harddrive encryption

Roland Smith rsmith at xs4all.nl
Mon Jan 17 23:17:44 UTC 2011


On Mon, Jan 17, 2011 at 02:38:38PM -0800, Chip Camden wrote:
> Quoth Chuck Swiger on Monday, 17 January 2011:
> > On Jan 17, 2011, at 12:30 PM, Alokat wrote:
> > > is it possible to encrypt my full harddrive (excluding /boot) during a freebsd installation. Or do I have to do this after the installation manually?
> > 
> > I don't believe the current installer knows about HD encryption.  Do it after the install by following the fine documentation in the handbook:
> > 
> >   http://www.freebsd.org/doc/handbook/disks-encrypting.html
> > 
> > Regards,
> 
> One thing I don't get from that fine documentation:  is it possible to
> take an existing hard drive with data and encrypt it?  Or do I have to
> create a new encrypted partition and copy all the files to it?

It is not supported to encrypt in-situ, to the best of my knowledge. But that
does not make it impossible. The question is if it is worth the risk? :-)

If you use geli(8) on e.g. /dev/da0s1, an encrypted device /dev/da0s1.eli is
created. The last sector of /dev/da0s1 is used to store the GEOM data, so
/dev/da0s1.eli is a sector smaller than /dev/da0s1. But the devices
overlap. If you are _certain_ that the original filesystem on /dev/da0s1 does
not use the last sector, you might get away with copying the data from
/dev/da0s1 to /dev/da0s1.eli sequentially. (As in read sector N..M from da0s1
into memory, and write it to sector N..M of /dev/da0s1.eli, then make N=M+1
and repeat.) But be _very_ careful not to overwrite the last sector of
/dev/da0s1, or you will lose the GEOM data that identifies /dev/da0s1.eli,
making it unusable.

The problem here is that you are probably going to copy many sectors that are
not used by the original filesystem. (Keep in mind that as soon as you start
writing to the start of /dev/da0s1.eli, the _filesystem_ on /dev/da0s1 becomes
corrupted and useless)

And it would be wise to make a backup of the data before trying something like
this!

Since you are making a backup, why not just run geli(8), newfs(8) the new
encrypted partition and restore the data? I don't think it is much slower, and
it is a _lot_ safer.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
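A small model of the overlap argument in the message above, added here as an illustration; it is not code from the post or from FreeBSD. It stands in for geli(8) with a constructed per-sector keystream and a constructed metadata marker (neither is geli's real cipher or on-disk format), models /dev/da0s1 as an in-memory sector array, and walks the sequential read-N/write-N copy, the refusal when the filesystem reaches into the last sector, and the failure when that last sector is overwritten:

```python
import hashlib

SECTOR = 512
MAGIC = b"GEOM::ELI"  # constructed marker, not the real geli metadata layout


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Provider:
    """A plain block device such as /dev/da0s1, modelled as nsectors sectors."""

    def __init__(self, nsectors):
        self.nsectors = nsectors
        self.buf = bytearray(nsectors * SECTOR)

    def read(self, n):
        if not 0 <= n < self.nsectors:
            raise IndexError("sector out of range")
        return bytes(self.buf[n * SECTOR:(n + 1) * SECTOR])

    def write(self, n, data):
        if not 0 <= n < self.nsectors or len(data) != SECTOR:
            raise IndexError("bad sector write")
        self.buf[n * SECTOR:(n + 1) * SECTOR] = data


def keystream(key, sector):
    """Constructed per-sector keystream; a stand-in for geli's cipher, NOT its algorithm."""
    out, ctr = b"", 0
    while len(out) < SECTOR:
        out += hashlib.sha256(key + sector.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:SECTOR]


class Eli:
    """The .eli view: provider sectors 0..N-2 are data, sector N-1 holds the metadata."""

    def __init__(self, provider, key):
        self.provider, self.key = provider, key
        self.nsectors = provider.nsectors - 1  # one sector smaller than the provider

    @staticmethod
    def init(provider, key):
        meta = MAGIC + hashlib.sha256(key).digest()  # constructed: magic + key fingerprint
        provider.write(provider.nsectors - 1, meta.ljust(SECTOR, b"\0"))

    @staticmethod
    def attach(provider, key):
        meta = provider.read(provider.nsectors - 1)
        if meta[:len(MAGIC) + 32] != MAGIC + hashlib.sha256(key).digest():
            raise ValueError("no usable GEOM metadata in the last sector")
        return Eli(provider, key)

    def read(self, n):
        if not 0 <= n < self.nsectors:
            raise IndexError("sector out of range")
        return xor(self.provider.read(n), keystream(self.key, n))

    def write(self, n, data):
        if not 0 <= n < self.nsectors:
            raise IndexError("sector out of range")
        self.provider.write(n, xor(data, keystream(self.key, n)))


def encrypt_in_place(provider, key, fs_sectors):
    """Sequential copy: read plain sector n, write it to .eli sector n, n ascending.
    Refuses if the filesystem would need the last provider sector."""
    if fs_sectors > provider.nsectors - 1:
        raise ValueError("filesystem uses the last sector, which the metadata needs")
    Eli.init(provider, key)
    eli = Eli.attach(provider, key)
    for n in range(fs_sectors):
        plain = provider.read(n)  # read sector n before it is overwritten...
        eli.write(n, plain)       # ...because this lands ciphertext on provider sector n
    return eli


KEY = b"example-key-not-derived-from-a-real-passphrase"  # constructed


def in_place_roundtrip():
    """Filesystem on sectors 0..6 of an 8-sector provider; sector 7 is free for metadata."""
    prov, fs_sectors = Provider(8), 7
    for n in range(fs_sectors):
        prov.write(n, bytes([0x41 + n]) * SECTOR)  # constructed sample sectors
    original = [prov.read(n) for n in range(fs_sectors)]
    eli = encrypt_in_place(prov, KEY, fs_sectors)
    decrypted = [eli.read(n) for n in range(fs_sectors)]
    scrambled = all(prov.read(n) != original[n] for n in range(fs_sectors))
    return decrypted == original and scrambled


def last_sector_in_use_is_refused():
    try:
        encrypt_in_place(Provider(8), KEY, fs_sectors=8)
    except ValueError:
        return True
    return False


def clobbering_metadata_breaks_attach():
    """The mistake the post warns about: a copy that also writes the provider's last sector."""
    prov = Provider(8)
    encrypt_in_place(prov, KEY, 7)
    prov.write(7, b"\xff" * SECTOR)
    try:
        Eli.attach(prov, KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(in_place_roundtrip(), last_sector_in_use_is_refused(), clobbering_metadata_breaks_attach())
```

The model captures why the forward copy works at all (each plain sector is read before the ciphertext for the same sector overwrites it) and why the two hazards in the message are fatal: a filesystem that extends into the last sector has nowhere to put the metadata, and any write to that sector after `geli init` makes the provider unattachable. It does not model a crash halfway through, which leaves the provider half plaintext and half ciphertext; that is the risk the backup-and-restore route avoids.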