Bug 167429 - geli(8) needs to mention unencrypted /etc/fstab requirement for encrypted root
Status: Open
Alias: None
Product: Documentation
Classification: Unclassified
Component: Manual Pages
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2012-04-29 18:00 UTC by rsimmons0
Modified: 2018-06-17 03:16 UTC

Attachments
file.diff (567 bytes, patch)
2012-04-29 18:00 UTC, rsimmons0

Description rsimmons0 2012-04-29 18:00:26 UTC
If you want to boot from an encrypted root partition that is encrypted using geli, you must boot from an unencrypted partition that includes a /boot/ directory and /etc/fstab.

The geli(8) man page mentions the /boot/ directory requirement, but omits the /etc/fstab.

Fix: I have attached a patch that mentions the /etc/fstab requirement in the geli(8) man page.

Patch attached with submission follows:
How-To-Repeat: Install FreeBSD onto a geli encrypted provider that was created with "geli init -b"

Then copy only the /boot/ directory to the unencrypted area that you will use to boot.

Boot the machine, and see the errors where it can't find the / partition to decrypt.
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2012-04-29 18:47:54 UTC
Responsible Changed
From-To: freebsd-doc->eadler

I'll take it.
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2012-09-02 04:09:17 UTC
Responsible Changed
From-To: eadler->freebsd-doc

I won't be looking at this PR for a while and I need to clear some out of my queue.
Comment 3 Fabian Keil 2016-04-04 14:46:09 UTC
An unencrypted /etc/fstab isn't actually necessary, you can specify
the root partition/pool with vfs.root.mountfrom.

For details see:
/boot/defaults/loader.conf
and
/usr/src/sys/kern/vfs_mountroot.c.

I agree that geli(8) could be a bit more specific about how to
boot from an encrypted root partition/pool, though.
Comment 4 Allan Jude freebsd_committer 2018-06-17 03:16:18 UTC
Also, geliboot support now exists, which works with an encrypted /etc/fstab.
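
The check this thread describes, as an added example that is not part of the bug report or of FreeBSD's own tooling: a shell preflight that confirms an unencrypted boot area carries /boot and names the root file system either through vfs.root.mountfrom in /boot/loader.conf or through an /etc/fstab entry. The function names and the mount-point argument are assumptions made for illustration, and the geliboot case from Comment 4 is not covered.

```shell
#!/bin/sh
# Added example: preflight check of an unencrypted boot area for a
# geli-encrypted root. Function names and layout are illustrative assumptions.

# Print the last value assigned to a loader.conf variable, or nothing.
loader_var() {   # $1 = loader.conf path, $2 = variable name
    [ -f "$1" ] || return 0
    awk -F= -v k="$2" '
        { sub(/#.*/, ""); key = $1; gsub(/[ \t]/, "", key) }
        key == k {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v); sub(/[ \t]+$/, "", v)
            val = v
        }
        END { if (val != "") print val }' "$1"
}

# Print the device of the first uncommented fstab entry mounted on "/".
fstab_root() {   # $1 = fstab path
    [ -f "$1" ] || return 0
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# Report where the kernel will be told to find the root file system.
check_bootarea() {   # $1 = mount point of the unencrypted boot area
    area=$1; rc=0
    [ -d "$area/boot" ] || { echo "missing: $area/boot"; rc=1; }
    src=$(loader_var "$area/boot/loader.conf" vfs.root.mountfrom)
    if [ -n "$src" ]; then
        dev=${src#*:}; how=loader.conf     # drop the "ufs:" / "zfs:" prefix
    else
        dev=$(fstab_root "$area/etc/fstab"); how=fstab
    fi
    if [ -z "$dev" ]; then
        echo "missing: no / entry in $area/etc/fstab and no vfs.root.mountfrom"
        return 1
    fi
    echo "root device $dev (from $how)"
    return $rc
}

if [ $# -gt 0 ]; then check_bootarea "$1"; fi
```

Run it with the mount point of the boot area as its only argument; a non-zero exit status means /boot or the root specification is missing.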