On Sun, Oct 26, 2014 at 09:19:25PM +0100, Patrik Lundin wrote: > Hello, > > I have a usecase for full disk encryption using softraid where the > keydisk is placed on the same harddrive as the encrypted partition. This > is not for protecting data on the drive in case it gets stolen, but > rather to allow for a quick way of making the data unrecoverable (by > destroying the keydisk and rebooting). > > I am not sure this is even supposed to work, but I have now been trying > to make this work for a few hours and am getting pretty strange results. > > I am currently testing this on a virtual machine which when booted into > the installer has a single physical drive: wd0. > > The way i have been going about this is to start the installer, directly > drop to a shell and then do the following: > # fdisk -iy wd0 > > # disklabel -E wd0 > Create the following partitions (in this order to make the biggest > partition last): > wd0b (swap) > wd0d (RAID) - keydisk (1M) > wd0a (RAID) - the remaining part of the drive that will be encrypted.
I'd use wd0d instead of wd0a, because 'a' is usually expected to contain a root partition, not a softraid volume. That has nothing to do with the problem at hand though. > # bioctl -c C -l /dev/wd0a -k /dev/wd0d softraid0 > > After this sd0 is created, and i exit back to the installer where i > select "install" and answer all the questions as usual. When it asks > for a drive I give it "sd0", and use the automatic partition layout > inside sd0. > > Everything looks good at this point, but when rebooting the bootloader > stops with the following message: > === > Using drive 0, partition 3. > Loading..... > ERR M > === This error means biosboot(8) can't find the boot(8) program. When booting from softraid, the boot program is stored at a particular offset in the softraid meta data area, and installboot(8) patches that offset into biosboot(8) before copying biosboot(8) to the MBR. Apparently, biosboot(8) has the wrong offset in your case. Your report lacks some information: - architecture (i386 / amd64 / ...) - full output of 'disklabel wd0' to show exactly how you configured partitions - output of running installboot with the -v option on the softraid volume: installboot -v sd0 > If I boot back into the the installer at this point sd0 appears > automatically, so even while the bootloader does not like what it finds, > the softraid crypto device is able to assemble itself like it is > supposed to. > > This is where it gets really funky. I _have_ been able to get it to work > using the following schema: > > #1. Install the system with only wd0b (swap) and wd0a (RAID) using a > passphrase. > > #2. Reinstall the system and modify the disklabel to look like: wd0b > (swap), wd0d (RAID, 1M), wd0a. (Like my original plan). > > When I do this the system manages to boot without a passphrase, using > the encrypted drive. I suspect there is a problem in installboot(8) in case the keydisk is on the same disk as the crypto volume. The boot(8) program which is the first program to interpret softraid meta data doesn't even get to run in your case. > It feels to me like the key is that in the above > order, the keydisk (wd0d) will align to the where wd0a with the > passphrase was originally. As if there are some remains that makes it > possible for the bootloader to locate it or something (that is not > overwritten when it is used as the target for the -k argument. > > Any input on this would be greatly appreaciated! > > Regards, > Patrik Lundin
