Encrypted slice with geli

Roland Smith rsmith at xs4all.nl
Wed Apr 22 05:47:36 UTC 2009


On Wed, Apr 22, 2009 at 02:42:11AM +0200, Bernt Hansson wrote:
> Bill Moran said the following on 2009-04-21 14:41:
> > In response to Bernt Hansson <bernt at bah.homeip.net>:
> > 
> >> Giorgos Keramidas said the following on 2009-04-20 23:59:
> >>> On Mon, 20 Apr 2009 21:38:54 +0200, Bernt Hansson <bernt at bah.homeip.net> wrote:
> >>>> Hello list!
> >>>>
> >>>> I was thinking of making a slice encrypted with geli.
> >>>>
> >>>> My question is: does geli init -s 4096 /dev/ad* erase the data on the
> >>>> slice. The handbook didn't say yes or no, and I don't want to try
> >>>> without asking.
> >>> No, 
> >> No, what? Does it erase the data or not?
> > 
> > It depends on exactly what part of the process you're talking about
> 
> 
> My question is: does geli init -s 4096 /dev/ad* erase the data on the
> slice

It only uses the last sector to store the metadata. See geli(8).

> > and it depends on exactly what you mean by "erase".
> 
> Destroy it so it's no longer available.
> 
> > Geli doesn't explicitly destroy your data at any point in the process.
> > However, most HOWTOs I've read will tell you at some step or another
> > to overwrite the partition using dd and /dev/zero, which _does_
> > destroy the data.
> 
> Yes. That much I do know.
> 
> > Also, even if you skip the dd step, geli will alter the partition in
> > such a way that typical tools will not see the data.  However, if you
> > know your stuff, you can bypass normal tools and still read (part of?)
> > the data.
> 
> Not good.

Hence the advice to overwrite the partition with zeros beforehand.

> > If your question is, "I'm switching a partition to using geli, do I
> > need to back up my data before doing so?" the answer is YES!
> 
> I do NOT want to backup the data unencrypted.

Then get an encrypted backup. E.g. a disk with a USB connection that you
can encrypt and use as a back-up.

If you want to convert a filesystem in-place, I don't think that's
possible with the current tools. But it might be possible to create a
tool to do that. That tool should do the following:

initialize and attach the geli provider.
(daXs1a is the unencrypted partition)
(N is the number of sectors on that partition)
for k=1 to N-1 do
    read sector k from device daXs1a
    write sector k to device daXs1a.eli
done

Note that this is kinda fragile. One botched sector and there will be
trouble. It is also not optimized, because it will also encrypt sectors
that aren't in use in the original filesystem.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
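To make the sector-copy loop sketched in the message above concrete, here is an added Python simulation (example code, not Roland's and not geli): an in-memory stand-in for daXs1a, a placeholder per-sector transform standing in for the real .eli cipher, and the bookkeeping the "fragile" remark asks for, i.e. verifying each sector after it is written and checkpointing progress so that a resumed run never transforms a sector twice. The device, key and data are all constructed.

```python
import hashlib

SECTOR = 512  # bytes per sector, as in geli init -s 512

def eli_transform(key, k, data):
    # Placeholder for what the .eli provider does to sector k: XOR with a
    # keystream derived from key and sector number. Self-inverse, so the same
    # call decrypts. Constructed stand-in, NOT geli's real AES cipher.
    stream = hashlib.sha256(key + k.to_bytes(8, "big")).digest()
    stream = (stream * (len(data) // 32 + 1))[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

class Device:
    """In-memory block device of n_sectors sectors (stand-in for daXs1a)."""
    def __init__(self, n_sectors, data=b""):
        self.n = n_sectors
        self.buf = bytearray(data.ljust(n_sectors * SECTOR, b"\0")[:n_sectors * SECTOR])
    def read(self, k):
        return bytes(self.buf[k * SECTOR:(k + 1) * SECTOR])
    def write(self, k, data):
        self.buf[k * SECTOR:(k + 1) * SECTOR] = data

def convert_in_place(dev, key, progress=None, stop_at=None):
    """Read each sector from the plain device and write it back through the
    eli layer, leaving the last sector for geli's metadata. `progress` is a
    checkpoint: resuming from it avoids transforming a sector twice, which
    would corrupt it. `stop_at` simulates an interruption for testing."""
    progress = progress if progress is not None else {"next": 0}
    for k in range(progress["next"], dev.n - 1):
        if stop_at is not None and k >= stop_at:
            return progress           # interrupted; caller can resume later
        plain = dev.read(k)
        dev.write(k, eli_transform(key, k, plain))
        # Read back through the eli layer before moving on: one botched
        # sector must stop the run rather than be silently skipped.
        if eli_transform(key, k, dev.read(k)) != plain:
            raise IOError(f"sector {k} did not verify; stop here")
        progress["next"] = k + 1
    dev.write(dev.n - 1, b"GELI metadata placeholder".ljust(SECTOR, b"\0"))
    return progress

def read_through_eli(dev, key, k):
    return eli_transform(key, k, dev.read(k))  # what daXs1a.eli would show

if __name__ == "__main__":
    key = b"\x01" * 32                       # constructed key
    dev = Device(8, b"".join(bytes([i]) * SECTOR for i in range(7)))
    convert_in_place(dev, key)
    print(read_through_eli(dev, key, 3)[:4])  # b'\x03\x03\x03\x03'
```

Running the conversion a second time without its checkpoint re-transforms the already-converted sectors, which is exactly the "one botched sector and there will be trouble" failure mode.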