Create new geli file system using existing key

David Christensen dpchrist at
Mon Sep 21 05:55:20 UTC 2020

On 2020-09-20 12:44, Kevin Oberman wrote:
> After thinking about this a bit longer, it's not really hard to do what I
> need to do using the resize command. More significantly, I really don't
> need to do this.
> Quick explanation of why this would be "helpful". I backup using rsync to a
> USB disk. I simply attach and mount the USB partition and fire up the
> synchronization (with a number of options and exceptions). It's convenient
> to have a single key file on thumb drive (geli attach -d
> -k/media/keys/FILENAME) with that command as an alias so I just type
> "gattach /dev/gpt/PARTITION". Hey, I'm lazy. A keystroke saved is a
> keystroke earned!
> I plan to change the alias to a very short script to pick the correct key
> for the operating and backup partitions. What I type won't change.

So, your backup media is USB hard disk drives, each drive has a GELI 
provider (containing a filesystem), the GELI keyfile is on a USB flash 
drive, and you have a script "gattach" that attaches the backup disk 
GELI providers using the keyfile (?).

I do not believe you need (or want) to have identical GELI metadata on 
the USB hard disk drives.  I believe you just need to specify the same 
keyfile when you create each GELI provider.

Also, I also do not believe you need to resize.  When you provision a 
device as backup media, partition it to use all or most of the available 
space, create a GELI provider using the keyfile on the USB flash drive 
and a passphrase you have memorized, attach the GELI provider, and 
create a filesystem.  Done this way, connecting multiple backup drives, 
attaching multiple backup GELI containers, and mounting multiple backup 
filesystems at the same time should not be a problem.

I presume you have (encrypted) backups of the keyfile (!).

Alternatively, GELI has two "slots" and you can put a (strong) 
passphrase alone into the second slot.  That way, if you lose everything 
except one backup drive and the second passphrase, you can still recover.


More information about the freebsd-questions mailing list