
List:       freebsd-fs
Subject:    Re: GELI zfs encryption removal
From:       Damjan Jovanovic <damjan.jov () gmail ! com>
Date:       2024-02-15 17:52:04
Message-ID: CAJm2B-=7G27BO_+82p29CXDskVAYWgP2VvCQ4=tp8h09yUnsSg () mail ! gmail ! com

On Wed, Feb 14, 2024 at 11:09 PM void <void@f-m.fm> wrote:

> Hi,
>
> I'd like to remove GELI encryption. It was installed
> when the OS was installed; the option to encrypt data was
> chosen when auto-zfs was selected.
>
> At the moment, when it reboots, it prompts for the GELI
> passphrase, which I have to enter from the console[1], and it
> then boots normally. [1] is a nuisance to access, so I'd like to
> (safely) remove it. Is this possible, without having to transfer
> all the data out, reformat, then transfer it all back in again?
>
>
Hi

It should be possible in theory, but some development would be needed
before you could do it in practice.

On Linux there is the FIBMAP ioctl, which can tell the caller the offset on
the filesystem's block device for a given file block (or some special value
if the block is sparse). There are tools like convertfs and fstransform
[1], which can reformat the block device to a different filesystem
in-place. They start by (1) creating a sparse file as large as the block
device, (2) loop-mounting and formatting that sparse file with the new
filesystem, (3) moving all the files from the underlying filesystem into
this new filesystem. At that point, the old filesystem has a single large
file, containing the new filesystem and all the files. Every block in that
file is then scanned with the FIBMAP ioctl to discover where on the block
device it lies. Finally, the blocks are moved around, so each is in the
right place for the block device to contain the new filesystem.

Now if FreeBSD has a similar ioctl (when last I checked it didn't), a
similar process could be used to permanently decrypt a GELI block device.
The block rearrangement step at the end would need to read blocks from
GELI, but write them to the GEOM provider under GELI. Also GELI uses cipher
block chaining, which means blocks relate to some of their adjacent blocks,
and cannot be overwritten individually without corrupting the others, so
such a tool would have to move blocks around very carefully.

[1] https://sourceforge.net/projects/fstransform
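The block-rearrangement step at the end of the convertfs/fstransform procedure described above is the part that has to be done carefully, so here is an added worked example of that step. It is not code from the post, from convertfs or from fstransform. It simulates a small block device in Python with a hand-constructed block mapping standing in for real FIBMAP output (FIBMAP_EXAMPLE, build_device, expected_image and rearrange_in_place are all names introduced here), and shows how the final pass moves blocks along chains and cycles, using one unreferenced block as scratch space, without overwriting any block before its contents have been read. It does not model GELI itself: the decrypt-on-read/write-raw step and the cipher-block-chaining concern from the post are outside what it shows.

```python
"""Simulated final stage of an in-place filesystem conversion.

The new filesystem lives inside one large file on the old filesystem.
FIBMAP tells a tool which physical block holds each logical block of that
file; the job is to end with physical block i holding logical block i.
Everything below is constructed for illustration: no FIBMAP ioctl is made.
"""
from typing import Dict, List, Optional

BLOCK_SIZE = 4   # tiny blocks keep the simulated device readable
SPARSE = None    # stands in for FIBMAP's "not allocated" answer for a hole

# Constructed mapping: logical block of the image file -> physical block that
# currently holds it. Physical blocks 0 and 1 hold old-filesystem metadata,
# so no logical block maps to them.
FIBMAP_EXAMPLE: Dict[int, Optional[int]] = {
    0: 2, 1: 6, 2: 7, 3: SPARSE, 4: 5, 5: 4, 6: SPARSE, 7: 3,
}


def build_device(fibmap: Dict[int, Optional[int]]) -> List[bytes]:
    """Lay out a simulated block device consistent with the mapping."""
    device = [b"OLD0", b"OLD1"] + [b"????"] * (len(fibmap) - 2)
    for logical, physical in fibmap.items():
        if physical is not SPARSE:
            device[physical] = f"L{logical}".encode().ljust(BLOCK_SIZE, b"_")
    return device


def expected_image(fibmap: Dict[int, Optional[int]]) -> List[bytes]:
    """Device contents once logical block i sits at physical block i."""
    return [bytes(BLOCK_SIZE) if fibmap[i] is SPARSE
            else f"L{i}".encode().ljust(BLOCK_SIZE, b"_")
            for i in range(len(fibmap))]


def rearrange_in_place(device: List[bytes], fibmap: Dict[int, Optional[int]],
                       spare: int) -> int:
    """Move every block to its final slot; return the number of block copies.

    `spare` must be a physical block no logical block maps to (old-filesystem
    metadata); it is used as scratch space to break cycles.
    """
    sources = [p for p in fibmap.values() if p is not SPARSE]
    if len(sources) != len(set(sources)):
        raise ValueError("a physical block is claimed by two logical blocks")
    if spare in sources:
        raise ValueError("spare block still holds data needed elsewhere")

    # pending[dest] = physical block whose content must end up at dest
    pending = {d: s for d, s in fibmap.items() if s is not SPARSE and s != d}
    is_source = set(pending.values())
    copies = 0

    # Chain heads: destinations whose current content nobody needs, so they
    # can be overwritten immediately. Mark every block reachable from them.
    chain_heads = [d for d in pending if d not in is_source]
    on_chain = set()
    for head in chain_heads:
        x = head
        while x in pending and x not in on_chain:
            on_chain.add(x)
            x = pending[x]

    # Phase 1: pure cycles (every member is both a source and a destination).
    # Park one block in the spare, shift the rest, then restore it. This runs
    # before the chains because a chain may legitimately end at the spare.
    for start in list(pending):
        if start not in pending or start in on_chain:
            continue
        device[spare] = device[start]
        copies += 1
        dest = start
        while True:
            src = pending.pop(dest)
            if src == start:
                device[dest] = device[spare]
                copies += 1
                break
            device[dest] = device[src]
            copies += 1
            dest = src   # src has been read out and is free to be filled next

    # Phase 2: chains, filled from the head; each source becomes the next dest.
    for dest in chain_heads:
        while dest in pending:
            src = pending.pop(dest)
            device[dest] = device[src]
            copies += 1
            dest = src

    # Phase 3: holes are zeroed last, because a chain's final source may be a
    # block that itself ends up as a hole.
    for dest, src in fibmap.items():
        if src is SPARSE:
            device[dest] = bytes(BLOCK_SIZE)
    return copies


def demo() -> (List[bytes], int):
    """Run the constructed scenario; spare block 1 is also a chain destination."""
    device = build_device(FIBMAP_EXAMPLE)
    copies = rearrange_in_place(device, FIBMAP_EXAMPLE, spare=1)
    return device, copies


if __name__ == "__main__":
    dev, n = demo()
    print(f"{n} block copies")
    for i, blk in enumerate(dev):
        print(i, blk)
```

In the constructed mapping, physical blocks 4 and 5 form a two-element cycle, blocks 2, 7 and 3 form a chain that ends at a hole, and the spare block is itself the destination of another chain, which is why cycles are resolved before chains. A real tool would replace build_device with the result of FIBMAP on every block of the image file and would have to add the GELI read/write asymmetry the post points out.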
