# Key file based geli encryption for root on zfs



## trumee (May 11, 2016)

Hello,

The FreeBSD 10.3 installer allows encryption for Root on ZFS using a password. I would like to use keyfile instead of a password. Is it possible to do it with the installer?

I can create an encrypted zfs pool manually using a shell. But I was unable to use this in the installer to do its business.

Thanks


----------



## trumee (May 12, 2016)

Unfortunately, I couldn't get key based encryption with custom partitioning to work. Instead, I used the 'Guided ZFS' menu in the installer without encryption. Is it possible now to backup the zroot pool, create a new encrypted pool and restore the previous pool?


----------



## trumee (May 12, 2016)

I gave this another go. The plan was to use 'Guided ZFS' with encryption, and change the key after the install (to get rid of the passphrase). After the installation was complete, I changed the key using

```
#dd if=/dev/random of=/boot/keyfile bs=256 count=1
1+0 records in
1+0 records out
#geli setkey -v -k /boot/encryption.key -P -K /boot/keyfile /dev/da0p4
Note, that the master key encrypted with old key and/or passphrase may still exists in a metadata backup file
Done.
#geli setkey -v -k /boot/encryption.key -P -K /boot/keyfile /dev/da1p4
Note, that the master key encrypted with old key and/or passphrase may still exists in a metadata backup file
Done.
```

and then modified the loader.conf to reflect the new key and disabled the passphrase prompt:


```
#cat /boot/loader.conf
geli_da0p4_keyfile0_name="/boot/keyfile"
geli_da1p4_keyfile0_name="/boot/keyfile"
geom_eli_passphrase_prompt="NO"
```

Unfortunately I still get a password prompt, and the original password doesn't even work.

What am I doing wrong?


----------



## tobik@ (May 12, 2016)

You need to remove the boot flag from da0p4 and da1p4: `geli configure -B /dev/da0p4`


----------



## trumee (May 12, 2016)

tobik said:


> You need to remove the boot flag from da0p4 and da1p4: `geli configure -B /dev/da0p4`



Did that and ended up with


----------



## tobik@ (May 16, 2016)

trumee said:


> Did that and ended up with


The boot flag needs to be set. Otherwise the code path to decrypt the root partition is never taken. Sorry about that misleading idea...
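Added example, not code from the thread: a POSIX sh script that performs the rekey procedure trumee describes (random keyfile, `geli setkey -P -K` against the installer's `/boot/encryption.key`) and emits the loader.conf stanza geli(8) documents for a key file, while backing up the GELI metadata first and leaving the BOOT flag untouched, as tobik's last reply requires. Provider names, `/boot/keyfile` and the backup path are assumptions; only `--apply` touches the disks.

```shell
#!/bin/sh
# Added example (not from the thread): rekey GELI root providers to a key
# file and print the loader.conf lines. Safe to source; --apply executes.
set -eu

KEYFILE="${KEYFILE:-/boot/keyfile}"        # assumed path, as in the thread
OLDKEY="${OLDKEY:-/boot/encryption.key}"   # key the 10.x installer created

# geli(8) documents three loader variables per provider: _load makes the
# loader read the file, _type tags it for geom_eli, _name gives the path.
# Usage: loader_conf_lines <keyfile> <prov> [<prov> ...]
loader_conf_lines() {
    keyfile=$1; shift
    for prov in "$@"; do
        printf 'geli_%s_keyfile0_load="YES"\n' "$prov"
        printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$prov" "$prov"
        printf 'geli_%s_keyfile0_name="%s"\n' "$prov" "$keyfile"
    done
    printf 'geom_eli_passphrase_prompt="NO"\n'
}

# Generate a 256-byte key readable only by root, back up each provider's
# metadata, then replace the user key (-P: no passphrase, -K: new keyfile).
# The old passphrase is still prompted for once per provider by setkey.
# 'geli dump' prints the metadata afterwards so the flags (BOOT) can be
# checked; 'geli configure -B' would clear BOOT and must not be used.
rekey_providers() {
    keyfile=$1; oldkey=$2; shift 2
    umask 077
    dd if=/dev/random of="$keyfile" bs=256 count=1 2>/dev/null
    for prov in "$@"; do
        geli backup "/dev/$prov" "/var/backups/$prov.eli"   # assumed path
        geli setkey -v -k "$oldkey" -P -K "$keyfile" "/dev/$prov"
        geli dump "/dev/$prov"
    done
}

if [ "${1:-}" = "--apply" ]; then
    shift
    rekey_providers "$KEYFILE" "$OLDKEY" "$@"
    loader_conf_lines "$KEYFILE" "$@" >> /boot/loader.conf
fi
```

Review the `geli dump` output before rebooting; the key file lives on the unencrypted boot pool, so its permissions and the metadata backups are the only things standing between the disk and the master key.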


----------

