# Incorrect password with GELI & ZFS



## marckaw (Jul 23, 2013)

I am having some trouble setting up a GELI-encrypted ZFS partition. At boot, I am prompted for the password but it is rejected as incorrect. I am able to boot from a Live CD and successfully mount the partitions. I've set kern.geom.eli.visible_passphrase="1" and verified that the password is being entered properly. I'm relatively new to FreeBSD and I can't seem to make further headway on solving this--I've waded through forum posts and checked the code below against several tutorials for setting up similar systems and cannot find any significant differences. Any assistance would be greatly appreciated.

The code in question:


```
dd if=/dev/urandom of=/dev/ada0 bs=1m

gpart destroy -F ada0
gpart create -s gpt ada0

gpart add -s 512k -a 4k -t freebsd-boot -l bootcode ada0
gpart add -s 2G -a 4k -t freebsd-zfs -l bootdir ada0
gpart add -s 4G -a 4k -t freebsd-swap -l swapfs ada0
gpart add -a 4k -t freebsd-zfs -l zroot ada0

glabel label -v bootcode /dev/ada0p1
glabel label -v bootdir /dev/ada0p2
glabel label -v swapfs /dev/ada0p3
glabel label -v zroot /dev/ada0p4

gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0

mdconfig -a -t malloc -s 128m -u 2
newfs -O2 /dev/md2
mount /dev/md2 /boot/zfs

kldload opensolaris zfs geom_eli

zpool create bootdir /dev/ada0p2
zpool set bootfs=bootdir bootdir
mkdir /boot/zfs/bootdir
zfs set mountpoint=/boot/zfs/bootdir bootdir
zfs mount bootdir

dd if=/dev/random of=/boot/zfs/bootdir/encryption.key bs=4096 count=1
geli init -b -B /boot/zfs/bootdir/ada0p4.eli -e AES-XTS -K /boot/zfs/bootdir/encryption.key -l 256 -s 4096 /dev/ada0p4
geli attach -k /boot/zfs/bootdir/encryption.key /dev/ada0p4
chmod 600 /boot/zfs/bootdir/encryption.key

zpool create zroot /dev/ada0p4.eli
zfs set mountpoint=/boot/zfs/zroot zroot
zfs mount zroot
zfs unmount bootdir
mkdir /boot/zfs/zroot/bootdir
zfs set mountpoint=/boot/zfs/zroot/bootdir bootdir
zfs mount bootdir

zfs set checksum=fletcher4 zroot
zfs create -o compression=on -o exec=on -o setuid=off zroot/tmp
chmod 1777 /boot/zfs/zroot/tmp
zfs create zroot/usr
zfs create zroot/usr/local
zfs create zroot/usr/jails
zfs create zroot/usr/home
cd /boot/zfs/zroot
ln -s /usr/home home
zfs create -o compression=lzjb -o setuid=off zroot/usr/ports
zfs create -o compression=off -o exec=off -o setuid=off zroot/usr/ports/distfiles
zfs create -o compression=off -o exec=off -o setuid=off zroot/usr/ports/packages
zfs create -o compression=lzjb -o exec=off -o setuid=off zroot/usr/src
zfs create zroot/usr/obj
zfs create zroot/var
zfs create -o compression=lzjb -o exec=off -o setuid=off zroot/var/crash
zfs create -o exec=off -o setuid=off zroot/var/db
zfs create -o compression=lzjb -o exec=on -o setuid=off zroot/var/db/pkg
zfs create -o exec=off -o setuid=off zroot/var/empty
zfs create -o compression=lzjb -o exec=off -o setuid=off zroot/var/log
zfs create -o compression=gzip -o exec=off -o setuid=off zroot/var/mail
zfs create -o exec=off -o setuid=off zroot/var/run
zfs create -o compression=lzjb -o exec=on -o setuid=off zroot/var/tmp
chmod 1777 /boot/zfs/zroot/var/tmp

ifconfig em0 inet my.ip
route add default my.router.ip

ftp -a 204.152.184.73
cd /pub/FreeBSD/releases/amd64/amd64/9.1-RELEASE
get base.txz
get doc.txz
get kernel.txz
get ports.txz
get src.txz
exit

unxz -c base.txz | tar xvpf -
unxz -c doc.txz | tar xvpf -
unxz -c kernel.txz | tar xvpf -
unxz -c ports.txz | tar xvpf -
unxz -c src.txz | tar xvpf -

zfs set readonly=on zroot/var/empty

chroot /boot/zfs/zroot

cd /
mv boot bootdir/
ln -fs bootdir/boot
mv bootdir/encryption.key bootdir/boot/
mv bootdir/*.eli bootdir/boot/
```
/etc/rc.conf:

```
zfs_enable="YES"
geli_swap_flags="-e AES-XTS -l 256 -s 4096 -d"
```
/boot/loader.conf:

```
zfs_load="YES"
aesni_load="YES"
geom_eli_load="YES"
geom_label_load="YES"
vm.kmem_size="1G"
vfs.root.mountfrom="zfs:zroot"
kern.geom.eli.visible_passphrase="1"
kern.geom.eli.debug="3"
geli_ada0p4_keyfile0_load="YES"
geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile0"
geli_ada0p4_keyfile0_name="/boot/encryption.key"
```
I have also tried:

```
geli_label_zroot_keyfile0_load="YES"
geli_label_zroot_keyfile0_type="label/zroot:geli_keyfile0"
geli_label_zroot_keyfile0_name="/boot/encryption.key"
```

With the preceding configuration set in loader.conf, I am still prompted for the password to ada0p4 at boot, so it seems this is working correctly. I suspect encryption.key is not being properly loaded, but cannot seem to discover why this might be. Hopefully, I've made a typo or failed to understand a step.

The remaining code follows:

```
touch /etc/fstab

passwd root
tzsetup
cd /etc/mail
make aliases

exit

cd /boot/zfs
zfs unmount bootdir
zpool export zroot && zpool import zroot
zfs mount bootdir
cp /boot/zfs/zpool.cache /boot/zfs/zroot/boot/zfs/zpool.cache

zfs unmount -a
zfs set mountpoint=legacy zroot
zfs set mountpoint=/tmp zroot/tmp
zfs set mountpoint=/usr zroot/usr
zfs set mountpoint=/var zroot/var
zfs set mountpoint=/bootdir bootdir
```

Thanks again for any assistance you may be able to provide.


----------



## wblock@ (Jul 23, 2013)

The use of glabel(8) is pointless; it sets labels on partitions but then never uses those label devices. And later steps use the raw devices, which potentially overwrite the labels anyway. GPT labels are already being set.


----------



## marckaw (Jul 23, 2013)

I set the labels at a point when I was troubleshooting by using the alternate loader.conf configuration with geli_label_zroot_keyfile0_load rather than geli_ada0p4_keyfile0_load. Needless to say, this didn't work and I will certainly remove those commands if they are useless.


----------
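A lint for the `geli_*_keyfileN_load/_type/_name` loader.conf variables discussed in this thread, as an added example that is not part of any post: it flags non-ASCII characters such as typographic quotes, values not in plain double quotes, a `_type` that is not `<provider>:geli_keyfileN`, and a `_load` without its `_type` or `_name`. The function name `lint_geli_keyfiles` and the sample file are constructed for illustration.

```shell
# Added example: lint the geli keyfile variables in a loader.conf-style file.
# Prints one finding per line; returns 0 only when there are no findings.
lint_geli_keyfiles() {
    conf=$1 findings=0 n=0 seen=
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            geli_*_keyfile[0-9]*=*) ;;      # only the keyfile variables
            *) continue ;;
        esac
        var=${line%%=*} val=${line#*=}
        seen="$seen $var"
        # Any byte >= 0x80 is a non-ASCII character, e.g. a typographic quote.
        ascii=$(printf '%s' "$line" | LC_ALL=C tr -d '\200-\377')
        if [ "$ascii" != "$line" ]; then
            echo "line $n: non-ASCII character in $var"
            findings=$((findings + 1)); continue
        fi
        case $val in
            \"*\") val=${val#\"}; val=${val%\"} ;;
            *) echo "line $n: $var value is not in plain double quotes"
               findings=$((findings + 1)); continue ;;
        esac
        base=${var%_*}                       # e.g. geli_ada0p4_keyfile0
        idx=${base##*_keyfile}               # e.g. 0
        case $var:$val in
            *_type:?*:geli_keyfile"$idx") ;;
            *_type:*) echo "line $n: $var is not <provider>:geli_keyfile$idx"
                      findings=$((findings + 1)) ;;
        esac
    done < "$conf"
    for var in $seen; do                     # every _load needs _type and _name
        case $var in *_load) base=${var%_load} ;; *) continue ;; esac
        for suffix in type name; do
            case " $seen " in
                *" ${base}_$suffix "*) ;;
                *) echo "missing ${base}_$suffix"; findings=$((findings + 1)) ;;
            esac
        done
    done
    [ "$findings" -eq 0 ]
}
# Constructed sample: typographic quotes, wrong keyfile index, no _name line.
sample=$(mktemp)
printf 'geli_ada0p4_keyfile0_load=\342\200\235YES\342\200\235\n' > "$sample"
printf 'geli_ada0p4_keyfile0_type="ada0p4:geli_keyfile1"\n' >> "$sample"
lint_geli_keyfiles "$sample" || echo "fix the findings above before rebooting"
rm -f "$sample"
```

Run it against the `loader.conf` on the boot pool from the Live CD before rebooting; it only inspects the file and does not touch the GELI provider.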

