Date:      Wed, 21 Mar 2007 23:15:50 +0100
From:      Roland Smith <rsmith@xs4all.nl>
To:        RW <fbsd06@mlists.homeunix.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: gbde and geli - differences
Message-ID:  <20070321221550.GB72124@slackbox.xs4all.nl>
In-Reply-To: <20070321183319.72ceab4c@gumby.homeunix.com>
References:  <20070320190305.O29971@chylonia.3miasto.net> <20070320223619.6c18cd08@gumby.homeunix.com> <20070320231504.GB38069@slackbox.xs4all.nl> <20070321001321.5dea258f@gumby.homeunix.com> <20070321070251.GA50637@slackbox.xs4all.nl> <20070321183319.72ceab4c@gumby.homeunix.com>

On Wed, Mar 21, 2007 at 06:33:19PM +0000, RW wrote:
> How do you attach the dvd content?
>
> # geli attach /dev/cd0
> Cannot read metadata from /dev/cd0: Invalid argument.
>
> geli attach -r /dev/cd0
> Cannot read metadata from /dev/cd0: Invalid argument.

I get the same error. Odd. I thought I used that trick before. It
definitely works on the USB drives that I use as primary backup (no
memory disk necessary in that case).

The following is what I currently use to make encrypted backups to DVD,
because it requires less interaction:

I bundle appropriate numbers of files and directories up in tarfiles
(bzip2-ed unless it contains photos etc), so that every tarfile is slightly
under DVD size. I've put this in a script, because a lot of my
directories don't grow very fast. Alternatively you can use a tool like
dirsplit (http://freshmeat.net/projects/dirsplit/) to make file catalogs.

Next I encrypt every tarfile with ccrypt(1) from ports, because it uses
the Rijndael (aes) cipher. You can use another encryption program if you
like, like enc(1) from OpenSSL with the Blowfish cipher, or gnupg with a
symmetric cipher like aes256 or twofish or blowfish if you don't want to
keep a separate key. Don't use crypt(1) or bdes(1), they're not
considered safe anymore.

The encrypted file is then directly burned (as an image) with growisofs.

To extract the contents I use the following command:

cat /dev/cd0|ccrypt -d|tar xjf -

The file is cat-ed because ccrypt doesn't want to open device files.

This might be overkill, depending on who you're trying to protect the
data from. If you burn the unencrypted tarfile to DVD, the average
Windows user wouldn't have a clue how to open it. Of course a 'file -s'
would tell any competent sysadmin that you've burned a tarfile. OTOH, if
you encrypt the data and forget the keyphrase, your data is lost.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070321221550.GB72124>
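
The bundling, encryption and read-back steps described in the message above, as an added example that is not part of the original post or the poster's own script. The function names and the size cap are assumptions; the image functions assume ccrypt(1) is installed and take the key from a key file so they can run unattended.

```shell
#!/bin/sh
# Added example, not the poster's script. pack_sizes, plan_bundles, make_image
# and verify_image are hypothetical names; the size cap is an assumed value.
DVD_KB=${DVD_KB:-4400000}   # KiB per bundle, assumed to sit a little under one DVD

# pack_sizes CAP_KB: read "<size-kb><TAB><path>" lines (du -sk format) on stdin
# and pack them first-fit, largest first. Prints "<bundle> <size-kb> <path>".
# An entry larger than the cap is reported on stderr and makes the status 1.
pack_sizes() {
    sort -rn | awk -v cap="$1" '
        { size = $1; sub(/^[0-9]+[ \t]+/, ""); path = $0
          if (size + 0 > cap + 0) { print "too large: " path > "/dev/stderr"; bad = 1; next }
          for (b = 1; b <= n; b++) if (used[b] + size <= cap + 0) break
          if (b > n) n = b
          used[b] += size
          print b, size, path }
        END { exit bad + 0 }'
}

# plan_bundles DIR...: measure each directory with du and pack under DVD_KB.
plan_bundles() { du -sk "$@" | pack_sizes "$DVD_KB"; }

# make_image N KEYFILE OUT: read a plan on stdin, tar+bzip2 the paths of bundle
# N and encrypt the stream. ccrypt -k takes the key from KEYFILE's first line.
make_image() {
    awk -v n="$1" '$1 == n { sub(/^[0-9]+ [0-9]+ /, ""); print }' |
        tar -cjf - -T - | ccrypt -e -k "$2" > "$3"
}

# verify_image IMAGE KEYFILE: the read-back pipeline from the post, listing the
# archive instead of extracting it. IMAGE is the image file or /dev/cd0.
# Succeeds only if tar reads to the end without error and lists at least one
# entry, so a wrong key or a damaged image gives a non-zero status.
verify_image() {
    list=$(cat "$1" | ccrypt -d -k "$2" | tar -tjf -) && [ -n "$list" ]
}

# Usage (paths are placeholders):
#   plan_bundles ~/docs ~/src ~/mail > plan.txt
#   make_image 1 ~/.backupkey bundle1.cpt < plan.txt
#   verify_image bundle1.cpt ~/.backupkey
```

Running verify_image against the burned disc before deleting the source data checks both the medium and the key file in one pass.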