Encrypted slice with geli

Bill Moran wmoran at potentialtech.com
Tue Apr 21 12:41:31 UTC 2009

In response to Bernt Hansson <bernt at bah.homeip.net>:

> Giorgos Keramidas said the following on 2009-04-20 23:59:
> > On Mon, 20 Apr 2009 21:38:54 +0200, Bernt Hansson <bernt at bah.homeip.net> wrote:
> >> Hello list!
> >>
> >> I was thinking of making a slice encrypted with geli.
> >>
> >> My question is: does geli init -s 4096 /dev/ad* erase the data on the
> >> slice. The handbook didn't say yes or no, and I don't want to try
> >> without asking.
> > 
> > No, 
> No, what? Does it erase the data or not?

It depends on exactly what part of the process you're talking about,
and it depends on exactly what you mean by "erase".

Geli doesn't explicitly destroy your data at any point in the process.
However, most HOWTOs I've read will tell you at some step or another
to overwrite the partition using dd and /dev/zero, which _does_
destroy the data.

Also, even if you skip the dd step, geli will alter the partition in
such a way that typical tools will not see the data.  However, if you
know your stuff, you can bypass normal tools and still read (part of?)
the data.

So, if your question is "I want to securely destroy the data on a 
partition, can geli do that?" the answer is No.

If your question is, "I'm switching a partition to using geli, do I
need to back up my data before doing so?" the answer is YES!

> But I want to keep the info on the slice.

Then you need to copy it elsewhere, then copy it back after the slice
is encrypted.

Bill Moran
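
The copy-out, encrypt, copy-back sequence from the reply above, as an added example that is not part of the original message. It refuses to touch the slice until a readable backup archive exists. The device name, mount point, archive path, the use of tar and UFS, and the DRY_RUN wrapper are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: back up, verify, then encrypt. Device, mount point and
# archive path are placeholders (assumptions), not values from the thread.
DRY_RUN=${DRY_RUN:-1}          # 1 = only print the destructive commands

run() {                        # echo in dry-run mode, execute otherwise
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# True only if the archive exists, is non-empty and can be listed.
backup_ok() {                  # $1 = archive file
    [ -s "$1" ] && tar -tf "$1" >/dev/null 2>&1
}

# Archive the mounted file system, then confirm the archive is readable.
# The archive must live on a different file system than the slice.
backup_slice() {               # $1 = mount point, $2 = archive file
    tar -cf "$2" -C "$1" . || return 1
    backup_ok "$2"
}

# Replace the plain file system with a geli-encrypted one and restore.
encrypt_slice() {              # $1 = device, $2 = mount point, $3 = archive
    backup_ok "$3" || { echo "no verified backup, refusing" >&2; return 1; }
    run umount "$2"
    run geli init -s 4096 "$1"     # prompts for a passphrase
    run geli attach "$1"           # creates the $1.eli provider
    run newfs "$1.eli"             # new file system: old contents are gone
    run mount "$1.eli" "$2"
    run tar -xpf "$3" -C "$2"      # copy the data back
}

# Usage (dry run by default; set DRY_RUN=0 to execute on FreeBSD):
#   backup_slice  /mnt/data /backup/data.tar
#   encrypt_slice /dev/ad4s1e /mnt/data /backup/data.tar
```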
