Page MenuHomeFreeBSD

Allow to verify keys in geli.
ClosedPublic

Authored by oshogbo on Apr 7 2018, 9:55 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 22, 6:17 PM
Unknown Object (File)
Oct 10 2024, 6:51 PM
Unknown Object (File)
Oct 1 2024, 9:55 PM
Unknown Object (File)
Sep 18 2024, 12:39 AM
Unknown Object (File)
Sep 15 2024, 4:01 AM
Unknown Object (File)
Sep 12 2024, 1:05 PM
Unknown Object (File)
Sep 5 2024, 1:48 AM
Unknown Object (File)
Sep 4 2024, 2:23 PM
Subscribers

Details

Summary

Introduce dry run options in geli attach.
This will allow us to verify if passphrase and key is valid without need to decrypt whole device.
This can be useful for example when we changed key and we wan't to verify it.
The device for this can be mounted or not.

Next step will be to introduce an optional flag to say which slot to use.
This can be useful to verify as well as in normal decryption.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

sbin/geom/class/eli/geli.8
427–428

What is the problem with -r -n?

-r just modifies attach to be readonly, and -n uses the device read-only. Right?

Even -d is just a modifier for attach, and dry run overrides. I don't really see a need to enforce exclusive use of these options.

sys/geom/eli/g_eli_ctl.c
96

Probably this should be if (*dryrun && (*detach || *readonly)) if we actually want to enforce the constraint.

Maybe an if (*detach && *readonly) check is needed too. But as-is is wrong.

sbin/geom/class/eli/geli.8
425

without decrypting *the* device

427–428

If we are going to keep this, it should probably say *or* instead of and

oshogbo marked 4 inline comments as done.

Thanks @cem and @allanjude

sbin/geom/class/eli/geli.8
427–428

Yea I was unsure about that but because it's just dry-run we should allow any flags.

This revision is now accepted and ready to land.Apr 9 2018, 8:41 PM

Thanks for working on this

This revision was automatically updated to reflect the committed changes.