From: Pete Wright
To: questions@freebsd.org
Date: Thu, 12 Jan 2023 11:50:20 -0800
Subject: Re: Encrypt an existing file system.
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On 1/12/23 11:23, 0x1eef wrote:
> Is it possible to encrypt those partitions without losing the data?
>
> I wanted to do that before, but found no solutions. The best, and easiest
> option might be moving the data elsewhere, encrypting the disk, and
> then moving the data back onto the encrypted disk.


yea that will probably be the easiest way to go using the native tooling. freebsd's encryption tools operate on either entire disks or partitions:

https://docs.freebsd.org/en/books/handbook/disks/#disks-encrypting

We recently also added support for ZFS filesystem encryption as well, but it looks like you are not using ZFS:
https://klarasystems.com/articles/openzfs-native-encryption/

i personally encrypt my disks using geli - then install ZFS on top of those encrypted disks. the goal for me is to ensure that if someone were to obtain one of my disks they will not be able to easily access the data on the disks (for example swapping out a failed drive in a server).

Cheers,
-pete
-- 
Pete Wright
pete@nomadlogic.org
@nomadlogicLA
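
The move-out, encrypt, move-back approach discussed in this message, written out for a UFS partition and geli as an added example that is not part of the original post. The partition `ada1p1`, the mount point `/home` and the dump path are constructed placeholders, UFS is an assumption, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example. DRY_RUN=1 (default) only prints the commands; set DRY_RUN=0
# on the FreeBSD host to execute them. Device and paths are placeholders.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# migrate_to_geli PARTITION MOUNTPOINT BACKUP_FILE
migrate_to_geli() {
    part="$1"; mnt="$2"; backup="$3"

    # The backup must not live on the filesystem that is about to be replaced.
    case "$backup" in
        "$mnt"/*) echo "refusing: $backup is inside $mnt" >&2; return 1 ;;
    esac

    # 1. Move the data elsewhere: level-0 dump of the live UFS filesystem.
    run dump -0Laf "$backup" "$mnt" || return 1
    # 2. Prove the archive is readable before anything destructive happens.
    run restore -tf "$backup" || return 1
    run umount "$mnt" || return 1

    # 3. Encrypt the partition. The old filesystem is unusable afterwards;
    #    geli init prompts for the passphrase.
    run geli init -e AES-XTS -l 256 -s 4096 "/dev/${part}" || return 1
    run geli attach "/dev/${part}" || return 1

    # 4. New filesystem on the decrypted .eli provider, then move the data back.
    run newfs -U "/dev/${part}.eli" || return 1
    run mount "/dev/${part}.eli" "$mnt" || return 1
    run sh -c 'cd "$1" && restore -rf "$2"' sh "$mnt" "$backup" || return 1
}

# Print the plan for the placeholder partition.
migrate_to_geli ada1p1 /home /backup/home.dump
```

After the move, `/etc/fstab` has to reference the `.eli` provider instead of the raw partition.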