Re: GELI zfs encryption removal
- In reply to: void : "GELI zfs encryption removal"
Date: Thu, 15 Feb 2024 17:52:04 UTC
On Wed, Feb 14, 2024 at 11:09 PM void <void@f-m.fm> wrote:
> Hi,
>
> I'd like to remove GELI encryption. It was installed
> when the OS was installed; the option to encrypt data was
> chosen when auto-zfs was selected.
>
> At the moment, when it reboots, it prompts for the GELI
> passphrase, which I have to enter from the console[1], and it
> then boots normally. [1] is a nuisance to access, so I'd like to
> (safely) remove it. Is this possible, without having to transfer
> all the data out, reformat, then transfer it all back in again?
>

Hi

It should be possible in theory, but some development would be needed
before you could do it in practice.

On Linux there is the FIBMAP ioctl, which can tell the caller the offset
on the filesystem's block device for a given file block (or some special
value if the block is sparse). There are tools like convertfs and
fstransform [1], which can reformat the block device to a different
filesystem in-place. They start by (1) creating a sparse file as large
as the block device, (2) loop-mounting and formatting that sparse file
with the new filesystem, (3) moving all the files from the underlying
filesystem into this new filesystem. At that point, the old filesystem
has a single large file, containing the new filesystem and all the
files. Every block in that file is then scanned with the FIBMAP ioctl to
discover where on the block device it lies. Finally, the blocks are
moved around, so each is in the right place for the block device to
contain the new filesystem.

Now if FreeBSD has a similar ioctl (when last I checked it didn't), a
similar process could be used to permanently decrypt a GELI block
device. The block rearrangement step at the end would need to read
blocks from GELI, but write them to the GEOM provider under GELI.

Also GELI uses cipher block chaining, which means blocks relate to some
of their adjacent blocks, and cannot be overwritten individually without
corrupting the others, so such a tool would have to move blocks around
very carefully.

[1] https://sourceforge.net/projects/fstransform
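The final "move the blocks around" step described in the reply is the part that is easy to get wrong, because every block you overwrite may itself be the source for some other block. The following is an added simulation written for this archive page; it is not code from fstransform, convertfs, or the author of the reply. It models the block device as a Python list of fixed-size blocks, assumes the old filesystem holds one device-sized file whose block i lives at device block `fibmap[i]` (as a FIBMAP-style scan would report, with `None` for a sparse hole), and rearranges the device in place so that block i of the device ends up holding block i of the file. The map is injective, so it decomposes into chains (which can be walked from a block nobody needs) and cycles (which need one scratch block). The sample device, its contents and the `fibmap` values are constructed for the demo; the simulation deliberately ignores the adjacent-block dependence the reply warns about for GELI, and a real tool would additionally read through the decrypting device and write to the underlying provider, as the reply notes.

```python
"""In-place block relocation driven by a FIBMAP-style block map.

Constructed simulation (not fstransform/convertfs code): the "device" is a
Python list of fixed-size blocks. Assumed layout: the old filesystem holds
one device-sized file whose block i lives at device block fibmap[i]
(None for a sparse hole). The goal is dev[i] == file block i for every i,
which is the final step the reply describes.
"""

BLOCK_SIZE = 4
ZERO_BLOCK = b"\0" * BLOCK_SIZE


def relocate_blocks(dev, fibmap):
    """Rearrange dev in place so dev[i] holds file block i (zeros for holes).

    fibmap[i] is the device block currently holding file block i, or None.
    Distinct file blocks occupy distinct device blocks, so the map is an
    injection: following destination -> source links yields either a chain
    that ends in a hole, or a cycle. Chains are walked starting from a block
    whose content nobody needs; cycles use a one-block scratch buffer.
    """
    n = len(dev)
    if len(fibmap) != n:
        raise ValueError("file must be exactly as large as the device")
    # dst_of[d] = file block index whose data currently sits at device block d
    dst_of = {d: i for i, d in enumerate(fibmap) if d is not None}
    if len(dst_of) != sum(1 for d in fibmap if d is not None):
        raise ValueError("fibmap is not injective: two file blocks share a block")
    done = [False] * n

    def move_along(start, stop_at=None):
        # Copy blocks into place along destination -> source links. Each block
        # we overwrite has already been copied onward (or was not needed), so
        # a single pass never destroys data. Returns the last block visited.
        cur = start
        while True:
            src = fibmap[cur]
            done[cur] = True
            if src is None:          # hole: the new filesystem wants zeros here
                dev[cur] = ZERO_BLOCK
                return cur
            if src == stop_at:       # back at the cycle start; caller restores it
                return cur
            dev[cur] = dev[src]
            cur = src

    # 1. Chains: start from device blocks whose current content is needed
    #    nowhere (free space or old-filesystem metadata).
    for head in range(n):
        if head not in dst_of and not done[head]:
            move_along(head)
    # 2. Everything left lies on pure cycles: save one block, rotate, restore.
    for i in range(n):
        if not done[i]:
            scratch = dev[i]
            last = move_along(i, stop_at=i)
            dev[last] = scratch


def build_example():
    """Constructed sample: 8-block device, one 8-block file scattered over it."""
    # File block i lives at device block fibmap[i]; file block 2 is a hole.
    # Device block 4 holds old-filesystem metadata that no file block uses.
    fibmap = [5, 2, None, 0, 1, 3, 7, 6]
    file_blocks = [("f%d" % i).encode().ljust(BLOCK_SIZE, b".") for i in range(8)]
    dev = [b"OLD-"] * 8
    for i, d in enumerate(fibmap):
        if d is not None:
            dev[d] = file_blocks[i]
    return dev, fibmap, file_blocks


def device_matches_file(dev, file_blocks, fibmap):
    """True when device block i now holds file block i (zeros for holes)."""
    return all(
        dev[i] == (ZERO_BLOCK if fibmap[i] is None else file_blocks[i])
        for i in range(len(dev))
    )


def run_demo():
    """Relocate the constructed sample and report whether the layout is right."""
    dev, fibmap, file_blocks = build_example()
    relocate_blocks(dev, fibmap)
    return device_matches_file(dev, file_blocks, fibmap), dev


if __name__ == "__main__":
    ok, dev = run_demo()
    print("layout correct:", ok)
    for i, blk in enumerate(dev):
        print(i, blk)
```

The sample map exercises all three cases the algorithm must handle: a chain that starts at the unused metadata block and ends in the hole, a three-block cycle, and a two-block cycle. Running it on a map with a duplicated device block raises `ValueError`, which is the check a real converter would want before it starts overwriting anything.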