Other geli backup versus cryptsetup luksHeaderBackup

giorgiob

Member

Thanks: 1
Messages: 38

#1
I have been using LUKS under Linux for a while and now I am starting to learn geli to encrypt my disks with FreeBSD. As recommended e.g. in this article in Section Backup and Restore a LUKS Header, I always store a backup of a LUKS volume header in a file in case the header of a LUKS volume gets damaged.

I was looking for a similar functionality in geli and I found the command geli backup in the documentation. The man page says:
backup Backup metadata from the given provider to the given file.
So my question is: does the geli volume metadata play the same role as the LUKS volume header?
If so, I would make a backup of the metadata for each geli volume and restore it in case part of the volume gets overwritten.
Of course, I might not be able to access all the data if any data sectors in the volume have been overwritten as well, but I should at least be able to attach the volume / provider.

Is this correct?

ShelLuser

Son of Beastie

Thanks: 1,569
Messages: 3,411

#2
So my question is: does the geli volume metadata play the same role as the LUKS volume header?
Why assume that we know about LUKS? It might have been easier to just share what kind of functionality you're looking for or are expecting from all this.

Alas; geli(8) should provide you with all the info you need. backup does just that: making a backup of your keys:
Code:
   Master Key
     Upon init, the geli utility generates a random Master Key for the
     provider.  The Master Key never changes during the lifetime of the
     provider.  Each copy of the provider metadata, active or backed up to a
     file, can store up to two, independently-encrypted copies of the Master
     Key.
And this backup can be used to restore those keys in case something goes wrong.
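An added example, not code from the thread or from FreeBSD itself, that turns the geli backup command quoted above into a small script: it takes the providers from geli list, writes one metadata backup file per provider with geli backup, and offers a matching geli restore step. geli(8) already writes such a backup to /var/backups/<prov>.eli at init time unless -B changes that; this script is for refreshing those copies later (for example after setkey) and for keeping them together. The directory in BACKUP_DIR and the "backup"/"restore" subcommands are this script's own assumptions. The file holds the encrypted copies of the Master Key, so it is kept readable by root only.

```shell
#!/bin/sh
# Added example (not from the thread, not a FreeBSD tool): back up and restore
# the on-disk metadata of GELI providers with geli backup / geli restore.
# Assumes FreeBSD with geli(8) and root privileges for the backup/restore steps.
set -eu

# Assumed location for the metadata copies; override with the environment.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/geli}"

# Map a provider name (ada0p3 or /dev/ada0p3) to its backup file path.
backup_path() {
    printf '%s/%s.eli\n' "$BACKUP_DIR" "$(basename "$1")"
}

# "geli list" reports each attached provider as "Geom name: <prov>.eli";
# strip the suffix so the plain provider name is left.
providers_from_list() {
    sed -n 's/^Geom name: \(.*\)\.eli$/\1/p'
}

# Back up the metadata of every attached provider. The file contains the
# (passphrase-encrypted) Master Key copies, so keep it root-only.
backup_all() {
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"
    geli list | providers_from_list | while read -r prov; do
        dest=$(backup_path "$prov")
        geli backup "$prov" "$dest"
        chmod 600 "$dest"
        # An empty file means the backup did not happen; fail loudly.
        [ -s "$dest" ] || { echo "backup of $prov is empty" >&2; exit 1; }
        echo "backed up $prov -> $dest"
    done
}

# Restore the metadata of one provider from its backup file. geli refuses
# if the provider size does not match the backup; add -f only after you
# have confirmed the device is the right one.
restore_one() {
    prov=$1
    src=$(backup_path "$prov")
    [ -s "$src" ] || { echo "no backup for $prov at $src" >&2; return 1; }
    geli restore "$src" "$prov"
    echo "restored metadata of $prov from $src"
}

# Usage: ./geli-meta.sh backup      |  ./geli-meta.sh restore ada0p3
case "${1:-}" in
    backup)  backup_all ;;
    restore) restore_one "${2:?provider name required}" ;;
esac
```

The helpers that need geli are only reached through the backup and restore subcommands, so the file can be sourced on any system to reuse backup_path and providers_from_list.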

giorgiob

Member

Thanks: 1
Messages: 38

#3
Why assume that we know about LUKS? It might have been easier to just share what kind of functionality you're looking for or are expecting from all this.
I did not assume that all FreeBSD users know LUKS, but I hoped that there are enough FreeBSD users on this forum who are familiar enough with LUKS to be able to compare LUKS with geli.

Anyway, as far as I have understood, regardless of the actual technology, an encrypted volume has some metadata (keys, size information, and so on) that allows the volume to be unlocked, and then data sectors in which the encrypted data is stored. If the metadata gets corrupted (overwritten or unreadable because of a bad sector), you cannot access the content of the whole volume any more. It is not the same as for a data block: if a data block gets corrupted, you only lose the data contained in that block.

I have assumed (maybe wrongly) that geli also follows a similar paradigm and that it is possible to back up all the metadata (keys and whatever information is needed to unlock the volume, apart from the passwords).
Alas; geli(8) should provide you with all the info you need. backup does just that: making a backup of your keys:
Code:
   Master Key
     Upon init, the geli utility generates a random Master Key for the
     provider.  The Master Key never changes during the lifetime of the
     provider.  Each copy of the provider metadata, active or backed up to a
     file, can store up to two, independently-encrypted copies of the Master
     Key.
And this backup can be used to restore those keys in case something goes wrong.
So, to formulate my question more precisely: are these keys (together with the passphrase and/or key file, which are stored separately) all I need to unlock the volume / provider? Or is there some other metadata stored on the encrypted volume without which I will not be able to access the encrypted data?

Sorry if this is a naive question: I am a beginner with geli.