From: Roland Smith
To: FreeBSD Questions
Date: Tue, 18 Jan 2011 00:17:42 +0100
Subject: Re: harddrive encryption
Message-ID: <20110117231742.GB40523@slackbox.erewhon.net>
In-Reply-To: <20110117223838.GA4732@libertas.local.camdensoftware.com>
References: <4D34A6EF.30600@alokat.org> <7DC710B0-A2F3-4FAD-A308-05E9299E9188@mac.com> <20110117223838.GA4732@libertas.local.camdensoftware.com>

On Mon, Jan 17, 2011 at 02:38:38PM -0800, Chip Camden wrote:
> Quoth Chuck Swiger on Monday, 17 January 2011:
> > On Jan 17, 2011, at 12:30 PM, Alokat wrote:
> > > is it possible to encrypt my full harddrive (excluding /boot) during a freebsd installation. Or do I have to do this after the installation manually?
> >
> > I don't believe the current installer knows about HD encryption. Do it after the install by following the fine documentation in the handbook:
> >
> > http://www.freebsd.org/doc/handbook/disks-encrypting.html
> >
> > Regards,
>
> One thing I don't get from that fine documentation: is it possible to
> take an existing hard drive with data and encrypt it? Or do I have to
> create a new encrypted partition and copy all the files to it?

It is not supported to encrypt in-situ, to the best of my knowledge. But that
does not make it impossible. The question is if it is worth the risk? :-)

If you use geli(8) on e.g. /dev/da0s1, an encrypted device /dev/da0s1.eli is
created. The last sector of /dev/da0s1 is used to store the GEOM data, so
/dev/da0s1.eli is a sector smaller than /dev/da0s1. But the devices overlap.
If you are _certain_ that the original filesystem on /dev/da0s1 does not use
the last sector, you might get away with copying the data from /dev/da0s1 to
/dev/da0s1.eli sequentially. (As in read sector N..M from da0s1 into memory,
and write it to sector N..M of /dev/da0s1.eli, then make N=M+1 and repeat.)

But be _very_ careful not to overwrite the last sector of /dev/da0s1, or you
will lose the GEOM data that identifies /dev/da0s1.eli, making it unusable.

The problem here is that you are probably going to copy many sectors that are
not used by the original filesystem. (Keep in mind that as soon as you start
writing to the start of /dev/da0s1.eli, the _filesystem_ on /dev/da0s1 becomes
corrupted and useless.)

And it would be wise to make a backup of the data before trying something like
this! Since you are making a backup, why not just run geli(8), newfs(8) the new
encrypted partition and restore the data? I don't think it is much slower, and
it is a _lot_ safer.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
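The sector-by-sector copy and the device overlap Roland describes, as an added toy model that is not part of the original thread and is not geli(8) itself: RawDevice, EliView, _pad, encrypt_in_place and demo are constructed names, the cipher is a stand-in XOR pad, and the metadata is a placeholder string. It shows that the copy only works when the filesystem leaves the last sector free, that each chunk must be read before the same offsets are written, and that the raw filesystem is unusable from the first chunk on.

```python
import hashlib

SECTOR = 512

def _pad(key: bytes, sector: int) -> bytes:
    # Constructed toy cipher: a sha256-derived XOR pad per sector (real geli(8) uses AES).
    return b"".join(hashlib.sha256(key + sector.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
                    for i in range(SECTOR // 32))

class RawDevice:
    """Stand-in for /dev/da0s1: a flat array of sectors (constructed, not a real GEOM provider)."""
    def __init__(self, nsectors: int):
        self.nsectors, self.buf = nsectors, bytearray(nsectors * SECTOR)
    def read(self, first: int, count: int) -> bytes:
        return bytes(self.buf[first * SECTOR:(first + count) * SECTOR])
    def write(self, first: int, data: bytes) -> None:
        self.buf[first * SECTOR:first * SECTOR + len(data)] = data

class EliView:
    """Stand-in for /dev/da0s1.eli: N-1 sectors mapped onto raw sectors 0..N-2; metadata in raw N-1."""
    METADATA = b"GEOM::ELI-TOY"
    def __init__(self, raw: RawDevice, key: bytes):
        self.raw, self.key, self.nsectors = raw, key, raw.nsectors - 1
        raw.write(self.nsectors, self.METADATA.ljust(SECTOR, b"\0"))  # what "geli init" does
    def _xor(self, first: int, data: bytes) -> bytes:
        return b"".join(bytes(a ^ b for a, b in zip(data[i:i + SECTOR], _pad(self.key, first + i // SECTOR)))
                        for i in range(0, len(data), SECTOR))
    def read(self, first: int, count: int) -> bytes:
        return self._xor(first, self.raw.read(first, count))
    def write(self, first: int, data: bytes) -> None:
        if first + len(data) // SECTOR > self.nsectors:
            raise ValueError("refusing to overwrite the metadata sector")
        self.raw.write(first, self._xor(first, data))

def encrypt_in_place(raw: RawDevice, eli: EliView, fs_sectors: int, chunk: int = 4) -> None:
    """Sequential copy from the post: read raw N..M, write .eli N..M, repeat; refuse if the fs could use the last sector."""
    if fs_sectors > eli.nsectors:
        raise ValueError("filesystem uses the last sector; in-place copy would destroy the metadata")
    for n in range(0, fs_sectors, chunk):
        eli.write(n, raw.read(n, min(chunk, fs_sectors - n)))  # read the chunk before writing same offsets

def demo(nsectors: int = 8, fs_sectors: int = 7) -> tuple:
    data = hashlib.sha256(b"constructed fs").digest() * (fs_sectors * SECTOR // 32)  # fake fs contents
    raw = RawDevice(nsectors)
    raw.write(0, data)
    eli = EliView(raw, b"toy-key")
    encrypt_in_place(raw, eli, fs_sectors)
    return (eli.read(0, fs_sectors) == data,   # plaintext still readable through the .eli view
            raw.read(0, fs_sectors) != data,   # the raw filesystem is now ciphertext, i.e. useless
            raw.read(nsectors - 1, 1).startswith(EliView.METADATA))
```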