Problem in attaching newly encrypted disk

Allan Fields bsd at
Mon Jul 5 12:26:20 PDT 2004

On Mon, Jul 05, 2004 at 07:31:55PM +0200, tthorsten at wrote:
> >Date: Mon, 5 Jul 2004 12:50:30 -0400
> >From: Allan Fields <bsd at>
> >To: tthorsten at
> >Cc: freebsd-geom at
> >Subject: Re: Problem in attaching newly encrypted disk
> >
> >On Mon, Jul 05, 2004 at 06:26:34PM +0200, tthorsten at wrote:
> >>Hi,
> >>
> >>I have a serious problem after I have done the following steps:
> >>
> >>Initialized new encrypted disk with
> >> gbde init /dev/ad1s1c -i -L /etc/gbde/ad1s1c
> >>  -> sector_size = 2048
> >>  -> one key
> >>
> >>Attached it to the kernel via
> >> gbde attach ad1s1c -l /etc/gbde/ad1s1c
> >>
> >>Created new filesystem with
> >> newfs -U /dev/ad1s1c.bde
> >>
> >>Mounted the filesystem with
> >> mount /dev/ad1s1c.bde /dsk
> >>
> >>Then I put all my private data onto the newly created encrypted disk and
> >>unmounted and detached it from kernel before halting the system.
> >>
> >>When I started the system again and tried to attach the disk again with
> >> gbde attach ad1s1c -l /etc/gbde/ad1s1c
> >>NOTHING HAPPENS! There will no /dev/ad1s1c.bde device there to mount.
> >>The Passphrase is correct!
> >
> >Hmm.. you're volume may be corrupted now, see below..

Before you assume so, maybe think about the password for a while.
Sometimes we can change passwords slightly depending on what hour
they were entered.

You can't totally rule it out that you just didn't remember / type

Closer examination of the usr.sbin/gbde code and some debugging could
narrow down where you are running out of luck during attach.

> >>What went wrong? Does anybody have an answer or is all my data lost?
> >
> >Simple answer: yes, and this is one of the risks with all encrypted
> >file systems.  Probablly quite challenging to get it back absent
> >backups.

> >>I would be very happy, if anybody could help me with this.
> >
> >Is it possible you've written boot code on-top of the encrypted volume?
> >Those strings look to belong to boot loader.
> >
> >You probably shouldn't have used the raw partition for the encrypted 
> >volume,
> >next time disklabel the disk and use /dev/ad1s1a .  I don't know why you
> >want boot code on the second disk anyhow.
> >
> Hmm, seems really to be boot loader code. But I did not use fdisk or 
> disklabel
> after creation of the encrypted disk.

Maybe it isn't overwritten then and you just have boot code left-over
from when you originally labeled the disk.. unless something could
have over-writen, it's hard to think of other likely scenarios.

> Did not know that its better to not use the raw partition :-(

Well, I guess it doesn't matter unless something assumes that it
can write over the first sectors containing your data.

The good news is you still have your lock selector file (-L/-l).

PHK: wouldn't the BDE class / GEOM prevent boot code from being
written to the underlying partition (provider) if it were attached
at the time?

 Allan Fields, AFRSL -
 2D4F 6806 D307 0889 6125  C31D F745 0D72 39B4 5541

More information about the freebsd-geom mailing list