From: Fabian Keil
To: "xenophon\+freebsd"
Cc: freebsd-stable@freebsd.org
Date: Wed, 7 Mar 2012 17:48:50 +0100
Subject: Re: FreeBSD root on a geli-encrypted ZFS pool
Message-ID: <20120307174850.746a6b0a@fabiankeil.de>

"xenophon\+freebsd" wrote:

> I have posted revised instructions for installing FreeBSD to an
> encrypted ZFS pool on my blog:
>
> https://web.irtnog.org/~xenophon/blog/revised-freebsd-root-zfs-geli
>
> The entire procedure is documented in a way suitable for scripting. I
> would be very interested in the community's feedback.

It's not clear to me why you enable geli integrity verification.
Given that it is single-sector-based it seems inferior to ZFS's integrity checks in every way and could actually prevent ZFS from properly detecting (and depending on the pool layout correcting) checksum errors itself.

I'm also wondering if you actually benchmarked the difference between HMAC/MD5 and HMAC/SHA256. Unless the difference can be easily measured, I'd probably stick with the recommendation.

I would also be interested in benchmarks that show that geli(8)'s recommendation to increase geli's block size to 4096 bytes makes sense for ZFS. Is anyone aware of any?

Fabian
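Both questions in the message above (HMAC/MD5 versus HMAC/SHA256, and 512-byte versus 4096-byte geli sectors) are answerable by measurement, so here is a small POSIX sh benchmark harness. It is an added example for this edit, not code from the thread or from the blog post it discusses. It assumes FreeBSD with geli(8), mdconfig(8) and dd(1), root privileges, and the format of FreeBSD dd's summary line; the function names, the swap-backed memory disk size and the 256 MiB transfer size are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original thread): measure sequential
# write/read throughput of a geli provider for each combination of sector
# size and HMAC authentication algorithm, on a swap-backed md(4) memory
# disk so that only the CPU cost of the geli path is measured.
# Usage (as root on FreeBSD):  sh geli-bench.sh run [MiB-to-transfer]

# Parse FreeBSD dd(1)'s summary line, e.g.
#   "268435456 bytes transferred in 1.234567 secs (217429687 bytes/sec)"
# and print the rate in MiB/s with one decimal. Prints nothing for lines
# that carry no rate (dd error messages), so callers can detect failure.
dd_rate_mbs() {
    printf '%s\n' "$1" | awk -F'[()]' '
        /bytes\/sec/ { split($2, f, " "); printf "%.1f\n", f[1] / 1048576 }'
}

# Benchmark one configuration: attach a one-time (random key) geli
# provider on device $1 with sector size $2 and authentication algorithm
# $3 ("none" disables integrity verification entirely), time a write
# pass and a read pass of $4 MiB, then detach the provider.
bench_one() {
    dev=$1; sectorsize=$2; aalgo=$3; mb=$4
    if [ "$aalgo" = none ]; then
        geli onetime -e AES-XTS -l 256 -s "$sectorsize" "$dev"
    else
        geli onetime -e AES-XTS -l 256 -s "$sectorsize" -a "$aalgo" "$dev"
    fi
    # Write first: with authentication enabled, reading never-written
    # sectors fails the HMAC check and returns EIO.
    w=$(dd if=/dev/zero of="/dev/$dev.eli" bs=1m count="$mb" 2>&1 | tail -n 1)
    r=$(dd if="/dev/$dev.eli" of=/dev/null bs=1m count="$mb" 2>&1 | tail -n 1)
    geli detach "$dev"
    printf '%-5s %-12s write %8s MiB/s   read %8s MiB/s\n' \
        "$sectorsize" "$aalgo" "$(dd_rate_mbs "$w")" "$(dd_rate_mbs "$r")"
}

# Create a 512 MiB memory disk (larger than the transfer, because the
# HMAC per sector reduces the usable size of the .eli provider) and run
# the full matrix, cleaning up on exit.
run_matrix() {
    mb=${1:-256}
    dev=$(mdconfig -a -t swap -s 512m)
    trap 'geli detach "$dev" 2>/dev/null; mdconfig -d -u "$dev"' EXIT
    for sectorsize in 512 4096; do
        for aalgo in none HMAC/MD5 HMAC/SHA256; do
            bench_one "$dev" "$sectorsize" "$aalgo" "$mb"
        done
    done
}

case "${1:-}" in
    run) run_matrix "${2:-256}" ;;
esac
```

Running on a memory disk isolates what distinguishes the two hash choices, the CPU cost of encryption plus HMAC per sector, so a difference that does not show up here will not show up on a real disk either. The 4096-byte sector question also depends on the physical disk and on the pool's ashift, so for that one point `bench_one` at a spare partition (geli onetime and the dd write overwrite whatever is there) and compare against a ZFS pool created on top of the resulting .eli device with matching ashift.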