freebsd stable - Mar 2008 - Using /etc/rc.d/geli with labeled devices on 6.3

Hi,

given that /dev/ad12 is a geli encryptet device, you might set up
/etc/rc.conf like

geli_enable="YES"
geli_devices="ad12"
geli_ad12_flags="-k /root/keys/geli.ad12.key"

I don't like absolute device names (they might change) so I label them
e.g. FOOcrypt so it show up like /dev/label/FOOcrypt

Attaching the FOOcrypt manually works like

# geli attach -k /root/geli.FOO.key /dev/label/FOOcrypt 
Enter passphrase:

The UFS on /dev/label/FOOcrypt.eli is labeled FOO[1]  so 
it will be available on /dev/ufs/FOO and can be mounted:

# mount /dev/ufs/FOO

How should I set up /etc/rc.conf to get this by /etc/rc.d/geli on boot?

geli_enable="YES"
geli_devices="label/FOOcrypt"
geli_label/FOOcrypt_flags="-k /root/keys/geli.FOO.key"
     ^^^^^^^^^^^^^^ 
This won't work. How?

TIA.

Regards
Raphael Becker

[1] newfs -L FOO ... /dev/label/FOOcrypt.eli --> /dev/ufs/FOO

-- 
Raphael Becker          <rabe@uugrn.org>          http://rabe.uugrn.org/
GnuPG:                E7B2 1D66 3AF2 EDC7 9828  6D7A 9CDA 3E7B 10CA 9F2D
.........|.........|.........|.........|.........|.........|.........|..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20080318/40bc51a6/attachment.pgp

On Tue, Mar 18, 2008 at 04:04:52PM +0100, Raphael Becker wrote:

[ getting /dev/label/FOOcrypt.eli configured through /etc/rc.d/geli ]
> How should I set up /etc/rc.conf to get this by /etc/rc.d/geli on boot?
> 
> geli_enable="YES"
> geli_devices="label/FOOcrypt"
> geli_label/FOOcrypt_flags="-k /root/keys/geli.FOO.key"
>      ^^^^^^^^^^^^^^ 
> This won't work. How?
geli_label_FOOcrytp_flags="-k /root/keys/geli.FOO.key" 
         ^^^

from /etc/rc.d/geli:
        provider_=`ltr ${provider} '/' '_'`
        eval "flags=\${geli_${provider_}_flags}"

Seems to work. This should be documented in rc.conf(5) as ppl who use 
'geli' for encryption might also know about and use 'glabel'.

Regards
Raphael Becker
-- 
Raphael Becker          <rabe@uugrn.org>          http://rabe.uugrn.org/
GnuPG:                E7B2 1D66 3AF2 EDC7 9828  6D7A 9CDA 3E7B 10CA 9F2D
.........|.........|.........|.........|.........|.........|.........|..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20080320/393e7447/attachment.pgp