I'm currently - well, for the past 3 weeks or so - in the process of recovering from a serious network intrusion at my home and am changing up most of my systems. Also, if oddities have shown up from my account then my account was compromised - just like every other account that I use, please private message me about that. Sadly I used to use a variation on the same password for every account and some have been leaked making it extremely easy for these hackers to compromise everything, included but not limited to deleting a dead friend's last facebook posts and several of my mails.
Anyway, right now I'm in the process of beefing up my internal security, which was also compromised. Each and every system was compromised because they managed to get a hold of my root password and combined with physical access, well, you know the drill. No way to stop that the way my systems were configured, i.e. assuming that the physical side of things would be safe.
So I use GELI* to encrypt partitions, asking for a passphrase at boot. I've been doing this for about a year on a laptop with a single NVME, but have now done the same on other systems. On systems with a few hard drives or more I used to create ZFS pools referencing GPT labels, but now that I switched to encrypted partitions I no longer do this because GELI and glabel would - as far as I know - write to the same sectors.
I decided to use the
At boot, the loader/GELI picks up the devices that should be decrypted and asks for a passphrase, but the devices picked up are the "raw" devices, e.g. /dev/ada0p1 etc. Once GELI has the right passphrase, the DISKID a.o. labels disappear. So, from that point on there is no more /dev/diskid/DISK-SNXYZ which I could use to import my zpools from.
For the record, these labels do exist after running
I can see a few options, I've been searching for them but might have searched for the wrong terminology:
1. force GELI somehow to use /dev/diskid/DISK-SNXYZ references
2. force GELI/GEOM to NOT hide the labels after attaching the encrypted device; hoping that the labels will appear encrypted as well
3. any other option that could help me reach my goal
If anyone knows of a way to help me reach my goal, please chime in. It's ok if this thread blows up with countless solutions, if I can find one suitable one it's perfectly worth it. Try not to heckle me though, I'm quite well aware of the risks I've taken and that I should have been much more paranoid about who I consort with
Thank you all!
* If you're wondering about why I use GELI instead of ZFS encryption, I prefer a FreeBSD-specific solution. Without having verified this statement, I'm assuming that these Kali Linux thumbdrive "hackers" will have a bad day decrypting my drives and need to resort to a system they know much less about. Let's just call it evening the playing fields, or much rather, tipping the favor my side.
Anyway, right now I'm in the process of beefing up my internal security, which was also compromised. Each and every system was compromised because they managed to get a hold of my root password and combined with physical access, well, you know the drill. No way to stop that the way my systems were configured, i.e. assuming that the physical side of things would be safe.
So I use GELI* to encrypt partitions, asking for a passphrase at boot. I've been doing this for about a year on a laptop with a single NVME, but have now done the same on other systems. On systems with a few hard drives or more I used to create ZFS pools referencing GPT labels, but now that I switched to encrypted partitions I no longer do this because GELI and glabel would - as far as I know - write to the same sectors.
I decided to use the
/dev/diskid/DISK-SNXYZ...
references (from GEOM_LABEL in the kernel, kern.geom.label.disk_ident.enable=1 by default)., That's proven challenging.At boot, the loader/GELI picks up the devices that should be decrypted and asks for a passphrase, but the devices picked up are the "raw" devices, e.g. /dev/ada0p1 etc. Once GELI has the right passphrase, the DISKID a.o. labels disappear. So, from that point on there is no more /dev/diskid/DISK-SNXYZ which I could use to import my zpools from.
For the record, these labels do exist after running
geli detach ...
, so they're clearly not disabled.I can see a few options, I've been searching for them but might have searched for the wrong terminology:
1. force GELI somehow to use /dev/diskid/DISK-SNXYZ references
2. force GELI/GEOM to NOT hide the labels after attaching the encrypted device; hoping that the labels will appear encrypted as well
3. any other option that could help me reach my goal
If anyone knows of a way to help me reach my goal, please chime in. It's ok if this thread blows up with countless solutions, if I can find one suitable one it's perfectly worth it. Try not to heckle me though, I'm quite well aware of the risks I've taken and that I should have been much more paranoid about who I consort with
Thank you all!
* If you're wondering about why I use GELI instead of ZFS encryption, I prefer a FreeBSD-specific solution. Without having verified this statement, I'm assuming that these Kali Linux thumbdrive "hackers" will have a bad day decrypting my drives and need to resort to a system they know much less about. Let's just call it evening the playing fields, or much rather, tipping the favor my side.