# GELI: Using one keyfile for several partitions in loader.conf



## tty23 (Mar 20, 2011)

Hi,

I use GEOM_ELI for 4 drives on my home server. I use the same keyfile for all of the partitions. However, typing in my extraordinarily long password 4 times on each startup is cumbersome. Since I did not find any documentation on the geli syntax in loader.conf, I could not yet figure out how to tell geli to use the same keyfile for all partitions.

Any hints on how to do that?

Part of my loader.conf:

```
geom_eli_load="YES"
# One keyfile block per provider; the "_type" value names the provider the key belongs to.
geli_ada1_keyfile0_load="YES"
geli_ada1_keyfile0_type="ada1:geli_keyfile0"
geli_ada1_keyfile0_name="/boot/keys/daten.key"
geli_ada2_keyfile0_load="YES"
geli_ada2_keyfile0_type="ada2:geli_keyfile0"
geli_ada2_keyfile0_name="/boot/keys/daten.key"
```


----------



## graudeejs (Mar 20, 2011)

See the example section of geli(8). Your config looks correct; for each drive you need to tell it to use the same key (copy-paste job). If you don't want to type the password 4 times, either don't use passwords, or use passwords for the HDDs with the most important info.


----------



## tty23 (Mar 20, 2011)

Yep the config works, the question was indeed how to make it work without typing the password 4 times.

Isn't there any way to use at least one keyfile for all partitions?


----------



## graudeejs (Mar 20, 2011)

tty23 said:

> Yep the config works, the question was indeed how to make it work without typing the password 4 times.
> 
> Isn't there any way to use at least one keyfile for all partitions?

Keyfile and passphrase are 2 different things.


----------



## graudeejs (Mar 20, 2011)

AFAIK currently you can't type 1 passphrase so that it would work for all drives... However, it would be a nice feature to have...


----------



## tty23 (Mar 20, 2011)

My hope was that if I could use the keyfile for all partitions, I would have to type in the password for that keyfile only once.

Anyway, thanks for the clarification!

Indeed, 1 password for a number of keyfiles would be a nice feature.


----------



## graudeejs (Mar 20, 2011)

Again, keyfiles and passphrases are different things. You can use keyfiles or a passphrase or both. Passphrases are not tied to keyfiles (and vice versa). Both passphrases and keyfiles are tied to the HDD.


----------



## olav (Mar 20, 2011)

You can; I've done this.

Basically you create a mini file which acts as a separate encrypted filesystem. In this file you have the keys for the other devices.

I've created an rc script that looks like this:

```
#!/bin/sh

# PROVIDE: gelikeys
# REQUIRE: FILESYSTEMS
# BEFORE: LOGIN
#
# REQUIRE: FILESYSTEMS makes sure the root filesystem (which holds
# /root/keys.geli) is mounted before this script runs.

. /etc/rc.subr

name="gelikeys"
rcvar=${name}_enable
start_cmd="${name}_start"
stop_cmd=":"

gelikeys_start()
{
        echo "Unlocking encrypted drives."
        # The "vault": a small file-backed md(4) device that is itself a GELI
        # provider protected by a passphrase. This is the only passphrase
        # prompt at boot.
        mdconfig -a -t vnode -f /root/keys.geli -u 100
        geli attach /dev/md100
        mount /dev/md100.eli /root/keys
        # The data providers use the keyfile only (no passphrase component),
        # so "-p -k <keyfile>" attaches them without prompting.
        geli attach -p -k /root/keys/gelikeys.key /dev/label/93472
        geli attach -p -k /root/keys/gelikeys.key /dev/label/18885
        geli attach -p -k /root/keys/gelikeys.key /dev/label/8ABYQ
        geli attach -p -k /root/keys/gelikeys.key /dev/label/58198
        geli attach -p -k /root/keys/gelikeys.key /dev/label/63313
        geli attach -p -k /root/keys/gelikeys.key /dev/label/27794
        geli attach -p -k /root/keys/gelikeys.key /dev/label/85583
        geli attach -p -k /root/keys/gelikeys.key /dev/label/54776
        geli attach -p -k /root/keys/gelikeys.key /dev/label/89S1P
}

load_rc_config $name
: ${gelikeys_enable:="NO"}
run_rc_command "$1"
```


----------



## Zare (Mar 20, 2011)

If GELI partitions are encrypted with keyfiles, which are encrypted by a passphrase, and you use the same keyfile for encrypting four partitions, wouldn't decrypting a keyfile *once* provide a mechanism to decrypt all four partitions instantly? If it can't be specified in GELI commands then GELI doesn't know that four partitions are using the same keyfile, and tries to load/decrypt the same keyfile 4 times in a row.

The workaround would be to use keyfile/passphrase for the root partition, and for all other partitions use non-passphrased keyfiles contained somewhere on the root partition.
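
One way to set up the "key vault" that olav's rc script and Zare's workaround describe, written as an added example; it is not code from the thread. It assumes FreeBSD's geli(8) and mdconfig(8). The image path, mount point, md unit 100 and the /dev/label/* provider names are placeholders chosen to match the rc script above, and DRY_RUN=1 prints each command instead of running it so the plan can be reviewed on any system before touching real disks.

```shell
#!/bin/sh
# Added example (not from the thread): create a passphrase-protected vault
# (file-backed md(4) device + GELI) holding ONE keyfile, and re-key the data
# providers so they need only that keyfile. All paths/units are assumptions.

set -u

VAULT_IMG="${VAULT_IMG:-/root/keys.geli}"      # backing file for the vault
VAULT_UNIT="${VAULT_UNIT:-100}"                # md unit; must match the rc script
VAULT_MNT="${VAULT_MNT:-/root/keys}"           # mount point on the root filesystem
KEYFILE="${KEYFILE:-$VAULT_MNT/gelikeys.key}"  # the single shared keyfile
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands instead of running

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vault_create: build the small encrypted filesystem that stores the keyfile.
# "geli init" and "geli attach" on the vault prompt for the passphrase; that
# passphrase is the one you will type at boot.
vault_create() {
    run dd if=/dev/random of="$VAULT_IMG" bs=1m count=4
    run chmod 0600 "$VAULT_IMG"
    run mdconfig -a -t vnode -f "$VAULT_IMG" -u "$VAULT_UNIT"
    run geli init "/dev/md$VAULT_UNIT"
    run geli attach "/dev/md$VAULT_UNIT"
    run newfs "/dev/md$VAULT_UNIT.eli"
    run mkdir -p "$VAULT_MNT"
    run mount "/dev/md$VAULT_UNIT.eli" "$VAULT_MNT"
    run dd if=/dev/random of="$KEYFILE" bs=64 count=1
    run chmod 0600 "$KEYFILE"
}

# vault_open: what the rc script does at boot (one passphrase prompt).
vault_open() {
    run mdconfig -a -t vnode -f "$VAULT_IMG" -u "$VAULT_UNIT"
    run geli attach "/dev/md$VAULT_UNIT"
    run mount "/dev/md$VAULT_UNIT.eli" "$VAULT_MNT"
}

# providers_rekey: rewrite key slot 0 of each provider as "keyfile only, no
# passphrase" (-P -K). Run this while the providers are attached: geli then
# takes the master key from the kernel and asks for no current passphrase.
# Drop -P if the disk should keep a passphrase component as well.
providers_rekey() {
    for prov in "$@"; do
        run geli setkey -n 0 -P -K "$KEYFILE" "$prov"
    done
}

# providers_attach: unattended attach using only the keyfile from the vault.
providers_attach() {
    for prov in "$@"; do
        run geli attach -p -k "$KEYFILE" "$prov"
    done
}

# vault_close: unmount and detach the vault once the data providers are up,
# so the plaintext keyfile is not left mounted for the rest of the uptime.
vault_close() {
    run umount "$VAULT_MNT"
    run geli detach "/dev/md$VAULT_UNIT"
    run mdconfig -d -u "$VAULT_UNIT"
}
```

Before running providers_rekey on a real disk, save the provider's metadata with `geli backup <prov> <file>`; a failed setkey otherwise locks you out. Once the vault exists, the rc script from olav's post (installed in /usr/local/etc/rc.d/ with `gelikeys_enable="YES"` in /etc/rc.conf) does vault_open followed by providers_attach; calling vault_close at the end of it is a cheap hardening step, since with -P the data disks' security rests entirely on the vault passphrase and on nobody reading the keyfile while it is mounted.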


----------



## AlexanderB (Aug 6, 2016)

I have the same problem:
da1p4 AES with password
da1p5 Blowfish password + key


olav said:

> Basically you create a mini file which acts as a separate encrypted filesystem. In this file you have the keys for the other devices.
> 
> I've created an rc script that looks like this:

Where do I need to put this script? Can you please write a mini tutorial here?


----------



## olav (Feb 28, 2019)

Your own RC script files should be placed under the /usr/local/etc/rc.d/ folder, and in /etc/rc.conf you enable it with

```
gelikeys_enable="YES"
```

Sorry for reviving an old thread, but the information was missing.


----------

