# Can't read old UFS1 superblock using GELI (Blowfish-CBC)



## AlexanderB (Jul 24, 2016)

Hello there,

just started to explore encryption in FreeBSD and got some questions.
Trying to add encrypted partition on FreeBSD10.3 GELI/Blowfish-CBC. AES on / and /swap works fine, but I can't add an additional encrypted partition using Blowfish. Here is the way I did it:

```
# mount -o exec /dev/da2p1 /mnt/storekey
# gpart create -s gpt da1
da1 created
# gpart add -t freebsd-ufs -l usrdata da1
da1p1 added
# newfs gpt/usrdata
gpt/usrdata: 102400.0MB (209715128 sectors) block size 32768, fragment size 4096
        using 164 cylinder groups of 626.09MB, 20035 blks, 80256 inodes.
super-block backups (for fsck_ffs -b #) at:
192, 1282432, 2564672, 3846912, 5129152, 6411392, 7693632, 8975872, 10258112, 11540352, 12822592, 14104832,
15387072, 16669312, 17951552, 19233792, 20516032, 21798272, 23080512, 24362752, 25644992, 26927232,
28209472, 29491712, 30773952, 32056192, 33338432, 34620672, 35902912, 37185152, 38467392, 39749632,
41031872, 42314112, 43596352, 44878592, 46160832, 47443072, 48725312, 50007552, 51289792, 52572032,
53854272, 55136512, 56418752, 57700992, 58983232, 60265472, 61547712, 62829952, 64112192, 65394432,
66676672, 67958912, 69241152, 70523392, 71805632, 73087872, 74370112, 75652352, 76934592, 78216832,
79499072, 80781312, 82063552, 83345792, 84628032, 85910272, 87192512, 88474752, 89756992, 91039232,
92321472, 93603712, 94885952, 96168192, 97450432, 98732672, 100014912, 101297152, 102579392, 103861632,
105143872, 106426112, 107708352, 108990592, 110272832, 111555072, 112837312, 114119552, 115401792,
116684032, 117966272, 119248512, 120530752, 121812992, 123095232, 124377472, 125659712, 126941952,
128224192, 129506432, 130788672, 132070912, 133353152, 134635392, 135917632, 137199872, 138482112,
139764352, 141046592, 142328832, 143611072, 144893312, 146175552, 147457792, 148740032, 150022272,
151304512, 152586752, 153868992, 155151232, 156433472, 157715712, 158997952, 160280192, 161562432,
162844672, 164126912, 165409152, 166691392, 167973632, 169255872, 170538112, 171820352, 173102592,
174384832, 175667072, 176949312, 178231552, 179513792, 180796032, 182078272, 183360512, 184642752,
185924992, 187207232, 188489472, 189771712, 191053952, 192336192, 193618432, 194900672, 196182912,
197465152, 198747392, 200029632, 201311872, 202594112, 203876352, 205158592, 206440832, 207723072, 209005312
# dd if=/dev/random of=/mnt/storekey/da0p1b.k bs=64 count=1
1+0 records in
1+0 records out
64 bytes transferred in 0.000032 secs (1988411 bytes/sec)
# geli init -s 4096 -K /mnt/storekey/da0p1b.k -e Blowfish-CBC -a hmac/sha256 -l 448 gpt/usrdata
Enter new passphrase:
Reenter new passphrase:

Metadata backup can be found in /var/backups/gpt_usrdata.eli and
can be restored with the following command:

        # geli restore /var/backups/gpt_usrdata.eli gpt/usrdata
# geli attach -k /mnt/storekey/da0p1b.k gpt/usrdata
Enter passphrase:
# newfs gpt/usrdata.eli
gpt/usrdata.eli: 91022.2MB (186413448 sectors) block size 32768, fragment size 4096
        using 146 cylinder groups of 626.09MB, 20035 blks, 80256 inodes.
newfs: can't read old UFS1 superblock: read error from block device: Invalid argument
```
Ok, google said I need to destroy data with random output:

```
# dd if=/dev/random of=gpt/usrdata.eli bs=8m
dd: gpt/usrdata.eli: No such file or directory
```
Ok, I wanna check:

```
# geli list
Geom name: da0p4.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Version: 7
UsedKey: 0
Flags: BOOT
KeysAllocated: 50
KeysTotal: 50
Providers:
1. Name: da0p4.eli
   Mediasize: 26843378688 (25G)
   Sectorsize: 512
   Mode: r1w1e1
Consumers:
1. Name: da0p4
   Mediasize: 26843379200 (25G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 1073891328
   Mode: r1w1e1

Geom name: gpt/swap.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Version: 7
Flags: ONETIME, W-DETACH, W-OPEN
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: gpt/swap.eli
   Mediasize: 4294967296 (4.0G)
   Sectorsize: 4096
   Mode: r1w1e0
Consumers:
1. Name: gpt/swap
   Mediasize: 4294967296 (4.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 1073891328
   Mode: r1w1e1

Geom name: gpt/usrdata.eli
State: ACTIVE
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 448
AuthenticationAlgorithm: HMAC/SHA256
Crypto: software
Version: 7
UsedKey: 0
Flags: AUTH
KeysAllocated: 200
KeysTotal: 200
Providers:
1. Name: gpt/usrdata.eli
   Mediasize: 95443685376 (89G)
   Sectorsize: 4096
   Mode: r0w0e0
Consumers:
1. Name: gpt/usrdata
   Mediasize: 107374148096 (100G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 17408
   Mode: r1w1e1
# ls /dev
acpi            da0p2           geom.ctl        mem             sndstat         ttyv9
apm             da0p3           gpt             midistat        stderr          ttyva
apmctl          da0p4           gptid           mpt0            stdin           ttyvb
atkbd0          da0p4.eli       hpet0           nfslock         stdout          ttyvc
audit           da1             io              null            sysmouse        ttyvd
bpf             da1p1           iso9660         pass0           ttyv0           ttyve
bpf0            da2             kbd0            pass1           ttyv1           ttyvf
bpsm0           da2p1           kbd1            pass2           ttyv2           ufssuspend
cd0             devctl          kbdmux0         pass3           ttyv3           urandom
console         devctl2         klog            pci             ttyv4           usbctl
consolectl      devstat         kmem            psm0            ttyv5           xpt0
ctty            fd              led             pts             ttyv6           zero
da0             fd0             log             random          ttyv7
da0p1           fido            mdctl           reroot          ttyv8
```
What's wrong? Thanks for the help.


