Date:      Mon, 5 Mar 2012 10:37:12 -0500
From:      Robert Simmons <rsimmons0@gmail.com>
To:        freebsd-geom@freebsd.org
Subject:   Re: geli metadata backup
Message-ID:  <CA%2BQLa9DYXyqrgG=SXfZWqNKx1DTv0HGBD3rickJb=6Qz2pRM0Q@mail.gmail.com>
In-Reply-To: <20120305125231.275bfb23@gumby.homeunix.com>
References:  <CA%2BQLa9Ax0hbSexKWAj-iRGD1GeRQCgWiA8R6aMqhWrWeOhMb6Q@mail.gmail.com> <20120305125231.275bfb23@gumby.homeunix.com>

On Mon, Mar 5, 2012 at 7:52 AM, RW <rwmaillists@googlemail.com> wrote:
> On Sat, 3 Mar 2012 17:24:15 -0500
> Robert Simmons wrote:
>
>> What exactly is contained in the metadata backup
>> file /var/backups/_prov_.eli ?
>
> I don't know exactly what's in the metadata, but the most important
> thing is that it contains copies of the master key encrypted with the
> user keys. If the metadata sector on the partition is corrupted then
> you can't access your data.

As far as I can tell, the metadata backup is made when the provider is
created.  It is only updated when the keys/passphrases change or if
the volume size is changed.  It doesn't have a component that is
updated constantly, correct?

>
>> Obviously, since I keep /var inside of the encrypted provider, the
>> default location is a bad place for a backup.  Where would a good
>> location be to save this metadata using the -B switch for geli init
>> other than the default?
>
> Anywhere you like except inside the volume it backs up - preferably
> offline. It is also somewhat sensitive. If someone else has the
> metadata and the passphrase/keyfile, then changing or deleting the key
> on disk won't help - you would have to dump the data and create a new
> geli partition.

I gather that the best thing to do would be to write this backup file
to a USB key when the provider is created then store that somewhere
safe with maybe another copy burned to a CD for added safety, correct?
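
Added example, not part of the original message or of geli itself: a small sh wrapper around `geli backup` that refuses to write the metadata copy onto a file system living on the provider being backed up, the situation described above with /var. The provider name, destination path and mount points are constructed placeholders supplied by the caller.

```shell
#!/bin/sh
# Back up GELI metadata to a location outside the encrypted volume.
# Assumption: the caller knows which mount points live on the provider.

# path_is_under DIR PATH: succeed when PATH is DIR itself or lies below it.
path_is_under() {
    case "${2%/}/" in
        "${1%/}/"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# backup_geli_metadata PROVIDER DEST MOUNTPOINT...
# MOUNTPOINT... are the file systems stored on PROVIDER (for example /var).
# The check is by path prefix only, so list mount points that have no other
# device (such as the USB key) mounted beneath them.
# Returns 2 without writing anything if DEST would land on one of them.
backup_geli_metadata() {
    prov=$1
    dest=$2
    shift 2
    for mp in "$@"; do
        if path_is_under "$mp" "$dest"; then
            echo "refusing: $dest is inside $mp, which is on $prov" >&2
            return 2
        fi
    done
    (
        umask 077    # the file holds the master key encrypted with the user keys
        geli backup "$prov" "$dest" &&
        sha256 -q "$dest" > "$dest.sha256"    # FreeBSD sha256(1), for later integrity checks
    )
}

# Usage (constructed names):
#   backup_geli_metadata ada0p3 /mnt/usb/ada0p3.eli /var /home
# Restore later with:
#   geli restore /mnt/usb/ada0p3.eli ada0p3
```
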


