Date:      Sun, 20 Sep 2020 22:55:11 -0700
From:      David Christensen <>
Subject:   Re: Create new geli file system using existing key

On 2020-09-20 12:44, Kevin Oberman wrote:
> After thinking about this a bit longer, it's not really hard to do what I
> need to do using the resize command. More significantly, I really don't
> need to do this.
> Quick explanation of why this would be "helpful". I backup using rsync to a
> USB disk. I simply attach and mount the USB partition and fire up the
> synchronization (with a number of options and exceptions). It's convenient
> to have a single key file on thumb drive (geli attach -d
> -k/media/keys/FILENAME) with that command as an alias so I just type
> "gattach /dev/gpt/PARTITION". Hey, I'm lazy. A keystroke saved is a
> keystroke earned!
> I plan to change the alias to a very short script to pick the correct key
> for the operating and backup partitions. What I type won't change.

So, your backup media is USB hard disk drives, each drive has a GELI 
provider (containing a filesystem), the GELI keyfile is on a USB flash 
drive, and you have a script "gattach" that attaches the backup disk 
GELI providers using the keyfile (?).

I do not believe you need (or want) to have identical GELI metadata on 
the USB hard disk drives.  I believe you just need to specify the same 
keyfile when you create each GELI provider.

Also, I also do not believe you need to resize.  When you provision a 
device as backup media, partition it to use all or most of the available 
space, create a GELI provider using the keyfile on the USB flash drive 
and a passphrase you have memorized, attach the GELI provider, and 
create a filesystem.  Done this way, connecting multiple backup drives, 
attaching multiple backup GELI containers, and mounting multiple backup 
filesystems at the same time should not be a problem.

I presume you have (encrypted) backups of the keyfile (!).

Alternatively, GELI has two "slots" and you can put a (strong) 
passphrase alone into the second slot.  That way, if you lose everything 
except one backup drive and the second passphrase, you can still recover.
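The provisioning sequence described above (partition the whole disk, `geli init` with the shared keyfile plus a memorized passphrase, a strong passphrase alone in the second slot, then a filesystem) and a small `gattach` helper, as an added example that is not part of this thread. The disk names, the keyfile path `/media/keys/backup.key`, the GPT label and the metadata backup location are assumptions; set `DRY_RUN=1` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original thread. Provisions one USB backup
# disk: a single GPT partition, a GELI provider whose slot 0 is the shared
# keyfile + a memorized passphrase, slot 1 a strong passphrase alone (the
# recovery path if the keyfile is lost), then a UFS filesystem on top.
# Assumed paths; geli prompts for passphrases itself. DRY_RUN=1 only prints.
set -u
KEYFILE="${KEYFILE:-/media/keys/backup.key}"       # assumed keyfile path
META_DIR="${META_DIR:-/var/backups}"                # assumed metadata backup dir

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# provision_backup_disk DISK LABEL   e.g. provision_backup_disk da1 backup0
provision_backup_disk() {
    disk=$1; label=$2
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -r "$KEYFILE" ]; then
        echo "keyfile $KEYFILE is not readable; is the thumb drive mounted?" >&2
        return 1
    fi
    run gpart create -s gpt "/dev/$disk"
    run gpart add -t freebsd-ufs -a 1m -l "$label" "/dev/$disk"
    # Slot 0: keyfile (-K) plus the passphrase geli asks for; -B keeps a
    # copy of the GELI metadata so a damaged header can be restored.
    run geli init -e AES-XTS -l 256 -s 4096 -K "$KEYFILE" \
        -B "$META_DIR/geli-$label.eli" "/dev/gpt/$label"
    run geli attach -k "$KEYFILE" "/dev/gpt/$label"
    # Slot 1: no -K, so the new key component is a passphrase only.
    # The provider is attached, so no current-key components are needed.
    run geli setkey -n 1 "/dev/gpt/$label"
    run newfs -U "/dev/gpt/$label.eli"
}

# gattach PROVIDER MOUNTPOINT: attach with the keyfile, detach on last close.
gattach() {
    run geli attach -d -k "$KEYFILE" "$1" && run mount "$1.eli" "$2"
}

[ $# -eq 0 ] || provision_backup_disk "$@"
```

Run as `sh provision.sh da1 backup0` on the real disk; `geli attach` on any of the drives then needs only the same keyfile and passphrase, with no shared metadata between them.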

