Bug 167429

Summary: geli(8) needs to mention unencrypted /etc/fstab requirement for encrypted root
Product: Documentation
Reporter: rsimmons0
Component: Manual Pages
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open ---
Severity: Affects Some People
CC: allanjude, doc, fk, grahamperrin
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Attachments: file.diff (flags: none)

Description rsimmons0 2012-04-29 18:00:26 UTC
If you want to boot from an encrypted root partition that is encrypted using geli, you must boot from an unencrypted partition that includes a /boot/ directory and /etc/fstab.

The geli(8) man page mentions the /boot/ directory requirement, but omits the /etc/fstab

Fix: I have attached a patch that mentions the /etc/fstab requirement in the geli(8) man page.

Patch attached with submission follows:
How-To-Repeat: Install FreeBSD onto a geli encrypted provider that was created with "geli init -b"

Then copy only the /boot/ directory to the unencrypted area that you will use to boot.

Boot the machine, and see the errors where it can't find the / partition to decrypt.

Comment 1 Eitan Adler freebsd_committer freebsd_triage 2012-04-29 18:47:54 UTC
Responsible Changed
From-To: freebsd-doc->eadler

I'll take it.

Comment 2 Eitan Adler freebsd_committer freebsd_triage 2012-09-02 04:09:17 UTC
Responsible Changed
From-To: eadler->freebsd-doc

I won't be looking at this PR for a while and I need to clear some out of my queue.

Comment 3 Fabian Keil 2016-04-04 14:46:09 UTC
An unencrypted /etc/fstab isn't actually necessary, you can specify
the root partition/pool with vfs.root.mountfrom.

For details see:
/boot/defaults/loader.conf
and
/usr/src/sys/kern/vfs_mountroot.c.

I agree that geli(8) could be a bit more specific about how to
boot from an encrypted root partition/pool, though.

Comment 4 Allan Jude freebsd_committer freebsd_triage 2018-06-17 03:16:18 UTC
Also, geliboot support now exists, which works with an encrypted /etc/fstab.

Comment 5 Graham Perrin 2023-09-12 05:11:11 UTC
Close as overcome by events?

Comment 6 Fabian Keil 2023-09-12 06:34:48 UTC
I still think geli(8) should be improved.

The "geliboot support" Allan mentioned seems to lack documentation as well.

Comment 7 Graham Perrin 2023-09-12 06:50:55 UTC
(In reply to Fabian Keil from comment #6)

> I still think geli(8) should be improved. …

Agreed (coincidentally, I asked a question in Discord not long before your comment).

If I understand correctly, such improvements will be out of scope for this bug report: 

>> geli(8) needs to mention unencrypted /etc/fstab requirement for encrypted root

Comment 8 Fabian Keil 2023-09-12 07:05:52 UTC
I have no strong feelings about whether or not this bug report stays open, but at least on stable/13 geli(8) still doesn't mention /etc/fstab so IMHO the report has not actually been "overcome by events".
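
The two ways of locating an encrypted root that this report discusses (an unencrypted /etc/fstab per the description, or vfs.root.mountfrom in loader.conf per comment 3) can be checked before rebooting. The script below is an added example, not code from the report or from FreeBSD. It assumes the unencrypted boot area is mounted at the directory passed as the first argument and that only boot/loader.conf is consulted; the function names are hypothetical, and geliboot setups (comment 4) are out of scope.

```sh
#!/bin/sh
# Added example, not from the bug report or the FreeBSD tree.
# Assumptions: the unencrypted boot area is mounted at the directory given
# as $1, and only boot/loader.conf is read (not loader.conf.local or the
# defaults file). geliboot setups (comment 4) are out of scope.

# Print the last vfs.root.mountfrom value set in a loader.conf-style file.
root_mountfrom() {
    [ -f "$1" ] || return 1
    awk '/^[ \t]*vfs\.root\.mountfrom[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # keep the text after the first "="
            sub(/[ \t]*#.*$/, "", v)      # drop a trailing comment
            sub(/[ \t]+$/, "", v)         # drop trailing blanks
            gsub(/"/, "", v)              # drop the surrounding quotes
            last = v
         }
         END { if (last == "") exit 1; print last }' "$1"
}

# Succeed when an fstab-style file has a non-comment entry mounted on "/".
fstab_has_root() {
    [ -f "$1" ] || return 1
    awk '$1 !~ /^#/ && $2 == "/" { found = 1 } END { exit !found }' "$1"
}

# Print a one-word verdict; return 0 only when the root file system can be
# located from the unencrypted area alone.
check_boot_area() {
    b=$1
    [ -d "$b/boot" ] || { echo "no-boot-dir"; return 1; }
    if mf=$(root_mountfrom "$b/boot/loader.conf"); then
        echo "mountfrom:$mf"; return 0
    fi
    if fstab_has_root "$b/etc/fstab"; then
        echo "fstab"; return 0
    fi
    echo "root-not-locatable"; return 1
}

# Run as: sh check.sh /mnt/bootpart   (the path is a placeholder)
if [ $# -gt 0 ]; then check_boot_area "$1"; fi
```

A verdict of root-not-locatable corresponds to the How-To-Repeat case above, where only /boot/ was copied to the unencrypted area.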