geli metadata backup

Robert Simmons rsimmons0 at gmail.com
Mon Mar 5 15:37:13 UTC 2012


On Mon, Mar 5, 2012 at 7:52 AM, RW <rwmaillists at googlemail.com> wrote:
> On Sat, 3 Mar 2012 17:24:15 -0500
> Robert Simmons wrote:
>
>> What exactly is contained in the metadata backup
>> file /var/backups/_prov_.eli ?
>
> I don't know exactly what's in the metadata, but the most important
> thing is that it contains copies of the master key encrypted with the
> user keys. If the metadata sector on the partition is corrupted then
> you can't access your data.

As far as I can tell, the metadata backup is made when the provider is
created.  It is only updated when the keys/passphrases change or if
the volume size is changed.  It doesn't have a component that is
updated constantly, correct?

>
>> Obviously, since I keep /var inside of the encrypted provider, the
>> default location is a bad place for a backup.  Where would a good
>> location be to save this metadata using the -B switch for geli init
>> other than the default?
>
> Anywhere you like except inside the volume it backs up - preferably
> offline. It is also somewhat sensitive. If someone else has the
> metadata and the passphrase/keyfile, then changing or deleting the key
> on disk won't help - you would have to dump the data and create a new
> geli partition.

I gather that the best thing to do would be to write this backup file
to a USB key when the provider is created then store that somewhere
safe with maybe another copy burned to a CD for added safety, correct?
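The point made twice in this thread, that the metadata copy must not live inside the volume it protects and that it is sensitive in its own right, is the kind of thing a script should check before writing anything. The following is an added example, not code from the thread or from FreeBSD: a small POSIX sh guard that refuses a backup path under the encrypted filesystem's mountpoint, and a wrapper that then writes the copy with `geli backup` using restrictive permissions. The device name (ada0p2), mountpoint (/var) and USB path (/mnt/usb) are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeBSD): a location
# guard for the geli metadata backup plus the commands that create and
# refresh it. Device, mountpoint and backup path names are assumed samples.

# geli_backup_path_ok MOUNTPOINT BACKUPFILE
# Returns 0 if BACKUPFILE is an absolute path outside the filesystem mounted
# at MOUNTPOINT (the filesystem that lives on the encrypted provider),
# 1 otherwise. Symlinks are not resolved, so pass canonical paths.
# A mountpoint of "/" rejects every local path, which is the right answer
# when the root filesystem itself is on the encrypted provider.
geli_backup_path_ok() {
  mnt=$1
  file=$2
  case "$file" in
    /*) ;;
    *) return 1 ;;        # relative paths depend on the cwd; refuse them
  esac
  case "$mnt" in
    */) ;;
    *) mnt="$mnt/" ;;     # trailing slash so /var does not match /varnish
  esac
  case "$file" in
    "$mnt"*) return 1 ;;  # inside the volume the metadata protects
    *) return 0 ;;
  esac
}

# geli_metadata_backup MOUNTPOINT PROVIDER BACKUPFILE
# Writes a fresh copy of the provider's metadata with `geli backup` after the
# location check above. Run it again after any key or passphrase change so the
# offline copy matches what is on disk. Needs root on a FreeBSD host.
geli_metadata_backup() {
  geli_backup_path_ok "$1" "$3" || {
    echo "refusing: $3 is inside the encrypted volume mounted at $1" >&2
    return 1
  }
  # The file holds the master key (encrypted with the user keys), so keep
  # it readable by root only; the subshell scopes the umask change.
  ( umask 077 && geli backup "$2" "$3" )
}

# Sample invocation (assumed names): provider ada0p2 holds /var, so the
# initial backup is sent to a mounted USB key instead of /var/backups.
#   geli init -B /mnt/usb/ada0p2.eli -s 4096 -l 256 /dev/ada0p2
#   geli_metadata_backup /var /dev/ada0p2 /mnt/usb/ada0p2.eli
#   geli dump /dev/ada0p2      # inspect the on-disk metadata
# If the metadata sector is ever damaged:
#   geli restore /mnt/usb/ada0p2.eli /dev/ada0p2
```

The prefix check is deliberately string-based: it is cheap, needs no extra tools, and catches the case the thread warns about (a default of /var/backups with /var on the provider). It does not see through symlinks or bind-style mounts, so canonicalise the paths first if those are in play on the host.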

