From: David Christensen
To: freebsd-questions@freebsd.org
Subject: Re: Create new geli file system using existing key
Date: Sun, 20 Sep 2020 22:55:11 -0700
On 2020-09-20 12:44, Kevin Oberman wrote:
> After thinking about this a bit longer, it's not really hard to do what I
> need to do using the resize command. More significantly, I really don't
> need to do this.
>
> Quick explanation of why this would be "helpful". I back up using rsync to a
> USB disk. I simply attach and mount the USB partition and fire up the
> synchronization (with a number of options and exceptions). It's convenient
> to have a single key file on a thumb drive (geli attach -d
> -k/media/keys/FILENAME) with that command as an alias so I just type
> "gattach /dev/gpt/PARTITION". Hey, I'm lazy. A keystroke saved is a
> keystroke earned!
>
> I plan to change the alias to a very short script to pick the correct key
> for the operating and backup partitions. What I type won't change.

So, your backup media is USB hard disk drives, each drive has a GELI provider (containing a filesystem), the GELI keyfile is on a USB flash drive, and you have a script "gattach" that attaches the backup disk GELI providers using the keyfile (?).

I do not believe you need (or want) to have identical GELI metadata on the USB hard disk drives.
I believe you just need to specify the same keyfile when you create each GELI provider. Also, I do not believe you need to resize.

When you provision a device as backup media, partition it to use all or most of the available space, create a GELI provider using the keyfile on the USB flash drive and a passphrase you have memorized, attach the GELI provider, and create a filesystem. Done this way, connecting multiple backup drives, attaching multiple backup GELI containers, and mounting multiple backup filesystems at the same time should not be a problem.

I presume you have (encrypted) backups of the keyfile (!).

Alternatively, GELI has two "slots" and you can put a (strong) passphrase alone into the second slot. That way, if you lose everything except one backup drive and the second passphrase, you can still recover.

David
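The procedure David describes (one shared keyfile given to every "geli init", a memorised passphrase in slot 0, a passphrase-only recovery key in slot 1, and a short "gattach" script instead of an alias), written out as an added example. This is not code from either poster; it assumes a keyfile at /media/keys/backup.key, GELI metadata backups written to the same flash drive, providers addressed by GPT label under /dev/gpt/, and mount points under /mnt/<label>. The geli flags are the documented geli(8) ones (-K/-k keyfile, -B metadata backup file, -d detach on last close, setkey -n 1 for the second key slot); everything else is an assumption of this example. DRY_RUN=1 prints the commands instead of running them, which is how the self-check exercises the script without root or a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread: a small "gattach" script that
# provisions and attaches GELI backup disks which all share one keyfile kept
# on a USB flash drive, and adds a passphrase-only recovery key in slot 1.
# Assumptions (not from the original post): the keyfile is $KEYFILE, the
# GELI metadata backups go to $META_DIR, providers are addressed by GPT
# label under /dev/gpt/, and each is mounted at /mnt/<label>.
# Set DRY_RUN=1 to print the commands instead of running them.

KEYFILE="${KEYFILE:-/media/keys/backup.key}"
META_DIR="${META_DIR:-/media/keys}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept either a bare GPT label or a full /dev/gpt/<label> path.
label_of() {
    printf '%s\n' "${1#/dev/gpt/}"
}

# One-time provisioning of a new backup disk.  The same keyfile is passed to
# every "geli init", so keyfile + memorised passphrase unlocks slot 0 of every
# disk, while the metadata still differs per provider because each init
# generates its own random master key and salt.  -B puts the metadata backup
# on the flash drive instead of the default /var/backups/<prov>.eli: the
# metadata sector is the only place the encrypted master key lives.
provision_backup_disk() {
    label="$(label_of "$1")"
    if [ "$DRY_RUN" != 1 ] && [ ! -r "$KEYFILE" ]; then
        echo "keyfile $KEYFILE not readable; is the USB flash drive mounted?" >&2
        return 1
    fi
    run geli init -e AES-XTS -l 256 -s 4096 -K "$KEYFILE" \
        -B "$META_DIR/$label.eli.meta" "/dev/gpt/$label" &&
    run geli attach -d -k "$KEYFILE" "/dev/gpt/$label" &&
    run newfs -U "/dev/gpt/$label.eli"
}

# Day-to-day attach: -d detaches the provider automatically on last close,
# so "umount" alone locks the disk again before it is unplugged.
gattach() {
    label="$(label_of "$1")"
    run mkdir -p "/mnt/$label" &&
    run geli attach -d -k "$KEYFILE" "/dev/gpt/$label" &&
    run mount "/dev/gpt/$label.eli" "/mnt/$label"
}

# Put a passphrase-only key into slot 1 while the provider is attached.
# With the provider attached, geli setkey takes the master key from the
# kernel and only prompts for the new passphrase; no -K means the new slot
# needs no keyfile, so the disk stays recoverable if the flash drive is lost.
add_recovery_passphrase() {
    label="$(label_of "$1")"
    run geli setkey -n 1 "/dev/gpt/$label"
}

# Command-line entry point; with no arguments the file only defines the
# functions, so it can also be sourced from a shell rc file.
case "${1:-}" in
    provision) provision_backup_disk "$2" ;;
    attach)    gattach "$2" ;;
    addpass)   add_recovery_passphrase "$2" ;;
    "")        ;;
    *)         echo "usage: $0 {provision|attach|addpass} <gpt-label>" >&2 ;;
esac
```

Usage: `gattach.sh provision backup2` once per new disk, `gattach.sh addpass backup2` right after that to fill slot 1, and `gattach.sh attach /dev/gpt/backup2` for the daily backup run. Run `DRY_RUN=1 gattach.sh provision backup2` first to see the exact geli commands before touching a disk.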