From: Allan Fields
Date: Sun, 4 Apr 2004 21:42:46 -0400
To: mmarkows@twcny.rr.com
Cc: freebsd-geom@freebsd.org
Subject: Re: how ro recover encrypted slice
Message-ID: <20040405014246.GN93496@afields.ca>

On Sun, Apr 04, 2004 at 06:42:33PM -0400, mmarkows@twcny.rr.com wrote:
> Hi,
>
> I mounted a GEOM-encrypted slice to /home2 and stored all my data there. Two days ago, I decided to update my FreeBSD from 5.2 to 5.2.1. I have done it several times before, so I felt self-assured. I backed up my config files, forgetting unfortunately about /etc/gbde/ad1s2.

From what you've stated it's clear that:

a) You used a lock selector file (alternative is to use the first block of device)
b) You've unlinked your lock file
c) there has been the possibility you've over-written the blocks containing lock file data
d) You know your master key still (this is good news)

It's not clear what you did to initialize the device:

a) filled it with random data (more secure/harder to bf) or not?
b) what parameters if any you used while initializing GBDE device

(I know this blurb isn't what you're interested in hearing at this stage, but bear with me:)

I would recommend in the future you keep a backup copy of the lock files and/or write down the provided lock sector addresses and possibly even store a backup of the master key in a safe location (if this meets your security requirements).

An encrypted device brings with it risks that must be taken into account: your first question should be "do I have back-ups?" (Which could be encrypted for example with a different key or even a different system.) If you do, you can simply re-create the device, then restore from the backups.

Right, so now, what can be done in your current situation?

The best case is that you can still recover the lock file from your root slice or have a backup somewhere that you've forgotten about. Otherwise, you'll need to try to find the lock sectors on the device via brute force.

The gbde architecture is outlined in phk's gbde paper from BSDCon2003: if you haven't already taken a look at that paper, I would suggest you do now. Especially of interest is Section 7.2 about sector mapping.

Basically you'd be searching the disk surface and it won't be something easy to do. Depending on how large your disk is, you need to find the lock sectors from the rest, which could take many hours or days even with the master key and it may require some intimate knowledge about the gbde code.

(geom folks: feel free to correct me on anything I've mentioned, above.)

> During the update procedure my system was messed up to the extent that it seemed reasonable to do a clean install of 5.2.1. I did it without saving /etc/gbde/ad1s2, and without touching the encrypted slice.
>
> Now, I am in a predicament because I cannot access my files that I need for my work tomorrow. I know that I messed up, but my last backup is 3 weeks old, and essentially it is no good any more.
>
> Is there any way to recover the data? I have 13 hours to do it.

It's remotely possible you'll be able to get this data back; rushing definitely won't help you in these types of situations, you'll end up making more mistakes.

Especially important is to keep the server down until you have resolved the problem and make a dump of your root partition or the whole disk in its current state. If the server has to stay up, at least remount your root read-only for now and hope that you will be able to recover your lock selector file.

> Thank you for your time.
>
> Maciej.

Best of luck,

--
 Allan Fields                                      _.^. ,_ ,. ._ .
 Afields Research/AFRSL - http://afields.ca        <,'/-\/- /\'_| /_
 BSDCan: May 2004, Ottawa - http://www.bsdcan.org  `'|'====-=--- -- - `---- -- -