Date: Tue, 01 Mar 2005 00:16:41 -0500
From: Roland Dowdeswell <elric@imrryr.org>
To: Thomas.Sparrevohn@btinternet.com
Cc: tech-security@NetBSD.org
Subject: Re: RFC: backporting GEOM to the 4.x branch
Message-ID: <20050301051641.B59C33700F@arioch.imrryr.org>
In-Reply-To: Your message of "Tue, 01 Mar 2005 00:08:20 GMT." <200503010008.20675.Thomas.Sparrevohn@btinternet.com>
On 1109635700 seconds since the Beginning of the UNIX epoch Thomas Sparrevohn wrote:
>
> I could be wrong but I would assume that if it is correctly handled within
> softupdates there should be no need for journalling - e.g. If both
> transactions are not completed the writes are ignored

This does not work.

The problem is that in GBDE for sector n which is written, there are two operations:

	1. change the key by which sector n is encrypted, and
	2. write sector n encrypted with the new key.

If one of these fails, how could the write be ignored? If one of the two completes but not both, then one is left in the situation of either:

	1. trying to decrypt the old sector with the new encryption key, or
	2. trying to decrypt the new sector with the old encryption key.

Either way, the sector has been lost. Neither the original contents of the sector nor the new contents can be recovered without breaking AES-128. Fsck(8) does not contain this functionality (and it would be rather impressive if it did.) Softupdates does not maintain old copies of sectors which it is writing. Hence the sector is gone forever (or for however long it takes to break AES-128.)

There is no [reasonable] possibility of recovery.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
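The torn-write failure mode Roland describes, as an added illustration that is not part of the thread and not GBDE's own code. It is a deliberately simplified model: each sector has a key record and a ciphertext record on the simulated media, a write picks a fresh random AES-128 key and does the two steps (update key record, write ciphertext), and a simulated crash can drop either step. Real GBDE keeps sector keys encrypted under a master key in separate lock sectors and uses a different mode; the AES-128-CTR-with-sector-number-as-nonce construction here is an assumption chosen only to make the point concrete. Reading back after a torn write yields bytes that match neither the old nor the new contents, and because nothing on media is authenticated, nothing in the read path (or in fsck, which sees only ciphertext) can even tell that this has happened.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512

// disk models the two per-sector records this simplified scheme keeps on
// media: the key the sector is currently encrypted under, and the
// ciphertext. (Assumption: real GBDE stores keys encrypted under a master
// key in lock sectors; that layer is omitted here.)
type disk struct {
	keys map[uint64][]byte
	data map[uint64][]byte
}

func newDisk() *disk {
	return &disk{keys: map[uint64][]byte{}, data: map[uint64][]byte{}}
}

// crypt encrypts or decrypts one sector with AES-128-CTR using the sector
// number as the nonce. CTR is symmetric, so one function serves both ways.
func crypt(key []byte, sector uint64, buf []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[:8], sector)
	out := make([]byte, len(buf))
	cipher.NewCTR(block, iv).XORKeyStream(out, buf)
	return out
}

// newKey draws a fresh random 128-bit sector key for every write.
func newKey() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

type crashPoint int

const (
	noCrash             crashPoint = iota
	crashAfterKeyUpdate            // step 1 reached media, step 2 was lost
	crashAfterDataWrite            // step 2 reached media, step 1 was lost
)

// writeSector performs the two-step write the message describes. The crash
// argument simulates losing power after exactly one of the two steps.
func (d *disk) writeSector(sector uint64, plain []byte, crash crashPoint) {
	k := newKey()
	ct := crypt(k, sector, plain)
	switch crash {
	case crashAfterKeyUpdate:
		d.keys[sector] = k // new key recorded, old ciphertext still on media
	case crashAfterDataWrite:
		d.data[sector] = ct // new ciphertext on media, old key still recorded
	default:
		d.keys[sector] = k
		d.data[sector] = ct
	}
}

// readSector decrypts with whatever key record is on media. There is no
// authentication, so decryption always "succeeds"; the only question is
// whether the output means anything.
func (d *disk) readSector(sector uint64) []byte {
	return crypt(d.keys[sector], sector, d.data[sector])
}

// outcome classifies a read relative to the old and new sector contents.
func outcome(got, oldPT, newPT []byte) string {
	switch {
	case bytes.Equal(got, newPT):
		return "new contents"
	case bytes.Equal(got, oldPT):
		return "old contents"
	default:
		return "neither (unrecoverable without the lost key)"
	}
}

// scenario writes sector 7 once cleanly, rewrites it under the given crash
// mode, and reports what a subsequent read returns. Contents are constructed.
func scenario(crash crashPoint) string {
	d := newDisk()
	oldPT := bytes.Repeat([]byte{'A'}, sectorSize)
	newPT := bytes.Repeat([]byte{'B'}, sectorSize)
	d.writeSector(7, oldPT, noCrash)
	d.writeSector(7, newPT, crash)
	return outcome(d.readSector(7), oldPT, newPT)
}

func main() {
	fmt.Println("clean write:            ", scenario(noCrash))
	fmt.Println("crash after key update: ", scenario(crashAfterKeyUpdate))
	fmt.Println("crash after data write: ", scenario(crashAfterDataWrite))
}
```

Only the clean write returns the new contents; both torn cases return a keystream-XOR of unrelated data, which no filesystem-level tool can repair because the key needed to undo it is the one that was overwritten or never written. Softupdates ordering the two requests does not help: whichever order is chosen, a crash between them leaves exactly one of the two bad pairings on media.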