FreeBSD rc script for unlocking a geli encrypted zvol
| #!/bin/sh | |
| # | |
| # $FreeBSD$ | |
| # | |
| # PROVIDE: enczfs | |
| # REQUIRE: sshd | |
| # BEFORE: iocage | |
| # KEYWORD: shutdown | |
| # | |
| . /etc/rc.subr | |
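name="enczfs"
rcvar="enczfs_enable"
start_cmd="${name}_start"
start_precmd="${name}_start_precmd"
start_postcmd="${name}_start_postcmd"
stop_cmd="${name}_stop"
#stop_precmd="stop_precmd"
#stop_postcmd="stop_postcmd"

# Load rc.conf first so the defaults below only fill in what the
# administrator did not configure.
load_rc_config $name

# Tunables (override in /etc/rc.conf or /etc/rc.conf.d/enczfs):
#  enczfs_pool           zpool that lives on the encrypted provider
#  enczfs_pipe           FIFO the key file is written into.  /tmp is kept as
#                        the historical default, but it is world-writable:
#                        another local user can pre-create that path and
#                        break (or, with lax modes, read) the key hand-off.
#                        Prefer a root-only directory such as /var/run on a
#                        host where anyone else has a shell.
#  enczfs_pipe_mode      permissions of the FIFO.  0600 so that only root can
#                        open it and read the key bytes while they sit in the
#                        pipe; relax only if a non-root operator must write
#                        the key.
#  enczfs_keysize        size of the geli key file in bytes
#  enczfs_geli_provider  geli provider to attach (".eli" is appended on detach)
: ${enczfs_enable:=no}
: ${enczfs_pool="enc"}
: ${enczfs_pipe="/tmp/enc.fifo"}
: ${enczfs_pipe_mode="0600"}
: ${enczfs_keysize="512"}
: ${enczfs_geli_provider="/dev/gpt/enc"}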
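enczfs_start_precmd()
{
	# Tell the operator (via Pushover) that the host is up and about to
	# block waiting for the geli key.  The notification is best-effort:
	# rc.subr skips start_cmd when start_precmd returns non-zero (unless
	# rc_force is set), so a missing pushover.sh or a network outage must
	# not stop the pool from ever being unlocked.  Always returns 0.
	/usr/local/bin/pushover.sh "[$(hostname)] Please unlock the zpool $enczfs_pool" ||
		warn "unlock notification failed, continuing without it"
	return 0
}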
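enczfs_start_postcmd()
{
	# Confirm to the operator (via Pushover) that the pool is imported.
	# Best-effort only: the pool is already up at this point, so a failed
	# notification must not turn a successful start into a reported
	# failure.  Always returns 0.
	/usr/local/bin/pushover.sh "[$(hostname)] Successfully unlocked the zpool $enczfs_pool" ||
		warn "unlock-complete notification failed"
	return 0
}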
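enczfs_start()
{
	# Block until a valid geli key for $enczfs_geli_provider arrives on the
	# FIFO $enczfs_pipe, attach the provider, then import $enczfs_pool.
	# The key only ever passes through the FIFO (never a file on disk) and
	# the FIFO is removed once geli has accepted a key.
	# Returns 0 once the pool is imported, 1 if the FIFO cannot be created
	# or the import fails.
	local _pipe _mode

	_pipe="$enczfs_pipe"
	# Root-only by default: a group/world-readable FIFO lets any local
	# user open it for reading and race dd for the key bytes.
	_mode="${enczfs_pipe_mode:-0600}"

	echo -n "Unlocking zpool $enczfs_pool... "

	# A FIFO left behind by an interrupted start (e.g. the host was
	# rebooted while blocked here) would make mkfifo fail, so clear the
	# path first.  In a world-writable directory the entry may also be
	# someone else's file or symlink; never read a key from such a thing,
	# and never silently fall through if mkfifo fails.
	rm -f -- "$_pipe"
	if ! mkfifo -m "$_mode" "$_pipe"; then
		echo "failed"
		warn "cannot create key FIFO $_pipe"
		return 1
	fi

	# Read exactly enczfs_keysize bytes.  bs=1 is deliberate: with
	# bs=$enczfs_keysize count=1 a short read on the pipe (key arriving in
	# several chunks, e.g. over ssh) would hand geli a truncated key.
	# Each iteration blocks until a writer opens the FIFO.
	while true; do
		if dd if="$_pipe" bs=1 count="$enczfs_keysize" 2>/dev/null |
		    geli attach -k - -p "$enczfs_geli_provider"; then
			break
		fi
		warn "geli attach $enczfs_geli_provider failed, waiting for another key"
	done

	rm -f -- "$_pipe"
	if ! zpool import "$enczfs_pool"; then
		echo "failed"
		# Leave the provider attached so the operator can inspect it and
		# import by hand rather than having to resend the key.
		warn "provider attached but zpool import $enczfs_pool failed"
		return 1
	fi
	echo "done!"
	return 0
}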
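enczfs_stop()
{
	# Reverse of enczfs_start: export the pool, then detach the geli
	# provider so the key material leaves the kernel.  Each step is
	# checked; a busy pool (a consumer such as iocage still running) or a
	# failed detach is reported and returned as non-zero instead of being
	# masked by an unconditional "done!".
	echo -n "Locking zpool $enczfs_pool... "
	if ! zpool export "$enczfs_pool"; then
		echo "failed"
		warn "zpool export $enczfs_pool failed, provider left attached"
		return 1
	fi
	if ! geli detach "${enczfs_geli_provider}.eli"; then
		echo "failed"
		warn "geli detach ${enczfs_geli_provider}.eli failed"
		return 1
	fi
	echo "done!"
	return 0
}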
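# rc.conf was already loaded above, before the defaults were applied;
# loading it a second time here only re-sources the same files.
run_rc_command "$1"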
Just a quick explanation...
I have a FreeBSD VPS with ZFS on root and wanted an encrypted filesystem. Rather than use GELI whole disk encryption and rely on the security of my VPS provider's console to unlock the zroot, I opted for an encrypted zvol that I can unlock via ssh.
I make use of iocage, which lives in the enc zpool. This way all of my "service" data is encrypted, and the `BEFORE: iocage` clause guarantees the encrypted zpool is unlocked and available before iocage starts any of my jails. Unlocking is straightforward: once the script is blocked waiting, write the geli key file into the FIFO it reads from (`/tmp/enc.fifo` by default).
I added the `start_precmd` / `start_postcmd` pushover calls so that I get notified on my phone if, for some reason, my VPS provider reboots my machine and it blocks waiting to be unlocked.