Date: Thu, 27 Feb 2014 23:30:53 +0800
From: Erich Dollansky
To: Polytropon
Subject: Re: Simple disk encryption for off-site backup
Cc: FreeBSD Questions

Hi,

On Thu, 27 Feb 2014 04:59:04 +0100
Polytropon wrote:

> I'm planning to add a new disk next month to my home setup.
> It should be an external USB disk for off-site (really!)
> backup. That's why I would like to see the content encrypted.
> I have no problem with entering a long passphrase when mounting
> the disk for backup or restore operations, and probably I would
> not feel safe enough by just using keys (stored somewhere).
> The file system will be UFS, so there is no need to worry that
> some other OS or "Windows" would not be able to read it. :-)
>
> My question is: What is the _easiest_ mechanism to initialize
> a disk for encrypted use? It should work with FreeBSD 9 and 10
> in the first place.
>

I use geli. There is a huge problem in geli which is not documented. If
you create a container with FreeBSD 10, FreeBSD 9 will not be able to
access it. You must use the oldest version of FreeBSD which is supposed
to work with the disk to create the encrypted container. This would be
9.x in your case.

Erich