# key



## Deleted member 60479 (Nov 4, 2020)

I lost the encryption key (ada1.key) to my backup. Is it possible to access the backup drive?


----------



## SirDice (Nov 4, 2020)

The drive itself, sure. But you cannot access the data without the key.


----------



## Deleted member 60479 (Nov 4, 2020)

Worst kind of answer... but thank you.


----------



## SirDice (Nov 4, 2020)

It would defeat the entire purpose of the encryption if you could access the data without a proper key.


----------



## George (Nov 4, 2020)

Maybe some brute-force attack... He didn't say what type of encryption was used. ;D


----------



## SirDice (Nov 4, 2020)

Judging by the naming of the key, I'm going to say geli(8). Good luck trying to brute-force that.


----------



## Deleted member 60479 (Nov 4, 2020)

I have the passphrase. I just don't have the key-file ada1.key


----------



## SirDice (Nov 4, 2020)

jackson said:


> Is there a key file for the operating system as well, when it is encrypted?


If you used full disk encryption, no. The whole disk is encrypted with that same key.



jackson said:


> I have the passphrase. I just don't have the key-file ada1.eli


The password is useless without the key and the key is useless without the password. You need to have *both* to unlock the encryption.

I once did something similar. Had an encrypted external drive. Reinstalled the machine and forgot to backup the key. So the data on the external drive was lost too. There is no way to recover that key or the password if you lose either one.


----------



## Deleted member 60479 (Nov 4, 2020)

So, why is my external backup disk encrypted with a key and not my OS?


----------



## SirDice (Nov 4, 2020)

jackson said:


> So, why is my external backup disk encrypted with a key and not my OS?


Oh, wait, I misunderstood the previous remarks. Maybe, just maybe, you can find a backup of your key in /var/backup/.


----------



## Deleted member 60479 (Nov 4, 2020)

Sometimes encryption hurts you more than it protects you. I just don't get it. Why no key-file for the installed machine?


----------



## SirDice (Nov 4, 2020)

jackson said:


> Sometimes encryption hurts you more than it protects you.


The disk itself could simply die too. But yes, encryption does mean you need to take really good care of your keys. Back them up and store them somewhere safe (not on the disk that requires that key to access it).



jackson said:


> Why no key-file for the installed machine?


Why would there be a key file for the installed machine?


----------



## Deleted member 60479 (Nov 4, 2020)

I'm not smart enough to get it. Why a key-file then for the external backup?


----------



## SirDice (Nov 4, 2020)

jackson said:


> Why a key-file then for the external backup?


Because you configured it that way. You can use a passphrase, a key or both. If you configured it with both a key _and_ a passphrase, you're going to need both to unlock it. 



> The user keys are made up of an optional combination of random bytes from a file, /root/da2.key, and/or a passphrase.

From the FreeBSD Handbook, Procedure 17.4, Encrypting a Partition with geli.


```
User Key
     Each stored copy of the Master Key is encrypted with a User Key, which is
     generated by the geli utility from a passphrase and/or a keyfile.  The
     geli utility first reads all parts of the keyfile in the order specified
     on the command line, then reads all parts of the stored passphrase in the
     order specified on the command line.  If no passphrase parts are
     specified, the system prompts the user to enter the passphrase.  The
     passphrase is optionally strengthened by PKCS#5v2.  The User Key is a
     digest computed over the concatenated keyfile and passphrase.
```
From geli(8), take special note of the last sentence.
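Putting the two points from SirDice's replies together (keep the keyfile and a metadata backup somewhere other than the encrypted disk, and expect to supply both the keyfile and the passphrase at attach time), here is an added POSIX sh script. It is not from the thread or from the FreeBSD project; the device /dev/da1, the keyfile path /root/da1.key and the off-disk copy location /mnt/usbstick are assumptions. One caveat worth knowing: `geli init` writes a metadata backup to /var/backups/<prov>.eli by default (the `-B` option changes the path). That file holds the encrypted Master Key and is what `geli restore` consumes; it is not a copy of the user keyfile, so it does not help when the keyfile itself is gone.

```shell
#!/bin/sh
# Added example (not from the thread): initialise a geli provider with BOTH a
# keyfile and a passphrase, keep the metadata backup and a copy of the keyfile
# off the encrypted disk, and attach/detach it. Paths below are assumptions.
set -eu

PROV="${PROV:-/dev/da1}"             # the backup disk (assumed device name)
KEYFILE="${KEYFILE:-/root/da1.key}"  # keyfile lives on the root disk, not on $PROV
OFFSITE="${OFFSITE:-/mnt/usbstick}"  # second copy of keyfile + metadata (assumed)

# 64 random bytes, the keyfile size used by the Handbook procedure.
# Refuses to overwrite: clobbering a keyfile of a live provider loses the data.
make_keyfile() {
    f="$1"
    [ -e "$f" ] && { echo "refusing to overwrite $f" >&2; return 1; }
    ( umask 077; dd if=/dev/random of="$f" bs=64 count=1 2>/dev/null )
    chmod 0400 "$f"
}

init_provider() {
    prov="$1"; key="$2"
    meta="/root/$(basename "$prov").eli.backup"
    # -K: keyfile part of the User Key. No -P, so geli also prompts for a
    #     passphrase; from now on BOTH are needed to attach.
    # -B: where the metadata backup goes (default /var/backups/<prov>.eli).
    #     It holds the encrypted Master Key, not the keyfile.
    geli init -B "$meta" -K "$key" "$prov"
    # Copy both artefacts somewhere that is not the encrypted disk itself.
    cp -p "$key" "$meta" "$OFFSITE/"
}

# -k supplies the keyfile; geli prompts for the passphrase. Missing either
# one fails, which is exactly the situation the thread is about.
attach_provider() {
    geli attach -k "$2" "$1"
}

detach_provider() {
    geli detach "$(basename "$1").eli"
}

case "${1:-}" in
    init)   make_keyfile "$KEYFILE"; init_provider "$PROV" "$KEYFILE" ;;
    attach) attach_provider "$PROV" "$KEYFILE" ;;
    detach) detach_provider "$PROV" ;;
esac
```

Run it as `sh geli-backup.sh init` once (it will prompt for the passphrase twice), then `attach` / `detach` as needed. Store the keyfile and the metadata backup in at least one place that does not depend on the encrypted disk, and on a different machine than the one whose reinstall could wipe /root.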


----------



## rootbert (Nov 4, 2020)

ahm, because you initialized it with a key-file?


----------



## Deleted member 60479 (Nov 4, 2020)

I get it. So a key file and a passphrase secures your data even more than just a passphrase. For the installed machine you may only use a passphrase. Thanks.


----------



## SirDice (Nov 4, 2020)

jackson said:


> So a key file and a passphrase secures your data even more than just a passphrase.


Yes, exactly. It's a 2-factor authentication, it's something you have (the key) and something you know (the passphrase).


----------



## Deleted member 60479 (Nov 4, 2020)

Thank you.


----------



## Deleted member 60479 (Nov 24, 2020)

Am I able to consistently mount the same encrypted disk in fstab? GEOM names jump around, changing from da0 to da1, etc.


----------



## SirDice (Nov 24, 2020)

Use labels.

Labeling partitions done right on modern computers. (forums.freebsd.org)

> If you have ever added or removed a disk from your computer running FreeBSD, you have probably experienced that device names had moved around after a reboot and FreeBSD wouldn't boot anymore or a ZFS pool failed. Labels can work around that. Before we start, it’s important to know that there...

----------



## Deleted member 60479 (Nov 27, 2020)

Thank you, sir.


----------



## ralphbsz (Nov 28, 2020)

Hey, you're doing better than I am. I have an external backup disk, which is fully encrypted and used for offsite (away from home) safety. I have the passphrase recorded, that's not the problem. The problem is that the whole disk is lost. Usually, it is stored in my office. But I know I took it home before the Covid lockdown, and I have updated it at home once (that's in the log file), and I have not been in my office at all since February. It might be stored in my wife's office ... so I asked her to look absolutely everywhere, and she searched the place and didn't find it. Or it could be at home, and we've spent about 3 hours looking everywhere, and it is nowhere to be found. So I have a key and no disk.

The obvious solution was: find another external portable disk, initialize it, write a new backup on it. All done, except that it is still sitting on the desk at home, waiting to be taken to my wife's office.


----------



## Deleted member 60479 (Nov 28, 2020)

You have the key but no disk.
I have the disk but no key.
Great.


----------

