Other encrypt partition with geli post-install.

Hello all,

I recently made the switch from Linux to FreeBSD. My installation (on a laptop) satisfies me so far, but I realized I left out encryption in the installation process.

I read about geli(8) but I am not willing to re-install from scratch. My threat model is moderate and I was thinking of encrypting only the home partition (I do not care about an eventual thief at a coffee shop dumping the RAM).

my relevant partitions are as follows:

Code:
/dev/ada0p2                                   9.4G    506M    8.2G     6%    /
/dev/ada0p1                                   260M    1.3M    259M     1%    /boot/efi
/dev/ada0p5                                   172G     81G     77G    51%    /home
/dev/ada0p3                                    29G     13G     13G    50%    /usr
/dev/ada0p4                                    19G    3.0G     15G    17%    /var
/dev/mmcsd0p1                                 225G    8.0K    207G     0%    /mnt/sdcard

my plan is:

1 - boot in single user mode

2 - mount the /home partition and the sdcard
Code:
mount -o rw /dev/ada0p5 /home
mount -o rw /dev/mmcsd0p1 /mnt/sdcard

3 - copy the data from home to the sdcard
Code:
cp -rvp /home/* /mnt/sdcard/

4 - umount /home
Code:
umount /home

5 - delete the home partition
Code:
gpart delete -i 5 /dev/ada0

6 - recreate the home partition
Code:
gpart add -t freebsd-ufs -i 5 /dev/ada0

7 - initialize the geli provider
Code:
geli init -g -b -l 256 -s 4096 ada0p5

8 - attach the geli provider
Code:
geli attach ada0p5

9 - create a new file system on the geli device
Code:
newfs /dev/ada0p5.eli

10 - mount the encrypted home
Code:
mount -o rw /dev/ada0p5.eli /home

11 - copy back the data from the sdcard to the new encrypted home partition
Code:
cp -rvp /mnt/sdcard/* /home/

12 - add the options so /home will be mounted at boot
Code:
vim /boot/loader.conf
geom_eli_load="YES"

vim /etc/fstab (replace the old /home line with)
/dev/ada0p5.eli     /home           ufs     rw      2       2


So my questions are:

Anything I may have overlooked?
Any better way to do this?
Worth repeating the process for /usr and /var (I just thought about some data I have in there... postgres...)?
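The procedure above as one script, added here as an example (not the OP's commands nor FreeBSD project code): it stages the data with dump/restore, which the thread later recommends over cp, keeps a backup of the geli metadata, and refuses to touch a still-mounted /home. Assumed names: partition ada0p5, staging directory /mnt/sdcard, 4 KiB sectors; the default DRY_RUN=1 only prints the command plan for review.

```shell
#!/bin/sh
# Added example, not the OP's script: encrypt an existing /home partition
# in place with geli, staging the data with dump/restore (which the thread
# ends up recommending over cp) and saving a copy of the geli metadata.
# Assumed names: partition ada0p5, staging directory /mnt/sdcard, 4 KiB
# sectors. With DRY_RUN=1 (the default) the commands are only printed.
set -eu

PART="${PART:-ada0p5}"
STAGE="${STAGE:-/mnt/sdcard}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

encrypt_home() {
    # Refuse to touch a filesystem that is still mounted.
    if [ "$DRY_RUN" != 1 ] && mount | grep -q " on /home "; then
        echo "/home is still mounted; umount it first" >&2
        return 1
    fi
    # Level-0 dump of the raw partition keeps symlinks, hard links, flags
    # and sparse files intact, unlike cp -r.
    run dump -0af "$STAGE/home.dump" "/dev/$PART"
    # -b: attach at boot (passphrase prompt), -l 256: AES-XTS 256-bit key,
    # -s 4096: 4 KiB sectors, -B: keep a metadata backup on the staging
    # medium so a damaged last sector does not lose the whole provider.
    run geli init -b -l 256 -s 4096 -B "$STAGE/$PART.eli.bak" "/dev/$PART"
    run geli attach "/dev/$PART"
    # The .eli provider is one sector smaller than the partition (geli keeps
    # its metadata in the last sector), so build a fresh filesystem on it
    # rather than reusing the old one.
    run newfs -U "/dev/$PART.eli"
    run mount "/dev/$PART.eli" /home
    run sh -c "cd /home && restore -rf $STAGE/home.dump"
    # Load the module at boot and point fstab at the encrypted provider.
    run sysrc -f /boot/loader.conf geom_eli_load=YES
    run sed -i '' "s|^/dev/$PART[[:space:]]|/dev/$PART.eli |" /etc/fstab
}

encrypt_home
```

Run it once as-is to read the plan, then as root from the installer shell with DRY_RUN=0 and /home unmounted.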
 
Step 5, why delete the partition and recreate it? There's no need for it. Or are you thinking that might destroy the data that's in that partition? That's not happening.
 
Step 5, why delete the partition and recreate it? There's no need for it. Or are you thinking that might destroy the data that's in that partition? That's not happening.
mostly because in the various tutorials, the ufs filesystem seems to be created ON the encrypted device (.eli). This partition already has a file system directly on it; I don't think it is useful to keep it?
 
Step 5, why delete the partition and recreate it? There's no need for it. Or are you thinking that might destroy the data that's in that partition? That's not happening.
no, the data would stay on the disk, but the partition layout that includes the filesystem would be gone, no?
 
Deleting, then recreating the exact same partition (with the same start and end block) isn't going to destroy the data, everything will still be there.

but the partition layout that includes the filesystem would be gone, no?
Filesystem data has nothing to do with the partition information. So, no. You can delete, then recreate, and everything would still mount perfectly fine. All you did was delete the partition information, not the filesystem.
 
what if you dd from adaXpN to adaXpN.eli (with fs not mounted)
if the fs does not touch the last block of the partition should work
 
Happy to report the operation was a success. I should have listened to cracauer@, a simple cp broke a few symlinks (and python virtual envs); I will definitely consider dump and restore if I proceed with /var and /usr.

P.S : I used the shell from the installer usb key instead of single user mode.

P.P.S : I used dd if=/dev/zero of=/dev/ada0p5 to destroy the beginning of the previous fs

P.P.P.S moving /var and /usr is probably a bad idea in single user mode (no access to a bunch of needed programs) ;-)
 
what if you dd from adaXpN to adaXpN.eli (with fs not mounted)
if the fs does not touch the last block of the partition should work
probably a good idea, but my superficial understanding of eli made me play it safe.

how would that have worked actually?

it would copy all the blocks from the ufs filesystem of the ada0p5 partition to the ufs filesystem created on top of the eli provider in the same partition??? (the ufs filesystem was already the size of the partition...)
 
yes, will sequentially replace blocks with their encrypted version
was more like a nerdy method

if the fs uses its last containing partition block it will most certainly result in data loss (geli stores metadata there and dev/blockdev.eli is 1 block smaller than dev/blockdev
a power loss or a system crash during the dd will get you in a shitty situation (you need to recover the position where it stopped and it does not look straightforward)
dd-ing a mostly empty large fs will just add unnecessary wear to the ssd (if applicable)
dump / restore seems the best method
 