Date: Thu, 15 Feb 2024 17:52:04 +0000
From: Damjan Jovanovic <damjan.jov@gmail.com>
To: freebsd-fs@freebsd.org
Subject: Re: GELI zfs encryption removal
Message-ID: <CAJm2B-=7G27BO_%2B82p29CXDskVAYWgP2VvCQ4=tp8h09yUnsSg@mail.gmail.com>
In-Reply-To: <Zc1INFxLOx-MQ3e4@int21h>
References: <Zc1INFxLOx-MQ3e4@int21h>
On Wed, Feb 14, 2024 at 11:09 PM void <void@f-m.fm> wrote:
> Hi,
>
> I'd like to remove GELI encryption. It was installed
> when the OS was installed; the option to encrypt data was
> chosen when auto-zfs was selected.
>
> At the moment, when it reboots, it prompts for the GELI
> passphrase, which I have to enter from the console[1], and it
> then boots normally. [1] is a nuisance to access, so I'd like to
> (safely) remove it. Is this possible, without having to transfer
> all the data out, reformat, then transfer it all back in again?
>

Hi

It should be possible in theory, but some development would be needed before you could do it in practice.

On Linux there is the FIBMAP ioctl, which can tell the caller the offset on the filesystem's block device for a given file block (or some special value if the block is sparse). There are tools like convertfs and fstransform [1], which can reformat the block device to a different filesystem in-place. They start by (1) creating a sparse file as large as the block device, (2) loop-mounting and formatting that sparse file with the new filesystem, (3) moving all the files from the underlying filesystem into this new filesystem. At that point, the old filesystem has a single large file, containing the new filesystem and all the files. Every block in that file is then scanned with the FIBMAP ioctl to discover where on the block device it lies. Finally, the blocks are moved around, so each is in the right place for the block device to contain the new filesystem.

Now if FreeBSD has a similar ioctl (when last I checked it didn't), a similar process could be used to permanently decrypt a GELI block device. The block rearrangement step at the end would need to read blocks from GELI, but write them to the GEOM provider under GELI. Also GELI uses cipher block chaining, which means blocks relate to some of their adjacent blocks, and cannot be overwritten individually without corrupting the others, so such a tool would have to move blocks around very carefully.

[1] https://sourceforge.net/projects/fstransform
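The final block-rearrangement step of the reply above, worked through as a small simulation. This is an added example, not code from fstransform, convertfs or FreeBSD, and it does not call the real FIBMAP ioctl: the extent map is a plain dict standing in for what FIBMAP reports (logical image block to physical device block, or a hole), the six-block device, its block size and the "old filesystem" leftover are constructed, and `read()` / `write()` only model reading through the decrypting layer and writing to the provider underneath it. The point it shows beyond the prose is the ordering problem: copying blocks to their final positions in plain order clobbers data that has not been moved yet, so the tool has to follow the chains and cycles of the map (one temporary buffer per cycle) and write holes as zeros.

```python
"""
In-place block rearrangement driven by a FIBMAP-style extent map.
Added example, not fstransform/convertfs/FreeBSD code; block size, map and
device contents are constructed for the demonstration.
"""
from typing import Dict, List, Optional, Set

BLOCK = 4        # constructed block size in bytes
SPARSE = None    # stands in for FIBMAP's "no physical block" answer for a hole

ExtentMap = Dict[int, Optional[int]]   # logical image block -> physical block


class Device:
    """Tiny block device. read() models a read through the decrypting layer,
    write() a plaintext write to the provider beneath it. `live` holds the
    physical blocks whose data has not been moved out yet; writing one of
    them is exactly the corruption a careless tool would cause."""

    def __init__(self, blocks: List[bytes], extent_map: ExtentMap) -> None:
        assert all(len(b) == BLOCK for b in blocks)
        self.buf = bytearray(b"".join(blocks))
        self.live: Set[int] = {p for p in extent_map.values() if p is not SPARSE}
        self.writes = 0

    def read(self, phys: int) -> bytes:
        return bytes(self.buf[phys * BLOCK:(phys + 1) * BLOCK])

    def write(self, phys: int, data: bytes) -> None:
        if phys in self.live:
            raise RuntimeError(f"block {phys} still holds unmoved data")
        self.buf[phys * BLOCK:(phys + 1) * BLOCK] = data
        self.writes += 1

    def move(self, src: int, dst: int) -> None:
        data = self.read(src)
        self.live.discard(src)          # src's content is now in hand
        self.write(dst, data)


def rearrange(dev: Device, extent_map: ExtentMap) -> int:
    """Put every logical block at the physical block of the same number.
    Returns the number of block writes performed."""
    # inverse map: which logical block currently occupies a physical block
    occupant = {p: l for l, p in extent_map.items() if p is not SPARSE}
    done: Set[int] = set()
    for start in sorted(extent_map):
        if start in done or extent_map[start] == start:
            done.add(start)
            continue
        # chain[t+1] is the logical block whose data sits at physical block
        # chain[t], so chain[t+1] must be filled before chain[t] is overwritten
        chain, cycle = [start], False
        while True:
            occ = occupant.get(chain[-1])
            if occ is None or occ in done:
                break                    # tail: last block of the chain is free
            if occ == start:
                cycle = True             # closed loop: needs one temporary buffer
                break
            chain.append(occ)
        saved = None
        if cycle:
            saved = dev.read(chain[-1])  # logical `start`'s data, about to be clobbered
            dev.live.discard(chain[-1])
        for t in range(len(chain) - 1, 0, -1):
            dev.move(chain[t - 1], chain[t])
            done.add(chain[t])
        src = extent_map[start]
        if src is SPARSE:
            dev.write(start, bytes(BLOCK))   # a hole in the image reads as zeros
        elif cycle:
            dev.write(start, saved)
        else:
            dev.move(src, start)
        done.add(start)
    return dev.writes


def naive_attempt(dev: Device, extent_map: ExtentMap) -> Optional[int]:
    """Copy physical -> logical in plain block order, as a careless tool would.
    Returns the first block the guard refuses to overwrite, or None."""
    for log in sorted(extent_map):
        src = extent_map[log]
        if src == log:
            continue
        try:
            dev.write(log, bytes(BLOCK) if src is SPARSE else dev.read(src))
        except RuntimeError:
            return log
    return None


def build_example():
    """Constructed device: image blocks A,B,D,E,F are scattered (a 3-cycle
    0->3->1->0, block 4 already in place, F at block 2), logical block 2 is a
    hole, and physical block 5 holds leftover old-filesystem data."""
    extent_map: ExtentMap = {0: 3, 1: 0, 2: SPARSE, 3: 1, 4: 4, 5: 2}
    blocks = [b"BBBB", b"DDDD", b"FFFF", b"AAAA", b"EEEE", b"old!"]
    return Device(blocks, extent_map), extent_map


EXPECTED = b"AAAA" + b"BBBB" + bytes(BLOCK) + b"DDDD" + b"EEEE" + b"FFFF"

if __name__ == "__main__":
    dev, emap = build_example()
    print("naive order refused at block", naive_attempt(dev, emap))
    dev, emap = build_example()
    print("writes:", rearrange(dev, emap), "device ok:", bytes(dev.buf) == EXPECTED)
```

The `live` guard is the check a real tool would want in a dry-run mode: it turns a silent overwrite into a refusal, and the naive pass fails on the very first block of the constructed map. The chain walk is the general algorithm of which the mail's description is one instance; the simulation leaves GELI's sector-level layout out of scope, so a real implementation would additionally have to respect whatever granularity the encryption layer imposes before writing through to the provider.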