Date:      Tue, 18 Jan 2011 00:17:42 +0100
From:      Roland Smith <rsmith@xs4all.nl>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: harddrive encryption
Message-ID:  <20110117231742.GB40523@slackbox.erewhon.net>
In-Reply-To: <20110117223838.GA4732@libertas.local.camdensoftware.com>
References:  <4D34A6EF.30600@alokat.org> <7DC710B0-A2F3-4FAD-A308-05E9299E9188@mac.com> <20110117223838.GA4732@libertas.local.camdensoftware.com>

On Mon, Jan 17, 2011 at 02:38:38PM -0800, Chip Camden wrote:
> Quoth Chuck Swiger on Monday, 17 January 2011:
> > On Jan 17, 2011, at 12:30 PM, Alokat wrote:
> > > is it possible to encrypt my full harddrive (excluding /boot) during a freebsd installation. Or do I have to do this after the installation manually?
> >
> > I don't believe the current installer knows about HD encryption.  Do it after the install by following the fine documentation in the handbook:
> >
> >   http://www.freebsd.org/doc/handbook/disks-encrypting.html
> >
> > Regards,
>
> One thing I don't get from that fine documentation:  is it possible to
> take an existing hard drive with data and encrypt it?  Or do I have to
> create a new encrypted partition and copy all the files to it?

It is not supported to encrypt in-situ, to the best of my knowledge. But that
does not make it impossible. The question is if it is worth the risk? :-)

If you use geli(8) on e.g. /dev/da0s1, an encrypted device /dev/da0s1.eli is
created. The last sector of /dev/da0s1 is used to store the GEOM data, so
/dev/da0s1.eli is a sector smaller than /dev/da0s1. But the devices
overlap. If you are _certain_ that the original filesystem on /dev/da0s1 does
not use the last sector, you might get away with copying the data from
/dev/da0s1 to /dev/da0s1.eli sequentially. (As in read sector N..M from da0s1
into memory, and write it to sector N..M of /dev/da0s1.eli, then make N=M+1
and repeat.) But be _very_ careful not to overwrite the last sector of
/dev/da0s1, or you will lose the GEOM data that identifies /dev/da0s1.eli,
making it unusable.

The problem here is that you are probably going to copy many sectors that are
not used by the original filesystem. (Keep in mind that as soon as you start
writing to the start of /dev/da0s1.eli, the _filesystem_ on /dev/da0s1 becomes
corrupted and useless.)

And it would be wise to make a backup of the data before trying something like
this!

Since you are making a backup, why not just run geli(8), newfs(8) the new
encrypted partition and restore the data? I don't think it is much slower, and
it is a _lot_ safer.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
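A toy simulation of the sector-by-sector copy Roland describes, added here as an example and not part of the thread: the provider and its one-sector-smaller .eli view share the same storage, the last sector holds the metadata, and the copy loop stops at the .eli size so that sector is never written. The XOR keystream and the metadata block are constructed stand-ins, not geli's cipher or on-disk format.

```python
SECTOR = 512  # bytes per sector in this toy model

class Provider:
    """The raw device (think /dev/da0s1): a flat bytearray of whole sectors."""
    def __init__(self, sectors: int):
        self.sectors = sectors
        self.buf = bytearray(SECTOR * sectors)
    def read(self, first: int, count: int) -> bytes:
        return bytes(self.buf[first * SECTOR:(first + count) * SECTOR])
    def write(self, first: int, data: bytes) -> None:
        assert len(data) % SECTOR == 0, "whole sectors only"
        self.buf[first * SECTOR:first * SECTOR + len(data)] = data

class EliView:
    """The .eli device: the provider's sectors minus the last one, which holds the
    metadata. XOR with a keystream stands in for the real cipher (constructed)."""
    META = b"GEOM::ELI metadata (constructed)".ljust(SECTOR, b"\0")

    def __init__(self, prov: Provider, key: bytes):
        self.prov, self.key = prov, key
        self.sectors = prov.sectors - 1
        # "geli init" overwrites the last provider sector; anything there is lost.
        prov.write(prov.sectors - 1, self.META)
    def _xform(self, first: int, data: bytes) -> bytes:
        out = bytearray(data)
        for i in range(len(out)):
            out[i] ^= self.key[(first * SECTOR + i) % len(self.key)]
        return bytes(out)
    def read(self, first: int, count: int) -> bytes:
        if first + count > self.sectors:
            raise ValueError("read past the end of the .eli device")
        return self._xform(first, self.prov.read(first, count))
    def write(self, first: int, data: bytes) -> None:
        if first + len(data) // SECTOR > self.sectors:
            raise ValueError("refusing to clobber the metadata sector")
        self.prov.write(first, self._xform(first, data))

def encrypt_in_place(prov: Provider, eli: EliView, chunk: int = 8) -> int:
    """Read sectors N..M from the provider, write them to N..M of the .eli view,
    set N = M+1, repeat. The loop stops at the .eli size, so the metadata sector
    is never written. Returns the number of sectors copied."""
    n = 0
    while n < eli.sectors:
        m = min(n + chunk, eli.sectors)
        plain = prov.read(n, m - n)  # read before write: the two ranges overlap
        eli.write(n, plain)
        n = m
    return n
```

The model shows both halves of the warning: the provider's last sector is consumed by the metadata as soon as the .eli device exists, and a write through the .eli view that would reach it is refused.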
