From: Roland Smith <rsmith@xs4all.nl>
Date: Wed, 22 Apr 2009 07:46:32 +0200
To: Bernt Hansson
Message-ID: <20090422054632.GA17060@slackbox.xs4all.nl>
In-Reply-To: <49EE67E3.5050201@bah.homeip.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Encrypted slice with geli

On Wed, Apr 22, 2009 at 02:42:11AM +0200, Bernt Hansson wrote:
> Bill Moran said the following on 2009-04-21 14:41:
> > In response to Bernt Hansson:
> >
> >> Giorgos Keramidas said the following on 2009-04-20 23:59:
> >>> On Mon, 20 Apr 2009 21:38:54 +0200, Bernt Hansson wrote:
> >>>> Hello list!
> >>>>
> >>>> I was thinking of making a slice encrypted with geli.
> >>>>
> >>>> My question is: does geli init -s 4096 /dev/ad* erase the data on the
> >>>> slice. The handbook didn't say yes or no, and I don't want to try
> >>>> without asking.
> >>> No,
> >> No, what? Does it erase the data or not?
> >
> > It depends on exactly what part of the process you're talking about
>
>
> My question is: does geli init -s 4096 /dev/ad* erase the data on the
> slice

It only uses the last sector to store the metadata. See geli(8).

> > and it depends on exactly what you mean by "erase".
>
> Destroy it so it's no longer available.
>
> > Geli doesn't explicitly destroy your data at any point in the process.
> > However, most HOWTOs I've read will tell you at some step or another
> > to overwrite the partition using dd and /dev/zero, which _does_
> > destroy the data.
>
> Yes. That much I do know.
>
> > Also, even if you skip the dd step, geli will alter the partition in
> > such a way that typical tools will not see the data. However, if you
> > know your stuff, you can bypass normal tools and still read (part of?)
> > the data.
>
> Not good.

Hence the advice to overwrite the partition with zeros beforehand.

> > If your question is, "I'm switching a partition to using geli, do I
> > need to back up my data before doing so?" the answer is YES!
>
> I do NOT want to backup the data unencrypted.

Then get an encrypted backup. E.g. a disk with a USB connection that you
can encrypt and use as back-up.

If you want to convert a filesystem in-place, I don't think that's
possible with the current tools. But it might be possible to create a
tool to do that. That tool should do the following:

initialize and attach the geli provider.
(daXs1a is the unencrypted partition)
(N is the number of sectors on that partition)
for k=1 to N-1 do
  read sector k from device daXs1a
  write sector k to device daXs1a.eli
done

Note that this is kinda fragile. One botched sector and there will be
trouble. It is also not optimized, because it will also encrypt sectors
that aren't in use in the original filesystem.

Roland
-- 
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
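The sector loop Roland sketches, written out with dd(1) as an added example that is not part of the thread. The device name daXs1a, its 512-byte native sectors and the 4096-byte geli sector from the thread's `geli init -s 4096` are assumptions; the sector-count helper also makes explicit the caveat that the .eli provider is one native sector shorter than the partition, so the filesystem must already fit inside it.

```shell
#!/bin/sh
# Added example, not part of the thread: Roland's sector loop written out
# with dd(1). The device name daXs1a, its 512-byte native sectors and the
# 4096-byte geli sector from "geli init -s 4096" are assumptions.
set -eu

# Whole geli sectors the .eli provider exposes. geli(8) keeps its metadata
# in the last native sector of the underlying provider, so the usable size
# is one native sector less, rounded down to a multiple of the geli sector
# size. Filesystem data beyond that point has no home in the encrypted
# provider, so the filesystem must already fit before converting.
# Args: mediasize_bytes native_sectorsize geli_sectorsize
eli_sectors() {
    echo $(( ($1 - $2) / $3 ))
}

# Copy geli sector k from the plain device to the .eli device for k = 0..n-1.
# On the real devices both paths are the same underlying storage, so each dd
# encrypts exactly one sector in place; conv=notrunc keeps dd from
# truncating when the paths are regular files. A failed sector stops the run
# instead of silently moving on, since a botched sector cannot be recovered.
# Args: plain_dev eli_dev geli_sectorsize nsectors
convert_in_place() {
    plain=$1 eli=$2 bs=$3 n=$4 k=0
    while [ "$k" -lt "$n" ]; do
        dd if="$plain" of="$eli" bs="$bs" count=1 skip="$k" seek="$k" \
           conv=notrunc 2>/dev/null || { echo "sector $k failed" >&2; return 1; }
        k=$((k + 1))
    done
}

# Intended use on a real partition (assumed names; diskinfo(8) prints the
# sector size in field 2 and the media size in field 3), after backing up:
#   geli init -s 4096 /dev/daXs1a && geli attach /dev/daXs1a
#   n=$(eli_sectors $(diskinfo /dev/daXs1a | awk '{print $3, $2}') 4096)
#   convert_in_place /dev/daXs1a /dev/daXs1a.eli 4096 "$n"
```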