Create new geli file system using existing key
dpchrist at holgerdanske.com
Mon Sep 21 05:55:20 UTC 2020
On 2020-09-20 12:44, Kevin Oberman wrote:
> After thinking about this a bit longer, it's not really hard to do what I
> need to do using the resize command. More significantly, I really don't
> need to do this.
>
> Quick explanation of why this would be "helpful". I back up using rsync to a
> USB disk. I simply attach and mount the USB partition and fire up the
> synchronization (with a number of options and exceptions). It's convenient
> to have a single key file on a thumb drive (geli attach -d
> -k/media/keys/FILENAME) with that command as an alias so I just type
> "gattach /dev/gpt/PARTITION". Hey, I'm lazy. A keystroke saved is a
> keystroke earned!
>
> I plan to change the alias to a very short script to pick the correct key
> for the operating and backup partitions. What I type won't change.

So, your backup media is USB hard disk drives, each drive has a GELI
provider (containing a filesystem), the GELI keyfile is on a USB flash
drive, and you have a script "gattach" that attaches the backup disk
GELI providers using the keyfile (?).

I do not believe you need (or want) to have identical GELI metadata on
the USB hard disk drives. I believe you just need to specify the same
keyfile when you create each GELI provider.

Also, I do not believe you need to resize. When you provision a
device as backup media, partition it to use all or most of the available
space, create a GELI provider using the keyfile on the USB flash drive
and a passphrase you have memorized, attach the GELI provider, and
create a filesystem. Done this way, connecting multiple backup drives,
attaching multiple backup GELI containers, and mounting multiple backup
filesystems at the same time should not be a problem.

I presume you have (encrypted) backups of the keyfile (!).

Alternatively, GELI has two "slots" and you can put a (strong)
passphrase alone into the second slot. That way, if you lose everything
except one backup drive and the second passphrase, you can still recover.
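
The provisioning steps and the second-slot passphrase described in the message above, written out as a shell sketch. This is an added example, not part of the original message or the poster's script; the disk name (da0), the GPT label (backup1) and the function names are assumptions, and every command is only printed unless RUN=1 is set.

```shell
#!/bin/sh
# Added example: provision a backup disk as its own GELI provider using the
# shared keyfile, then add a passphrase-only recovery key in the second slot.
# Dry run by default: commands are printed, and executed only when RUN=1.

KEYFILE="${KEYFILE:-/media/keys/FILENAME}"   # keyfile path as quoted in the thread

# Print a command line; execute it only when RUN=1.
run() {
    echo "$*"
    if [ "${RUN:-0}" = 1 ]; then "$@"; fi
}

# provision DISK LABEL
# Partition the disk, create a GELI provider with the keyfile (geli prompts
# for the memorized passphrase), attach it and create a filesystem.
# geli init writes fresh metadata for each provider, so several disks can
# share one keyfile without sharing metadata.
provision() {
    disk=$1
    label=$2
    prov="/dev/gpt/$label"
    run gpart create -s gpt "$disk"
    run gpart add -t freebsd-ufs -a 1m -l "$label" "$disk"
    run geli init -s 4096 -K "$KEYFILE" "$prov"
    run geli attach -k "$KEYFILE" "$prov"
    run newfs -U "$prov.eli"
}

# add_recovery_slot LABEL
# With the provider attached, store a second copy of the master key in
# slot 1. No -K is given, so the new user key is a passphrase alone.
add_recovery_slot() {
    run geli setkey -n 1 "/dev/gpt/$1"
}

# Usage: sh provision.sh da0 backup1        (prints the commands)
#        RUN=1 sh provision.sh da0 backup1  (executes them; destroys data on da0)
if [ $# -eq 2 ]; then
    provision "$1" "$2"
    add_recovery_slot "$2"
fi
```

Run it without RUN=1 first and check the device name in the printed commands before executing anything.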