# Geli memory device at boot



## LuizBiazus (Jan 11, 2010)

Hello there!

I created an encrypted device with these commands:


```
# 100 MB backing file, attached as memory disk md0
dd if=/dev/urandom of=/usr/www.vol bs=1M count=100
mdconfig -a -t vnode -f /usr/www.vol -u 0
# 56-byte (448-bit) random keyfile; without -P, geli init also asks for a passphrase
dd if=/dev/urandom of=/www.key bs=56 count=1
geli init -s 4096 -e Blowfish -l 448 -K /www.key /dev/md0
geli attach -d -k /www.key /dev/md0
# the decrypted provider is /dev/md0.eli: label and newfs that one, not the
# raw /dev/md0, otherwise the filesystem ends up on the unencrypted device
bsdlabel -w /dev/md0.eli
newfs /dev/md0.elia
mount /dev/md0.elia /mnt
df -h

/dev/md0.elia        97M    4.0K     89M     0%    /mnt
```


How can I mount this memory device automatically on each boot without a password?!

I just want to protect the data from being ripped if this hard disk is placed in slave mode in another computer!


Thanks

Luiz


----------



## Alt (Jan 11, 2010)

Sorry, you need to encrypt a memory disk?


----------



## fonz (Jan 11, 2010)

Alt said:

> Sorry, you need to encrypt a memory disk?


He still has the image stored on a local hard drive I think...

@OP: There are probably more elegant solutions, but one thing you could do is add something like the following to your /etc/rc.local:

```
# attach the backing file, unlock it with the keyfile, mount the decrypted provider
mdconfig -a -t vnode -f /usr/www.vol -u 0
geli attach -d -k /www.key /dev/md0
# the filesystem lives on the geli provider (/dev/md0.eli), so mount that, not /dev/md0
mount /dev/md0.elia /mnt
```

Alphons


----------



## LuizBiazus (Jan 12, 2010)

fonz said:

> He still has the image stored on a local hard drive I think...


Yep...



> @OP: There are probably more elegant solutions, but one thing you could do is add something like the following to your /etc/rc.local:
> 
> ```
> mdconfig -a -t vnode -f /usr/www.vol -u 0
> ...



It will ask for the passphrase, right?


----------



## Alt (Jan 12, 2010)

Isn't it possible to attach geli from rc.conf?


----------



## fonz (Jan 12, 2010)

LuizBiazus said:

> It will ask for the passphrase, right?


Depends on how you set things up. According to the man page (see geli(8)), the options *-P* and *-p* to `# geli init` and `# geli attach` respectively can be used to "disable" the passphrase.

_[Edit:]_ I tried something like `# echo "passphrase" | geli attach /dev/foo` but that didn't work, geli(8) still asked me for a passphrase. So, I hope the options I mentioned above work for you.

Hope this helps,

Alphons


----------



## fonz (Jan 12, 2010)

Alt said:

> Isn't it possible to attach geli from rc.conf?


As I said in my initial reply, there are probably more elegant solutions than the one I proposed. But at least it should get the OP going until he works out a better method.

Using /etc/rc.local is pretty much considered obsolete nowadays. I still use it occasionally for quick fixes, which is why I suggested it in the first place, but once the OP gets things working he should probably consider switching to a /etc/rc.d/ script if he can be bothered to do so.

I'm not sure whether what the OP wants can be done with /etc/rc.conf because he needs to do an `# mdconfig` first, then a `# geli attach` and finally a `# mount`. If you (or anyone else) know how to do all that - and in the right order, too - from /etc/rc.conf, then by all means let us know how.

Alphons


----------



## Alt (Jan 12, 2010)

I know a good Russian proverb:
There is nothing more permanent than a temporary one.


----------



## LuizBiazus (Jan 13, 2010)

fonz said:

> As I said in my initial reply, there are probably more elegant solutions than the one I proposed. But at least it should get the OP going until he works out a better method.
> 
> Using /etc/rc.local is pretty much considered obsolete nowadays. I still use it occasionally for quick fixes, which is why I suggested it in the first place, but once the OP gets things working he should probably consider switching to a /etc/rc.d/ script if he can be bothered to do so.
> 
> ...




A key without a passphrase works... but the key will be on the hard disk, right? So even if someone can't see my memory device, it can be copied (www.vol) together with its key, since this key will be in a normal directory, right!?

So there is no secure way to use geli automatically, right?


----------



## fonz (Jan 13, 2010)

*You can't have your cake and eat it too.*



			
LuizBiazus said:

> A key without a passphrase works... but the key will be on the hard disk, right?



Or you could put the key on a USB stick, floppy, CD or some other medium that can be ejected once the encrypted volume has been attached.



			
LuizBiazus said:

> So even if someone can't see my memory device, it can be copied (www.vol) together with its key, since this key will be in a normal directory, right!?



If the attacker knows where the keyfile is, yes. 



			
LuizBiazus said:

> So there is no secure way to use geli automatically, right?



To have any sort of encryption, you need some kind of variable (or challenge, if you like). Unless you have some of that nifty biometric scanning equipment this usually means a passphrase or a keyfile. Or both, but you need at least one.

Passphrases need to be typed in (or stored on disk, but that would essentially make them keyfiles), keyfiles need to be stored on an accessible medium (which could be removable though). You can prevent having to type a passphrase and you can prevent having a keyfile on disk, but you cannot prevent both. 

It's not really a limitation in geli(8), it's the same with e.g. LUKS or TrueCrypt. It's just how (this kind of) encryption works. You need _some_ way to specify _some_ key _some_how.

Alphons


----------
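The thread ends with two practical suggestions: move from /etc/rc.local to an /etc/rc.d/ script, and keep the keyfile on a removable medium rather than on the hard disk. The script below is an added example that ties both together; it is not from the thread or from any of its posters. It does the mdconfig / geli attach / mount sequence at boot using the keyfile alone (the `-p` option to `geli attach` that fonz mentions) and reverses it at shutdown. Everything it assumes is made up for the illustration: the volume was initialised with `geli init -P -K <keyfile>` so the key has no passphrase component, the keyfile lives on a removable medium mounted at /media/keystick, the filesystem was created on the encrypted provider (`bsdlabel -w /dev/md0.eli`, `newfs /dev/md0.elia`), and the service name geli_www is a placeholder. The keyfile check refuses a missing, truncated, or group/world-readable key before anything is attached, which is the failure an unattended boot would otherwise silently hit.

```shell
#!/bin/sh
#
# Added example, not from the thread: rc.d-style script that attaches the
# geli-encrypted memory disk at boot with a keyfile (no typed passphrase) and
# detaches it at shutdown. All paths, names and the mount layout below are
# assumptions for the illustration, not something the thread states.
#
# PROVIDE: geli_www
# REQUIRE: FILESYSTEMS
# KEYWORD: shutdown

www_vol="/usr/www.vol"              # backing file, as used in the thread
www_key="/media/keystick/www.key"   # assumed: keyfile on a removable medium
www_unit="0"
www_mnt="/mnt"
RUN="${RUN:-}"   # set RUN=echo to print the commands instead of executing them

# Sanity checks before the key is used: it must exist as a regular file, be
# exactly 56 bytes (the size the thread's dd command produces, so an empty or
# truncated file is caught), and be unreadable by group and other.
# Returns 0 when the keyfile is acceptable, 1 otherwise.
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "keyfile $f: missing or not a regular file" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 56 ] || { echo "keyfile $f: expected 56 bytes, got $size" >&2; return 1; }
    # columns 5-10 of "ls -l" output are the group and other permission bits
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "keyfile $f: readable by group/other ($perms)" >&2; return 1; }
    return 0
}

# Backing file -> md device -> geli provider -> mounted filesystem.
www_start() {
    check_keyfile "$www_key" || return 1
    $RUN mdconfig -a -t vnode -f "$www_vol" -u "$www_unit" || return 1
    # -p: the key is the keyfile alone, so nothing is asked on the console
    # -d: detach the provider automatically on last close
    $RUN geli attach -d -p -k "$www_key" "/dev/md${www_unit}" || return 1
    $RUN mount "/dev/md${www_unit}.elia" "$www_mnt" || return 1
}

# Same steps in reverse. After the unmount the -d flag would detach the
# provider anyway; detaching explicitly lets the md device go away cleanly.
www_stop() {
    $RUN umount "$www_mnt"
    $RUN geli detach "/dev/md${www_unit}.eli"
    $RUN mdconfig -d -u "$www_unit"
}

# rc.subr glue, only reached when this really runs as an rc.d script on
# FreeBSD. Enable it with geli_www_enable="YES" in /etc/rc.conf.
if [ -r /etc/rc.subr ] && [ -z "$RUN" ]; then
    . /etc/rc.subr
    name="geli_www"
    rcvar="geli_www_enable"
    start_cmd="www_start"
    stop_cmd="www_stop"
    load_rc_config "$name"
    : "${geli_www_enable:=NO}"
    run_rc_command "$1"
fi
```

Installed as /usr/local/etc/rc.d/geli_www (mode 555) and enabled in /etc/rc.conf, this runs after FILESYSTEMS so the removable medium holding the key is already mounted; once the volume is attached the medium can be unmounted and pulled, which is exactly the arrangement fonz describes. Running it by hand with `RUN=echo` shows the command sequence without touching any device, which is also how the keyfile check can be exercised before trusting it at boot.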

