
How to change passphrase for FreeBSD 11.0 encrypted ZFS root?


David Christensen

Jun 14, 2017, 2:20:55 AM
FreeBSD:

I have a FreeBSD 11.0 i386 machine with encrypted ZFS on root and
encrypted swap as created by the FreeBSD installer. I would like to
change the root password. I issued the following command:

toor@freebsd:/root # geli setkey -n 0 /dev/ada0s1d
Enter new passphrase:
Reenter new passphrase:
Note, that the master key encrypted with old keys and/or passphrase may
still exists in a metadata backup file.


Now when I boot, I enter the passphrase at the boot menu, a bunch of
stuff scrolls by, and then I see:

Enter passphrase for ada0s1d:


I enter the new passphrase and I see:

GEOM_ELI: Wrong key for ada0s1d. Tries left: 2.
Enter passphrase for ada0s1d:


I enter it again and I see:

GEOM_ELI: Wrong key for ada0s1d. Tries left: 1.
Enter passphrase for ada0s1d:


I enter the old passphrase and I see:

GEOM_ELI: Wrong key for ada0s1d. No tries left.
Mounting from zfs:zroot/ROOT/default failed with error 2.


I am then presented with some brief documentation and a prompt:

mountroot>


If I enter "?" to get a list of valid disk boot devices, I see:

List of GEOM managed disk devices:
ada0s1d ada0s1b ada0s1a ada0s1 ada0 cd0


I do not see ada0s1d.eli, which should be my decrypted root file system.


I have rebooted and tried more than once -- same result.


It would be useful to know why GELI for the root device is now broken,
and if it is possible to fix it (other than re-imaging/ re-installing).


What is the correct way to change the passphrase for FreeBSD 11.0
encrypted ZFS root?


Is this specific use-case documented anywhere?


David
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"

Jov

Jun 14, 2017, 8:36:12 AM
You changed the passphrase without the key file? The default geli boot will read
key files in the /boot dir; the key file name is set in /boot/loader.conf. You
should remove the settings if you did not set it.

David Christensen

Jun 14, 2017, 12:14:10 PM
On 06/14/2017 05:35 AM, Jov wrote:

> On 06/14/2017 2:20 PM, David Christensen wrote:
>> I issued the following command:
>>
>> toor@freebsd:/root # geli setkey -n 0 /dev/ada0s1d Enter new
>> passphrase: Reenter new passphrase: Note, that the master key
>> encrypted with old keys and/or passphrase may still exists in a
>> metadata backup file.
>>
>> Now when I boot, I enter the passphrase at the boot menu, a bunch
>> of stuff scrolls by, and then I see:
>>
>> Enter passphrase for ada0s1d:
>>
>> I enter the new passphrase and I see:
>>
>> GEOM_ELI: Wrong key for ada0s1d. Tries left: 2. Enter passphrase
>> for ada0s1d:
>
> You changed the passphrase without the key file? The default geli boot
> will read key files in the /boot dir; the key file name is set in
> /boot/loader.conf. You should remove the settings if you did not set it.

Thank you for the clue.


I would now like to edit /boot/loader, to see if I can adjust the
settings so that GELI will decrypt my root partition using just a
passphrase.


When I boot the FreeBSD 11.0 i386 installer into single-user mode:

# mount /dev/ada0s1a /mnt
mount /dev/ada0s1a: Invalid argument


Why is mount(8) complaining?

# ls -l /dev/ada0s1a
crw-r----- 1 root operator 0x5b Jun 14 15:53 /dev/ada0s1a

Jov

Jun 14, 2017, 12:28:30 PM
Not a ufs?
What's the output of gpart show?

Jov

David Christensen

Jun 14, 2017, 1:41:26 PM
On 06/14/2017 09:28 AM, Jov wrote:

> On 06/14/2017 12:13 AM, David Christensen wrote:
>> I would now like to edit /boot/loader, to see if I can adjust the settings
>> so that GELI will decrypt my root partition using just a passphrase.
>>
>> When I boot the FreeBSD 11.0 i386 installer into single-user mode:
>>
>> # mount /dev/ada0s1a /mnt
>> mount /dev/ada0s1a: Invalid argument
>>
>> Why is mount(8) complaining?
>>
>> # ls -l /dev/ada0s1a
>> crw-r----- 1 root operator 0x5b Jun 14 15:53 /dev/ada0s1a
>
> Not a ufs?
> What's the output of gpart show?

Thank you for your reply. Here is the relevant output:

# gpart show
=>       63  31277169  ada0  MBR  (15G)
         63         1        - free -  (512B)
         64  31277160     1  freebsd  [active]  (15G)
   31277224         8        - free -  (4.0K)

=>        0  31277160  ada0s1  BSD  (15G)
          0   4194304       1  freebsd-zfs  (2.0G)
    4194304   4194304       2  freebsd-swap  (2.0G)
    8388608  22888544       4  freebsd-zfs  (11G)
   31277152         8          - free -
...


So, it looks like ada0s1a is a ZFS VDEV. That explains why mount is
complaining.


Trying another approach:

# zpool list
no pools available

# zpool import
pool: bootpool
id: <redacted>
state: ONLINE
action: The pool can be imported using its name or numeric identifier.
config:

bootpool ONLINE
ada0s1a ONLINE

# zpool import bootpool
cannot mount '/bootpool': failed to create mountpoint

# zpool status
pool: bootpool
state: ONLINE
scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        bootpool    ONLINE       0     0     0
          ada0s1a   ONLINE       0     0     0

errors: No known data errors

# find / -name bootpool
<nothing>


Exporting and attempting to import under /tmp produces similar results:

# zpool export bootpool

# zpool list
no pools available

# zpool import -R /tmp bootpool
cannot mount '/tmp/bootpool': failed to create mountpoint

# zpool status
pool: bootpool
state: ONLINE
scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        bootpool    ONLINE       0     0     0
          ada0s1a   ONLINE       0     0     0

errors: No known data errors

# find / -name bootpool
<nothing>


How do I import and mount bootpool?


David


p.s. You and/or your mailer are not following the apparent style
conventions of this mailing list:

1. "Interleaved posting" style:

https://en.wikipedia.org/wiki/Posting_style

2. Omitting sender's e-mail address in replies.

3. Indenting sender's text in replies.

4. Removing obsolete text in replies as the discussion progresses.

But, I see no mention of the above style conventions on the mailing list
info page:

https://www.freebsd.org/community/mailinglists.html

I have repaired your replies in my replies (twice). I request that you
reconfigure your mailer and follow convention to improve readability and
avoid unnecessary re-work.

David Christensen

Jun 14, 2017, 8:04:21 PM
freebsd-questions:

I have a FreeBSD 11.0 RELEASE i386 system that I created using the
FreeBSD installer (FreeBSD-11.0-RELEASE-i386-memstick.img):

Partitioning Auto (ZFS)

ZFS Configuration
Pool Type/Disks Stripe 1 Disk
Virtual Device type stripe
(device) ada0
Pool Name zroot
Force 4K Sectors YES
Encrypt Disks YES
Partition Scheme MBR (BIOS)
Swap Size 2g
Mirror Swap NO
Encrypt Swap YES
Install Proceed with Installation


I broke the system by attempting to change the root pool passphrase. I
might be able to fix it if I can edit /boot/loader.conf.


Booting the FreeBSD installer into multi-user mode and then going to a
shell:

# zpool list
no pools available

# zpool import
pool: bootpool
id: <redacted>
state: ONLINE
action: The pool can be imported using its name or numeric identifier.
config:

bootpool ONLINE
ada0s1a ONLINE

# zpool import bootpool
cannot import 'bootpool': pool may be in use from other system
use '-f' to import anyway

# zpool import -f bootpool
cannot mount '/bootpool': failed to create mountpoint


Choosing Live CD produces the same end result.


I previously obtained the same end result by booting into single-user mode.


How do I import and mount bootpool using the installer that created it?

Jim Ohlstein

Jun 14, 2017, 8:09:16 PM
Hello,
Try

# zpool import -f -o mountpoint=/mnt bootpool

--
Jim Ohlstein
Professional Mailman Hosting
https://mailman-hosting.com

David Christensen

Jun 14, 2017, 8:40:11 PM
Thanks for the reply.


Booting FreeBSD 11.0 RELEASE i386 installer into single-user mode and
accepting default shell:

# zpool import -f -o mountpoint=/mnt bootpool
ZFS NOTICE: KSTACK_PAGES is 2 which could result in stack overflow panic!
Please consider adding 'options KSTACK_PAGES=4' to your kernel config
ZFS NOTICE: Prefetch is disabled by default on i386 -- to enable, add
"vfs.zfs.prefetch_disable=0" to /boot/loader.conf.
ZFS WARNING: Recommended minimum kmem_size is 512 MB; expect unstable
behavior. Consider tuning vm.kmem_size and vm.kmem_size_max in
/boot/loader.conf.
ZFS filesystem version: 5
ZFS storage pool version: features support (5000)
property 'mountpoint' is not a valid pool property


David

Jim Ohlstein

Jun 14, 2017, 8:43:17 PM
Hello,
Hmmm.... That's odd.

# zfs get mountpoint zroot
NAME PROPERTY VALUE SOURCE
zroot mountpoint /zroot local



David Christensen

Jun 14, 2017, 11:25:02 PM
1. zfs(8) is not the same as zpool(8). You used the former; I used the
latter.

2. "mountpoint" is a ZFS Native Property, not a ZFS pool property:

http://docs.oracle.com/cd/E23824_01/html/821-1448/gazss.html#gcfgr

https://docs.oracle.com/cd/E19120-01/open.solaris/817-2271/6mhupg6jv/index.html#gfiex

3. The installer environment is going to be different than a "normal"
FreeBSD system.


Digging some more:

# mount
/dev/ufs/FreeBSD_Install on / (ufs, local, noatime, read-only)
devfs on /dev (devfs, local, multilabel)
/dev/md0 on /var (ufs, local)
/dev/md1 on /tmp (ufs, local)


So, the installer provides a read-only root file system, overlaid with a
devfs for /dev, a memory file system for /var, and a memory file system
for /tmp.


Perhaps if I create a mount point within /tmp, since it's writable, and
then import bootpool using an alternate root:

http://docs.oracle.com/cd/E19253-01/819-5461/gbcgl/index.html

# mkdir /tmp/bootpool

# zpool import -R /tmp/bootpool bootpool

# zpool list bootpool
NAME       SIZE  ALLOC   FREE  EXPANDSZ  FRAG  CAP  DEDUP  HEALTH  ALTROOT
bootpool  1.98G   128M  1.86G         -    7%   6%  1.00x  ONLINE  /tmp/bootpool


Now I can edit loader.conf:

# cd /tmp/bootpool/bootpool/boot

# ls -l loader.conf
-rw-r--r-- 1 root wheel 517 Jan 25 19:36 loader.conf

# cp loader.conf loader.con-20170125-1936

# vi loader.conf

### 20170614 dpchrist - don't use keyfile for root pool
#geli_ada0s1d_keyfile0_load="YES"
#geli_ada0s1d_keyfile0_type="ada0s1d:geli_keyfile0"
#geli_ada0s1d_keyfile0_name="/boot/encryption.key"


Change directory out and export the pool:

# cd

# pwd
/

# zpool export bootpool

# zpool list
no pools available


Power down, pull the installer USB flash drive, and boot -- it works!


One last step:

toor@freebsd:/boot # zpool import bootpool


Reboot -- everything is there:

toor@freebsd:~ # zpool list
NAME       SIZE  ALLOC   FREE  EXPANDSZ  FRAG  CAP  DEDUP  HEALTH  ALTROOT
bootpool  1.98G   128M  1.86G         -    7%   6%  1.00x  ONLINE  -
zroot     10.9G  5.11G  5.76G         -   45%  47%  1.00x  ONLINE  -

toor@freebsd:~ # mount | egrep '^(zroot |bootpool)'
bootpool on /bootpool (zfs, local, nfsv4acls)
zroot on /zroot (zfs, local, noatime, nfsv4acls)


Thanks everyone for the help. :-)


David
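The check and the two repairs discussed in this thread, as an added shell example that is not code from the thread, from FreeBSD or from the geli(8) tool itself: it reads the installer-style geli_<prov>_keyfile0_* settings that Jov pointed to, prints a `geli setkey` invocation that keeps the keyfile in the new key (the -K option of geli(8) setkey), and applies the loader.conf edit from the final post to a constructed sample loader.conf. The function names, the sample file (only its three geli_ lines are taken from the thread) and the `--demo` flag are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Before "geli setkey" on a
# provider that the FreeBSD installer set up with a keyfile, check
# /boot/loader.conf: the boot-time key is passphrase + keyfile whenever
# geli_<prov>_keyfile0_* settings are present, so a key slot rewritten
# without -K (as in the thread) cannot be opened at boot.
#
# Assumptions: the installer's variable names (geli_<prov>_keyfileN_load,
# _type, _name) as shown in the thread; the sample below is constructed
# for this example and is not a real system's file.

# Print the keyfile paths configured for PROVIDER in CONF, one per line.
# Prints nothing when the provider boots on the passphrase alone.
# Commented-out lines (the thread's repair) are ignored.
geli_keyfiles_for() {
    prov=$1; conf=$2
    grep -E "^[[:space:]]*geli_${prov}_keyfile[0-9]+_name=" "$conf" 2>/dev/null \
        | sed -e 's/^[^=]*=//' -e 's/^"//' -e 's/"$//'
}

# Print the setkey command that keeps the boot configuration valid:
# one -K per configured keyfile, so the replacement key is still
# passphrase + keyfile. Per geli(8), an attached provider's master key is
# taken from the kernel, so the old passphrase/keyfile is not needed.
# Run "geli backup /dev/PROV FILE" first; note that geli init's default
# backup /var/backups/PROV.eli (if present) still holds the old key.
geli_setkey_cmd() {
    prov=$1; conf=$2
    cmd="geli setkey"
    for kf in $(geli_keyfiles_for "$prov" "$conf"); do
        cmd="$cmd -K $kf"
    done
    printf '%s /dev/%s\n' "$cmd" "$prov"
}

# Comment out the keyfile settings for PROVIDER in CONF, keeping CONF.bak.
# This is the repair from the thread's last post, used after the key slot
# has already been replaced with a passphrase-only key; from then on the
# root key is protected by the passphrase alone, with no keyfile factor.
disable_keyfile() {
    prov=$1; conf=$2
    cp "$conf" "$conf.bak"
    sed -E "s/^([[:space:]]*geli_${prov}_keyfile[0-9]+_(load|type|name)=)/#\1/" \
        "$conf.bak" > "$conf"
}

# Constructed sample in the installer's format (the three geli_ lines
# match the thread; the other two are assumed).
write_sample_conf() {
    cat > "$1" <<'EOF'
geom_eli_load="YES"
zfs_load="YES"
geli_ada0s1d_keyfile0_load="YES"
geli_ada0s1d_keyfile0_type="ada0s1d:geli_keyfile0"
geli_ada0s1d_keyfile0_name="/boot/encryption.key"
EOF
}

# Demo on the constructed sample: "sh geli_keyfile_check.sh --demo".
# On a real system, call the functions on /boot/loader.conf instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp "${TMPDIR:-/tmp}/loader.conf.XXXXXX")
    write_sample_conf "$tmp"
    echo "keyfile(s):     $(geli_keyfiles_for ada0s1d "$tmp")"
    echo "safe command:   $(geli_setkey_cmd ada0s1d "$tmp")"
    disable_keyfile ada0s1d "$tmp"
    echo "after disable:  $(geli_setkey_cmd ada0s1d "$tmp")"
    rm -f "$tmp" "$tmp.bak"
fi
```

On the system in this thread, `geli_setkey_cmd ada0s1d /boot/loader.conf` prints `geli setkey -K /boot/encryption.key /dev/ada0s1d`, which is the invocation that changes the passphrase without breaking the boot; the `setkey -n 0` run without -K is what left the new key slot unusable at boot. The alternative repair, `disable_keyfile`, is the loader.conf edit applied from the installer shell above. Either way the secret a disk thief has to guess is the passphrase: /boot/encryption.key lived on the unencrypted bootpool (ada0s1a) on the same disk, so dropping it does not weaken that case, but it does mean the passphrase alone should be strong.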