From: Robert Simmons <rsimmons0@gmail.com>
To: freebsd-geom@freebsd.org
Date: Mon, 5 Mar 2012 10:37:12 -0500
Subject: Re: geli metadata backup
In-Reply-To: <20120305125231.275bfb23@gumby.homeunix.com>
List-Id: GEOM-specific discussions and implementations

On Mon, Mar 5, 2012 at 7:52 AM, RW wrote:
> On Sat, 3 Mar 2012 17:24:15 -0500
> Robert Simmons wrote:
>
>> What exactly is contained in the metadata backup
>> file /var/backups/_prov_.eli ?
>
> I don't know exactly what's in the metadata, but the most important
> thing is that it contains copies of the master key encrypted with the
> user keys. If the metadata sector on the partition is corrupted then
> you can't access your data.

As far as I can tell, the metadata backup is made when the provider is
created. It is only updated when the keys/passphrases change or if the
volume size is changed. It doesn't have a component that is updated
constantly, correct?

>> Obviously, since I keep /var inside of the encrypted provider, the
>> default location is a bad place for a backup. Where would a good
>> location be to save this metadata using the -B switch for geli init
>> other than the default?
>
> Anywhere you like except inside the volume it backs up - preferably
> offline. It is also somewhat sensitive. If someone else has the
> metadata and the passphrase/keyfile, then changing or deleting the key
> on disk won't help - you would have to dump the data and create a new
> geli partition.

I gather that the best thing to do would be to write this backup file to
a USB key when the provider is created then store that somewhere safe
with maybe another copy burned to a CD for added safety, correct?
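As an added example following the thread (not code from either poster or from the geli project), a small sh script that writes the geli metadata backup to removable media, refuses a destination that would land inside the encrypted volume (the /var case discussed above), and verifies the copy against the provider's last sector, which is where geli keeps its metadata. It assumes FreeBSD with geli(8) and diskinfo(8) run as root, a UFS destination, and placeholder names such as ada0p2 and /media/usb.

```shell
#!/bin/sh
# Added example, not from the list thread. Back up geli metadata to removable
# media, refuse a destination inside the encrypted volume itself, and verify
# the copy against the provider's last sector, where geli keeps its metadata.
# Assumes FreeBSD with geli(8)/diskinfo(8), run as root, and a UFS destination
# (for ZFS, df(1) reports a dataset, not a device, so the guard is weaker).

# Exit 0 when $dev is the decrypted view of provider $prov (e.g.
# /dev/ada0p2.eli, or a partition on it such as /dev/ada0p2.elip1).
dev_backed_by_provider() {
    dev=$1; prov=$2
    case "$dev" in
        "/dev/$prov.eli"*) return 0 ;;
    esac
    return 1
}

# Exit 0 when the directory holding $dest exists and is not on $prov.eli.
backup_path_is_safe() {
    prov=$1; dest=$2
    destdir=$(dirname "$dest")
    [ -d "$destdir" ] || return 1
    dev=$(df -P "$destdir" | awk 'NR == 2 { print $1 }')
    ! dev_backed_by_provider "$dev" "$prov"
}

# geli backup writes one sector (the provider's last one) to $dest, mode 0600;
# re-read that sector with dd and compare it byte-for-byte with the file.
backup_geli_metadata() {
    prov=$1; dest=$2
    if ! backup_path_is_safe "$prov" "$dest"; then
        echo "refusing: $dest would be stored inside $prov.eli" >&2
        return 1
    fi
    geli backup "$prov" "$dest" || return 1
    secsize=$(diskinfo "/dev/$prov" | awk '{ print $2 }')
    nsectors=$(diskinfo "/dev/$prov" | awk '{ print $4 }')
    if dd if="/dev/$prov" bs="$secsize" skip=$((nsectors - 1)) count=1 2>/dev/null |
            cmp -s - "$dest"; then
        echo "metadata backup for $prov verified at $dest"
    else
        echo "$dest does not match the on-disk metadata of $prov" >&2
        return 1
    fi
}

# Run only when a provider is named, e.g.: GELI_PROV=ada0p2 sh geli-backup.sh
if [ -n "${GELI_PROV:-}" ]; then
    backup_geli_metadata "$GELI_PROV" "${GELI_DEST:-/media/usb/$GELI_PROV.eli}"
fi
```

If the on-disk sector is ever corrupted, `geli restore <file> <prov>` writes the saved copy back, so the verified file on the USB key is what makes the data recoverable.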