Author: Sean Language: text
Description: GELI Timestamp: 2014-08-07 17:50:39 +0000
I have the following disk setup in my server:

2 x SSD drives in a ZFS mirror
1 x SATA drive (just a single disk with ZFS)
All the above drives are encrypted using GELI. (I use an unencrypted USB for /boot.)

My ZFS root sits on the mirrored SSD drives. All the drives are encrypted and use the same encryption key. Yesterday I rebooted my server after applying the latest security updates, and the first disk would not accept the password no matter how many times I tried. Therefore, after booting up, my ZFS root mirror was broken.

Here's where it gets even weirder. After booting up with my ZFS mirror broken (since the first disk in the mirror couldn't be unlocked/decrypted using the password I normally use at bootup), if I run geli attach -k /boot/bootdir/encryption.key /dev/da0p1.eli and enter the exact same password that I tried at bootup, it works! After that I bring the disk online, the ZFS mirror resilvers, and all is good. This is worrying, however, as if the second disk fails and I reboot, I won't be able to boot up the machine.

So why can't I decrypt the one disk at bootup? I know I am entering the correct password, as the other two disks decrypt fine. In the past I have decrypted all three disks when rebooting with no issues at all, and my /boot/loader.conf hasn't changed. I am running FreeBSD 10.0-STABLE amd64 with a generic kernel.

Any ideas? Is this a bug? Will it be fixed in 10.1 maybe?
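The manual recovery described in the post (re-attach the provider with the keyfile, bring the vdev online, let ZFS resilver) as a small FreeBSD sh script. This is an added example, not code from the original post: it reads the geli keyfile entries from /boot/loader.conf, lists the providers whose <provider>.eli device never appeared after boot, re-attaches each with the same keyfile (geli still prompts for the passphrase on the console), and brings it back into the pool. Assumed, not stated in the post: the pool is named zroot, loader.conf carries entries of the geli_<provider>_keyfile0_name form the FreeBSD Handbook documents, and the keyfile path is the one from the post. The DEVDIR, LOADER_CONF, KEYFILE and POOL variables exist only so the script can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): re-attach any GELI provider that
# failed to unlock at boot, then bring its ZFS vdev back online so it resilvers.
# Assumptions: pool "zroot", keyfile /boot/bootdir/encryption.key, and
# loader.conf keyfile entries like geli_da0p1_keyfile0_name="/boot/bootdir/encryption.key".
# The variables below only exist so the script can be pointed at a scratch tree.

LOADER_CONF="${LOADER_CONF:-/boot/loader.conf}"
KEYFILE="${KEYFILE:-/boot/bootdir/encryption.key}"
POOL="${POOL:-zroot}"
DEVDIR="${DEVDIR:-/dev}"

# Providers loader.conf tries to unlock at boot, one per line, sorted.
# Matches geli_<provider>_keyfileN_name="..." and prints <provider>.
expected_providers() {
    sed -n 's/^geli_\([A-Za-z0-9]*\)_keyfile[0-9]*_name=.*/\1/p' "$1" | sort -u
}

# Providers that were expected but have no decrypted <provider>.eli node,
# i.e. the ones the boot-time passphrase prompt did not unlock.
missing_providers() {
    for p in $(expected_providers "$LOADER_CONF"); do
        [ -e "$DEVDIR/$p.eli" ] || echo "$p"
    done
}

# geli attach takes the raw provider and creates <provider>.eli on success.
# With -k plus a passphrase-protected key it still prompts for the passphrase.
attach_one() {
    geli attach -k "$KEYFILE" "$DEVDIR/$1"
}

# Hand the now-readable .eli device back to ZFS; the pool resilvers it.
online_one() {
    zpool online "$POOL" "$DEVDIR/$1.eli"
}

# Recover every missing provider; prints how many were recovered,
# returns non-zero and stops at the first one that cannot be attached.
recover() {
    n=0
    for p in $(missing_providers); do
        if attach_one "$p" && online_one "$p"; then
            n=$((n + 1))
        else
            echo "failed to recover $p" >&2
            return 1
        fi
    done
    echo "$n"
}

# Run as: sh recover-geli.sh run   (then watch the resilver in zpool status)
case "${1:-}" in
    run) recover && zpool status "$POOL" ;;
esac
```

Run it once after a boot where one half of the mirror stayed locked; afterwards `missing_providers` should print nothing. If it keeps finding the same provider after every reboot while the interactive attach succeeds, compare that provider's loader.conf keyfile lines against the ones for the disks that do unlock, since the boot loader and the interactive `geli attach -k` are the two places the keyfile is supplied.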