key


Deleted member 60479

Guest


I lost the encryption key (ada1.key) to my backup. Is it possible to access the backup drive?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 9,824
Messages: 35,001

The drive itself, sure. But you cannot access the data without the key.
 

SirDice


It would defeat the entire purpose of the encryption if you could access the data without a proper key.
 

Elazar

Well-Known Member

Reaction score: 164
Messages: 430

Maybe some brute-force attack.. He didn't say what type of encryption was used. ;D
 

SirDice


Judging by the naming of the key, I'm going to say geli(8). Good luck trying to brute-force that.
 
OP

Deleted member 60479


I have the passphrase. I just don't have the key-file ada1.key
 

SirDice


> Is there a key file for the operating system as well, when it is encrypted?

If you used full disk encryption, no. The whole disk is encrypted with that same key.

> I have the passphrase. I just don't have the key-file ada1.eli

The password is useless without the key and the key is useless without the password. You need to have both to unlock the encryption.

I once did something similar. Had an encrypted external drive. Reinstalled the machine and forgot to back up the key. So the data on the external drive was lost too. There is no way to recover that key or the password if you lose either one.
 
OP

Deleted member 60479


So, why is my external backup disk encrypted with a key and not my OS?
 

SirDice


> So, why is my external backup disk encrypted with a key and not my OS?

Oh, wait, I misunderstood the previous remarks. Maybe, just maybe, you can find a backup of your key in /var/backup/.
 
OP

Deleted member 60479


Sometimes encryption hurts you more than it protects you. I just don't get it. Why no key-file for the installed machine?
 

SirDice


> Sometimes encryption hurts you more than it protects you.

The disk itself could simply die too. But yes, encryption does mean you need to take really good care of your keys. Back them up and store them somewhere safe (not on the disk that requires that key to access it).

> Why no key-file for the installed machine?

Why would there be a key file for the installed machine?
 
OP

Deleted member 60479


I'm not smart enough to get it. Why a key-file then for the external backup?
 

SirDice


> Why a key-file then for the external backup?

Because you configured it that way. You can use a passphrase, a key or both. If you configured it with both a key and a passphrase, you're going to need both to unlock it.

> The user keys are made up of an optional combination of random bytes from a file, /root/da2.key, and/or a passphrase.

Procedure 17.4. Encrypting a Partition with geli

Code:
   User Key
     Each stored copy of the Master Key is encrypted with a User Key, which is
     generated by the geli utility from a passphrase and/or a keyfile.  The
     geli utility first reads all parts of the keyfile in the order specified
     on the command line, then reads all parts of the stored passphrase in the
     order specified on the command line.  If no passphrase parts are
     specified, the system prompts the user to enter the passphrase.  The
     passphrase is optionally strengthened by PKCS#5v2.  The User Key is a
     digest computed over the concatenated keyfile and passphrase.

From geli(8), take special note of the last sentence.
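
The User Key derivation quoted above from geli(8), as an added Python model that is not part of the original thread and is not geli's own code. It shows why a passphrase without the keyfile (or the reverse) cannot reproduce the key. Assumptions: HMAC-SHA512 as the digest, a 64-byte random keyfile, a stored check value standing in for the encrypted Master Key copy, and the hypothetical function names `user_key`, `init_provider` and `try_attach`.

```python
import hashlib
import hmac
import os

def user_key(keyfile_parts, passphrase, salt, iterations):
    """Digest over all keyfile parts, then the passphrase (model of the quoted text)."""
    mac = hmac.new(b"", digestmod=hashlib.sha512)   # digest choice is an assumption
    for part in keyfile_parts:                      # keyfile parts first, in order
        mac.update(part)
    if passphrase:
        if iterations > 0:                          # optional PKCS#5v2 (PBKDF2) strengthening
            mac.update(hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations))
        else:
            mac.update(salt + passphrase)
    return mac.digest()

def init_provider(keyfile_parts, passphrase, iterations=2000):
    """Return constructed 'metadata': salt, iteration count and a check value
    standing in for the encrypted Master Key copy kept on the disk."""
    salt = os.urandom(64)
    key = user_key(keyfile_parts, passphrase, salt, iterations)
    check = hmac.new(key, b"master-key-check", hashlib.sha512).digest()
    return {"salt": salt, "iterations": iterations, "check": check}

def try_attach(meta, keyfile_parts, passphrase):
    """True only if the supplied components reproduce the original User Key."""
    key = user_key(keyfile_parts, passphrase, meta["salt"], meta["iterations"])
    check = hmac.new(key, b"master-key-check", hashlib.sha512).digest()
    return hmac.compare_digest(check, meta["check"])

if __name__ == "__main__":
    keyfile = os.urandom(64)                        # constructed stand-in for ada1.key
    passphrase = b"correct horse battery staple"    # constructed sample passphrase
    meta = init_provider([keyfile], passphrase)
    print("keyfile + passphrase:", try_attach(meta, [keyfile], passphrase))
    print("passphrase only     :", try_attach(meta, [], passphrase))
    print("keyfile only        :", try_attach(meta, [keyfile], None))
    # A guessed keyfile has to match all 512 random bits, so guessing is not a recovery path.
    print("guessed keyfile     :", try_attach(meta, [os.urandom(64)], passphrase))
```

Only the first call succeeds, which is why the keyfile needs its own backup, stored away from the disk it unlocks.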
 
OP

Deleted member 60479


I get it. So a key file and a passphrase secure your data even more than just a passphrase. For the installed machine you may only use a passphrase. Thanks.
 

SirDice


> So a key file and a passphrase secure your data even more than just a passphrase.

Yes, exactly. It's a 2-factor authentication, it's something you have (the key) and something you know (the passphrase).
 
OP

Deleted member 60479


Am I able to consistently mount the same encrypted disk in fstab? Geom names jump around, changing from da0 to da1 etc. 😁
 

SirDice


Use labels.

 

ralphbsz

Son of Beastie

Reaction score: 1,798
Messages: 2,803

Hey, you're doing better than I am. I have an external backup disk, which is fully encrypted and used for offsite (away from home) safety. I have the passphrase recorded, that's not the problem. The problem is that the whole disk is lost. Usually, it is stored in my office. But I know I took it home before the Covid lockdown, and I have updated it at home once (that's in the log file), and I have not been in my office at all since February. It might be stored in my wife's office ... so I asked her to look absolutely everywhere, and she searched the place and didn't find it. Or it could be at home, and we've spent about 3 hours looking everywhere, and it is nowhere to be found. So I have a key and no disk.

The obvious solution was: find another external portable disk, initialize it, write a new backup on it. All done, except that it is still sitting on the desk at home, waiting to be taken to my wife's office.
 
OP

Deleted member 60479


You have the key but no disk.
I have the disk but no key.
Great.
 