gbde and geli - differences

Roland Smith rsmith at
Wed Mar 21 22:15:53 UTC 2007

On Wed, Mar 21, 2007 at 06:33:19PM +0000, RW wrote:
> How do you attach the dvd content?
> # geli attach /dev/cd0
> Cannot read metadata from /dev/cd0: Invalid argument.
> geli attach -r /dev/cd0
> Cannot read metadata from /dev/cd0: Invalid argument.

I get the same error. Odd. I thought I used that trick before. It
definitely works on the USB drives that I use as primary backup (no
memory disk necessary in that case).

The following is what I currently use to make encrypted backups to DVD, because
it requires less interaction:

I bundle appropriate numbers of files and directories up in tarfiles
(bzip2-ed unless it contains photos etc), so that every tarfile is slightly
under DVD size. I've put this in a script, because a lot of my
directories don't grow very fast. Alternatively you can use a tool like
dirsplit ( to make file catalogs.

Next I encrypt every tarfile with ccrypt(1) from ports, because it uses
the Rijndael (aes) cipher. You can use another encryption program if you
like, like enc(1) from OpenSSL with the Blowfish cipher, or gnupg with a
symmetric cipher like aes256 or twofish or blowfish if you don't want to
keep a separate key. Don't use crypt(1) or bdes(1), they're not
considered safe anymore.

The encrypted file is then directly burned (as an image) with growisofs.

To extract the contents I use the following command:

cat /dev/cd0|ccrypt -d|tar xjf -

The file is cat-ed because ccrypt doesn't want to open device files.

This might be overkill, depending on who you're trying to protect the
data from. If you burn the unencrypted tarfile to DVD, the average
Windows user wouldn't have a clue how to open it. Of course a 'file -s'
would tell any competent sysadmin that you've burned a tarfile. OTOH, if
you encrypt the data and forget the keyphrase, your data is lost.

[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
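
The bundling and encryption steps described in the message above, as an added shell example that is not Roland Smith's own script. The DVD_KIB limit, the function names and the use of a ccrypt key file (-k) are assumptions, and paths are assumed to contain no tabs or newlines.

```shell
#!/bin/sh
# Assumed limit in KiB: single-layer DVD capacity minus headroom, because
# already-compressed data (photos) does not shrink and tar adds overhead.
DVD_KIB=${DVD_KIB:-4400000}

# plan_sets LIMIT_KIB
# Reads "size_kib<TAB>path" lines on stdin (the output format of `du -sk`)
# and packs them first-fit-decreasing into sets no larger than LIMIT_KIB.
# Prints "set_number<TAB>path"; items that can never fit get set 0.
plan_sets() {
    LC_ALL=C sort -rn | awk -F '\t' -v limit="$1" '
        $1 > limit { print 0 "\t" $2; next }
        {
            for (i = 1; i <= n; i++)
                if (used[i] + $1 <= limit) break
            if (i > n) n = i          # no existing set had room: open one
            used[i] += $1
            print i "\t" $2
        }'
}

# write_image NAME KEYFILE PATH...
# Builds NAME.img as tar | bzip2 | ccrypt (filter mode), then reads the image
# back through the same pipeline used for extraction, so a wrong key or a
# damaged image is caught before the disc is burned.
write_image() {
    name=$1 key=$2; shift 2
    tar cjf - "$@" | ccrypt -e -k "$key" > "$name.img" || return 1
    ccrypt -d -k "$key" < "$name.img" | tar tjf - > /dev/null || {
        echo "verify failed: $name.img" >&2
        return 1
    }
    # Final size check on the real (compressed, encrypted) image.
    [ "$(du -k "$name.img" | cut -f1)" -le "$DVD_KIB" ] || {
        echo "too large for one disc: $name.img" >&2
        return 1
    }
}

# Typical use (hypothetical directories):
#   du -sk "$HOME/photos" "$HOME/src" "$HOME/mail" | plan_sets "$DVD_KIB"
#   write_image backup-1 "$HOME/.backup.key" "$HOME/src" "$HOME/mail"
```

Sizes from du are uncompressed, so the plan is conservative for compressible data; write_image makes the final check on the actual image.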

More information about the freebsd-questions mailing list