----------



## Murph (Jul 24, 2016)

AlexanderB said:


> Ok, google said I need to destroy data with random output:
> 
> ```
> # dd if=/dev/random of=gpt/usrdata.eli bs=8m
> ...



dd(1) will not automatically search in /dev when given relative path names; they will always be relative to your current working directory.  Try `dd if=/dev/random of=/dev/gpt/usrdata.eli bs=1m`.

That was just the obvious problem that I spotted, there might be something else going on as well.

See also geli(8) and https://www.freebsd.org/doc/handbook/disks-encrypting.html for more info and examples.


----------



## SirDice (Jul 25, 2016)

Same for this one:

```
# newfs gpt/usrdata.eli
```
It's `newfs /dev/gpt/usrdata.eli`.


----------



## AlexanderB (Aug 2, 2016)

It works. Thanks a lot for the help!

I don't want to start new topic. So...

Everything works fine when I use additional partition, but when I tried to install FreeBSD on encrypted partition with Blowifish:

```
# dd if=/dev/random of=/media/file.key bs=64 count=1
# geli init -s 4096 -K /media/file.key -e Blowfish-CBC -a hmac/sha512 -l 448 gpt/partitionname
# geli attach -k /media/file.key gpt/partitionname
```
I got these errors:

```
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 8192 bytes of data at offset 0.
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 8192 bytes of data at offset 262144.
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 8192 bytes of data at offset 65536.
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 8192 bytes of data at offset 8192.
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 8192 bytes of data at offset 0.
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 8192 bytes of data at offset 262144.
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 4096 bytes of data at offset 32768.
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 4096 bytes of data at offset 0.
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 4096 bytes of data at offset 8192.
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 4096 bytes of data at offset 65536.
GEOM_ELI: gpt/partitionname.eli: Failed to authenticate 4096 bytes of data at offset 0.
```
I have tried to use hmac/sha256 and hmac/md5... the same result. 'Attach' command only works when I don't use -a key (authentication). What;s wrong again?


----------



## AlexanderB (Aug 3, 2016)

Looks like a geli bug: http://freebsd.1045724.n5.nabble.com/geli-init-for-first-time-td5529951.html


----------



## SirDice (Aug 3, 2016)

You're using two different key files, you initialize with a file named /media/file.key and you're trying to attach using /media/da1p2.k.


----------



## AlexanderB (Aug 4, 2016)

SirDice said:


> You're using two different key files, you initialize with a file named /media/file.key and you're trying to attach using /media/da1p2.k.


Thanks for the answer. No, I just made a mistake when type the example.


----------

