `mkdir /mnt/unenc/boot` above the previous line!  )

The following lines need to be added to loader.conf (at the end of the lines already added in my first post)

```
geli_da0p1_keyfile_load="YES"
geli_da0p1_keyfile_type="da0p1:geli_keyfile"
geli_da0p1_keyfile_name="/boot/da0.key"
```

Thanks for reading my post, hope this one helps others...


----------

