From owner-freebsd-geom@FreeBSD.ORG Sun Jan 13 23:15:42 2008
From: Volker <volker@vwsoft.com>
Date: Sun, 13 Jan 2008 23:42:28 +0100
To: freebsd-geom@freebsd.org
Subject: geli(8) manpage
Message-ID: <478A93D4.3030200@vwsoft.com>

Hi!

quote from geli(8):

    You are the security-person in your company. Create an encrypted
    provider for use by the user, but remember that users forget their
    passphrases, so back Master Key up with your own random key:

    # dd if=/dev/random of=/mnt/pendrive/keys/`hostname` bs=64 count=1
    # geli init -P -K /mnt/pendrive/keys/`hostname` /dev/ad0s1e
    # geli backup /dev/ad0s1e /mnt/pendrive/backups/`hostname`
    (use key number 0, so the encrypted Master Key by you will be overwritten)
    # geli setkey -n 0 -k /mnt/pendrive/keys/`hostname` /dev/ad0s1e
    (allow the user to enter his passphrase)
    Enter new passphrase:
    Reenter new passphrase:

/quote

When trying this scenario, geli claims about the "setkey -n 0" command
with "geli: Missing -p flag." All works well with the -p flag, so I guess
the manpage is wrong here?

Volker

From owner-freebsd-geom@FreeBSD.ORG Sun Jan 13 23:15:42 2008
From: Volker <volker@vwsoft.com>
Date: Sun, 13 Jan 2008 23:42:07 +0100
To: freebsd-geom@freebsd.org
Subject: how-to: encryption + journaling (geli + gjournal)
Message-ID: <478A93BF.4070404@vwsoft.com>

For the archives (as I haven't found a nice how-to on this topic):

A short how-to to get geli + gjournal running smoothly (the lazy way,
depending mostly on OS infrastructure, no script hacking needed).

- set up your geli provider:

  geli load
  geli init /dev/ad0s1d                         # check geli(8) for this
  geli attach /dev/ad0s1d
  dd if=/dev/random of=/dev/ad0s1d.eli bs=1m    # (use higher values bs=... for faster operation)

- set up journaling:

  gjournal load
  gjournal label /dev/ad0s1d.eli
  newfs -J /dev/ad0s1d.eli.journal

/etc/fstab:
  /dev/ad0s1d.eli.journal /anywhere ufs rw,async,late 2 2

/etc/rc.conf:
  geli_devices="ad0s1d"
  geli_ad0s1d_flags=""            # depends on how you've set up geli
  geli_ad0s1d_autodetach="NO"

/boot/loader.conf:
  geom_eli_load="YES"
  geom_journal_load="YES"

Warning: If you make a mistake, your machine will go into single user
mode on reboot. Don't try this w/o console access.

For a desktop machine, using a passphrase is not that bad (beware of key
loggers).

It's probably not *the* solution for everybody, but isn't that easy to
get security and fault tolerance?
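A pre-reboot consistency check for the rc.conf, loader.conf and fstab wiring in the how-to above, added here as an example (it is not part of the post and not FreeBSD's own rc.d logic): it flags a missing module line, a device listed in geli_devices without its per-device knobs, and an fstab that does not mount the .eli.journal provider with the options the how-to uses. The sample configurations are constructed inline; the check functions and their messages are the example's own.

```python
import re

# sh-style NAME="value" lines (optionally followed by a # comment), as in rc.conf and loader.conf.
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')


def parse_assignments(text):
    """Parse NAME="value" lines into a dict; blank and comment-only lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def parse_fstab(text):
    """Return {device: (mountpoint, fstype, set(options))} for every fstab entry."""
    out = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            dev, mnt, fstype, opts = fields[:4]
            out[dev] = (mnt, fstype, set(opts.split(",")))
    return out


def check_geli_journal(rc_conf, loader_conf, fstab):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    rc = parse_assignments(rc_conf)
    loader = parse_assignments(loader_conf)
    mounts = parse_fstab(fstab)

    # Both GEOM classes have to be loaded at boot, otherwise neither provider appears.
    for mod in ("geom_eli_load", "geom_journal_load"):
        if loader.get(mod, "").upper() != "YES":
            problems.append(f'loader.conf: {mod}="YES" is missing')

    devices = rc.get("geli_devices", "").split()
    if not devices:
        problems.append("rc.conf: geli_devices is empty or missing")

    for dev in devices:
        # Per-device knobs the how-to sets; it uses autodetach="NO".
        for knob in (f"geli_{dev}_flags", f"geli_{dev}_autodetach"):
            if knob not in rc:
                problems.append(f"rc.conf: {knob} is not set")
        if rc.get(f"geli_{dev}_autodetach", "NO").upper() != "NO":
            problems.append(f'rc.conf: geli_{dev}_autodetach differs from the how-to ("NO")')

        journal_dev = f"/dev/{dev}.eli.journal"
        # Mounting the raw slice or the bare .eli provider would bypass the journal.
        for other in (f"/dev/{dev}", f"/dev/{dev}.eli"):
            if other in mounts:
                problems.append(f"fstab: {other} is also mounted; only {journal_dev} should be")
        entry = mounts.get(journal_dev)
        if entry is None:
            problems.append(f"fstab: no entry for {journal_dev}")
            continue
        _mountpoint, fstype, opts = entry
        if fstype != "ufs":
            problems.append(f"fstab: {journal_dev} has fstype {fstype}, expected ufs")
        for opt in ("async", "late"):
            if opt not in opts:
                problems.append(f"fstab: {journal_dev} lacks '{opt}' (the how-to mounts it rw,async,late)")
    return problems


# Constructed sample files mirroring the how-to (not copied from any real host).
GOOD_RC_CONF = '''
geli_devices="ad0s1d"
geli_ad0s1d_flags=""            # depends on how you've set up geli
geli_ad0s1d_autodetach="NO"
'''
GOOD_LOADER_CONF = 'geom_eli_load="YES"\ngeom_journal_load="YES"\n'
GOOD_FSTAB = "/dev/ad0s1d.eli.journal /anywhere ufs rw,async,late 2 2\n"

# The same host with the journal module forgotten and fstab pointing at the bare .eli device.
BAD_LOADER_CONF = 'geom_eli_load="YES"\n'
BAD_FSTAB = "/dev/ad0s1d.eli /anywhere ufs rw 2 2\n"

if __name__ == "__main__":
    for label, files in (("good", (GOOD_RC_CONF, GOOD_LOADER_CONF, GOOD_FSTAB)),
                         ("bad", (GOOD_RC_CONF, BAD_LOADER_CONF, BAD_FSTAB))):
        print(label, check_geli_journal(*files) or "ok")
```

Run it against copies of the three files before rebooting; anything it reports is a reason to stay at the console.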
From owner-freebsd-geom@FreeBSD.ORG Mon Jan 14 01:37:00 2008
From: RW
Date: Mon, 14 Jan 2008 01:14:12 +0000
To: freebsd-geom@freebsd.org
Subject: Re: how-to: encryption + journaling (geli + gjournal)
Message-ID: <20080114011412.33a91fac@gumby.homeunix.com.>
In-Reply-To: <478A93BF.4070404@vwsoft.com>

On Sun, 13 Jan 2008 23:42:07 +0100
Volker wrote:

> For the archives (as I haven't found a nice how-to on this topic):
>
> A short how-to to get geli + gjournal running smoothly (the lazy way,
> depending mostly on OS infrastructure, no script hacking needed).
>
> - set up your geli provider:
> geli load
> geli init /dev/ad0s1d # check geli(8) for this
> geli attach /dev/ad0s1d
> dd if=/dev/random of=/dev/ad0s1d.eli bs=1m # (use higher values bs=...
> for faster operation)

It would probably be faster to fill /dev/ad0s1d from /dev/random before
doing the geli init - there's no point in encrypting the random numbers.
It would also ensure that the whole of ad0s1d is pre-filled, and not
just the part accessible as ad0s1d.eli.

From owner-freebsd-geom@FreeBSD.ORG Mon Jan 14 11:06:59 2008
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
Date: Mon, 14 Jan 2008 11:06:58 GMT
To: freebsd-geom@FreeBSD.org
Subject: Current problem reports assigned to freebsd-geom@FreeBSD.org
Message-Id: <200801141106.m0EB6wuv052544@freefall.freebsd.org>
Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/73177   geom  kldload geom_* causes panic due to memory exhaustion
o kern/76538   geom  [gbde] nfs-write on gbde partition stalls and continue
o kern/83464   geom  [geom] [patch] Unhandled malloc failures within libgeo
o kern/84556   geom  [geom] GBDE-encrypted swap causes panic at shutdown
o kern/87544   geom  [gbde] mmaping large files on a gbde filesystem deadlo
o kern/89102   geom  [geom_vfs] [panic] panic when forced unmount FS from u
o bin/90093    geom  fdisk(8) incapable of altering in-core geometry
o kern/90582   geom  [geom_mirror] [panic] Restore cause panic string (ffs_
o kern/98034   geom  [geom] dereference of NULL pointer in acd_geom_detach
o kern/104389  geom  [geom] [patch] sys/geom/geom_dump.c doesn't encode XML
o kern/113419  geom  [geom] geom fox multipathing not failing back
o misc/113543  geom  [geom] [patch] geom(8) utilities don't work inside the
o kern/113957  geom  [gmirror] gmirror is intermittently reporting a degrad
o kern/115572  geom  [gbde] gbde partitions fail at 28bit/48bit LBA address

14 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o bin/78131    geom  gbde "destroy" not working.
o kern/79251   geom  [2TB] newfs fails on 2.6TB gbde device
o kern/94632   geom  [geom] Kernel output resets input while GELI asks for
f kern/105390  geom  [geli] filesystem on a md backed by sparse file with s
o kern/107707  geom  [geom] [patch] add new class geom_xbox360 to slice up
p bin/110705   geom  gmirror control utility does not exit with correct exi
o kern/113837  geom  [geom] unable to access 1024 sector size storage
o kern/113885  geom  [geom] [patch] improved gmirror balance algorithm
o kern/114532  geom  GEOM_MIRROR shows up in kldstat even if compiled in th
o kern/115547  geom  [geom] [patch] for GEOM Eli to get password from stdin

10 problems total.

From owner-freebsd-geom@FreeBSD.ORG Mon Jan 14 12:12:11 2008
From: Volker <volker@vwsoft.com>
Date: Mon, 14 Jan 2008 13:11:38 +0000
To: RW
Cc: freebsd-geom@freebsd.org
Subject: Re: Re: how-to: encryption + journaling (geli + gjournal)
Message-ID: <478B5F8A.7090408@vwsoft.com>
In-Reply-To: <20080114011412.33a91fac@gumby.homeunix.com.>
References: <478A93BF.4070404@vwsoft.com> <20080114011412.33a91fac@gumby.homeunix.com.>

On 12/23/-58 19:59, RW wrote:
> On Sun, 13 Jan 2008 23:42:07 +0100
> Volker wrote:
>
>> For the archives (as I haven't found a nice how-to on this topic):
>>
>> A short how-to to get geli + gjournal running smoothly (the lazy way,
>> depending mostly on OS infrastructure, no script hacking needed).
>>
>> - set up your geli provider:
>> geli load
>> geli init /dev/ad0s1d # check geli(8) for this
>> geli attach /dev/ad0s1d
>> dd if=/dev/random of=/dev/ad0s1d.eli bs=1m # (use higher values bs=...
>> for faster operation)
>
> It would probably be faster to fill /dev/ad0s1d from /dev/random before
> doing the geli init - there's no point in encrypting the random numbers.
> It would also ensure that the whole of ad0s1d is pre-filled, and not
> just the part accessible as ad0s1d.eli.

If you think it doesn't make sense or is a fault, please file a PR as
filling the data provider with random data has been taken from the
manpage geli(8).

Otherwise I'm considering this being a bike shed.

If you know it better, I'm wondering why you haven't written a how-to
in the past?
From owner-freebsd-geom@FreeBSD.ORG Mon Jan 14 21:15:52 2008
From: RW
Date: Mon, 14 Jan 2008 21:15:37 +0000
To: freebsd-geom@freebsd.org
Subject: Re: how-to: encryption + journaling (geli + gjournal)
Message-ID: <20080114211537.1f8ed0ff@gumby.homeunix.com.>
In-Reply-To: <478B5F8A.7090408@vwsoft.com>

On Mon, 14 Jan 2008 13:11:38 +0000
Volker wrote:

> On 12/23/-58 19:59, RW wrote:
> > It would probably be faster to fill /dev/ad0s1d from /dev/random
> > before doing the geli init - there's no point in encrypting the
> > random numbers. It would also ensure that the whole of ad0s1d is
> > pre-filled, and not just the part accessible as ad0s1d.eli.
>
> If you think it doesn't make sense or is a fault, please file a PR as
> filling the data provider with random data has been taken from the
> manpage geli(8).

It's only an example.

>
> Otherwise I'm considering this being a bike shed.
>
> If you know it better, I'm wondering why you haven't written a how-to
> in the past?

There's no need to be rude, I'm only trying to help.

In my experience writing from /dev/random to a raw partition is almost
twice as fast as writing to an .eli device - essentially it's single
versus double encryption. I recently filled a raw partition on a 500GB
drive and it took 6 hours, doing it on the eli device would have taken
about 11 hours. I think you'd have to have a lot of time on your hands
to consider this a bike shed.

From owner-freebsd-geom@FreeBSD.ORG Wed Jan 16 16:59:29 2008
From: "Cyrus Rahman" <crahman@gmail.com>
Date: Wed, 16 Jan 2008 09:32:29 -0700
To: freebsd-geom@freebsd.org
Subject: Authentication with geom_eli
Message-ID: <9e77bdb50801160832p39619f1fm85bf1454fead3357@mail.gmail.com>

The addition of data integrity verification to geom_eli is a great thing
and very useful. As it is implemented, it also provides some
considerable measure of authentication. This also has utility, but for
the applications I have in mind it is less useful than either encryption
or integrity verification.

With this in mind, the addition of a less expensive authentication
algorithm, say a CRC, which would still provide a check on the channel
between geom_eli and the physical disk sectors without the overhead of
md5 or sha256, would be extremely useful.
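The CRC-versus-HMAC question raised in this message, as an added example that is not part of the thread or of geom_eli: a toy per-sector tag store (not geli's on-disk layout; KEY, the sector contents and the TaggedStore class are constructed) showing that a CRC catches accidental corruption but, being unkeyed, is simply recomputed by whoever writes the sector, whereas an HMAC needs the key; neither per-sector tag notices an older, validly tagged sector being put back, which is the replay gap the thread comes back to later.

```python
import hashlib
import hmac
import zlib

SECTOR = 512              # bytes per sector in this toy model
KEY = bytes(range(32))    # constructed key; a real one would be derived from the provider's keys


def crc_tag(_key, data):
    """Unkeyed checksum: whoever can write the sector can recompute a matching tag."""
    return zlib.crc32(data).to_bytes(4, "big")


def hmac_tag(key, data):
    """Keyed tag: a matching tag requires the key (geli's -a hmac/<hash> works this way)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class TaggedStore:
    """In-memory 'disk' holding a (data, tag) pair per sector; read() verifies the tag."""

    def __init__(self, tag_fn, key):
        self.tag_fn, self.key, self.sectors = tag_fn, key, {}

    def write(self, n, data):
        assert len(data) == SECTOR
        self.sectors[n] = (data, self.tag_fn(self.key, data))

    def read(self, n):
        data, tag = self.sectors[n]
        if not hmac.compare_digest(tag, self.tag_fn(self.key, data)):
            raise IOError(f"sector {n}: tag mismatch")
        return data

    def verifies(self, n):
        """True if a read of sector n passes the integrity check."""
        try:
            self.read(n)
            return True
        except IOError:
            return False


def run_scenarios(tag_fn):
    """Return {scenario: detected?} for one tag function under three fault models."""
    store = TaggedStore(tag_fn, KEY)
    original = b"A" * SECTOR
    store.write(7, original)
    stale = store.sectors[7]            # a genuinely tagged (data, tag) pair from before
    results = {}

    # 1. Accidental corruption: one bit of the data flips, the stored tag is untouched.
    data, tag = store.sectors[7]
    flipped = bytearray(data)
    flipped[100] ^= 0x01
    store.sectors[7] = (bytes(flipped), tag)
    results["bit_rot"] = not store.verifies(7)

    # 2. A rewrite by a party that does not hold KEY and tags with the only key it has (none).
    store.write(7, original)
    new = b"B" * SECTOR
    store.sectors[7] = (new, tag_fn(b"", new))
    results["keyless_rewrite"] = not store.verifies(7)

    # 3. Replay: the old, genuinely tagged pair is put back over newer content.
    store.write(7, b"C" * SECTOR)
    store.sectors[7] = stale
    results["replay"] = not store.verifies(7)
    return results


if __name__ == "__main__":
    for name, fn in (("crc32", crc_tag), ("hmac-sha256", hmac_tag)):
        print(name, run_scenarios(fn))
```

The CRC reports only the bit flip; the HMAC also reports the keyless rewrite; the replayed sector passes both, so a stale-but-authentic sector is only caught by something above the per-sector tag (a version counter or a higher layer's checksum tree).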
From owner-freebsd-geom@FreeBSD.ORG Wed Jan 16 20:05:05 2008
From: Ivan Voras
Date: Wed, 16 Jan 2008 20:31:32 +0100
To: freebsd-geom@freebsd.org
Subject: Re: Authentication with geom_eli
In-Reply-To: <9e77bdb50801160832p39619f1fm85bf1454fead3357@mail.gmail.com>

Cyrus Rahman wrote:

> With this in mind, the addition of a less expensive authentication
> algorithm, say a CRC, which would still provide a check on the
> channel between geom_eli and the physical disk sectors without the
> overhead of md5 or sha256, would be extremely useful.

I think this discussion was held in relation with ZFS (which by default
does strong hashing of ALL data ALWAYS) and that somebody concluded from
experiments that, given the difference in speed between modern CPUs and
modern drives, there wasn't much difference between using CRC32 and
using a strong hash.

Of course, on slower / embedded devices the situation is much different.

From owner-freebsd-geom@FreeBSD.ORG Thu Jan 17 01:52:19 2008
From: Allan Fields <afields@ncf.ca>
Date: Wed, 16 Jan 2008 17:51:21 -0500
To: Ivan Voras
Cc: freebsd-geom@freebsd.org
Subject: Re: Authentication with geom_eli
Message-id: <75FB90A1-5053-42C6-8466-1C4BF2208EF5@ncf.ca>

On 16-Jan-08, at 2:31 PM, Ivan Voras wrote:

> Cyrus Rahman wrote:
>
>> With this in mind, the addition of a less expensive authentication
>> algorithm, say a CRC, which would still provide a check on the
>> channel between geom_eli and the physical disk sectors without the
>> overhead of md5 or sha256, would be extremely useful.
>
> I think this discussion was held in relation with ZFS (which by
> default does strong hashing of ALL data ALWAYS) and that somebody
> concluded from experiments that, given the difference in speed
> between modern CPUs and modern drives, there wasn't much difference
> between using CRC32 and using a strong hash.
>
> Of course, on slower / embedded devices the situation is much
> different.

Mind you, perhaps this is best implemented as a separate GEOM class
altogether.

I have had difficulty getting the GELI SHA and MD5 hashing to perform
as expected, though it initializes without error. Perhaps this works
in a new release; I will verify, and if not I'll file a PR.

Thanks,
Allan Fields

From owner-freebsd-geom@FreeBSD.ORG Thu Jan 17 14:15:28 2008
From: "Cyrus Rahman" <crahman@gmail.com>
Date: Thu, 17 Jan 2008 07:15:26 -0700
To: freebsd-geom@freebsd.org
Message-ID: <9e77bdb50801170615l3ff6f6bbo97ade8b4471dc7b0@mail.gmail.com>
In-Reply-To: <9e77bdb50801160832p39619f1fm85bf1454fead3357@mail.gmail.com>
Subject: Re: Authentication with geom_eli

Here are some timings related to different encryption and
authentication algorithms. Although the authentication involves extra
copying and additional data being written to disk, it is clear the
algorithm is also quite significant.

The system is a quad processor Q6600 running at 2.4GHz with mid-range
SATA disks.

Given the considerable performance hit and the fact that for most
applications the only viable and useful authentication attacks I can
think of would involve replay, which is not detected in the current
implementation, I think there is a clear benefit to an algorithm like
a CRC to provide data integrity at a lower cost.

But I also agree that the ideal place for a CRC style check would be
in a separate geom layer.

Baseline:
dd if=/dev/random of=/dev/mirror/gm0 bs=1m count=200
200+0 records in
200+0 records out
209715200 bytes transferred in 4.733112 secs (44308101 bytes/sec)

***
Varied encryption algorithms:
geli init -P -e aes -l 256 -s 4096 -K key mirror/gm0
dd if=/dev/random of=/dev/mirror/gm0.eli bs=1m count=200
209715200 bytes transferred in 7.336633 secs (28584666 bytes/sec)

geli init -P -e aes -l 128 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 6.919852 secs (30306313 bytes/sec)

geli init -P -e blowfish -s 4096 -K key mirror/gm0
209715200 bytes transferred in 9.289385 secs (22575790 bytes/sec)

geli init -P -e camellia -s 4096 -K key mirror/gm0
209715200 bytes transferred in 8.384749 secs (25011506 bytes/sec)

geli init -P -e 3des -s 4096 -K key mirror/gm0
209715200 bytes transferred in 18.362226 secs (11421012 bytes/sec)

***
Varied authentication algorithms:
geli init -P -e aes -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 12.553233 secs (16706071 bytes/sec)

geli init -P -e aes -l 256 -a hmac/sha256 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 12.487267 secs (16794323 bytes/sec)

geli init -P -e aes -l 256 -a hmac/sha1 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 12.101804 secs (17329251 bytes/sec)

geli init -P -e aes -l 256 -a hmac/ripemd160 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 11.301225 secs (18556856 bytes/sec)

geli init -P -e aes -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 10.345111 secs (20271914 bytes/sec)

From owner-freebsd-geom@FreeBSD.ORG Thu Jan 17 15:18:02 2008
id 64BF713C442 for ; Thu, 17 Jan 2008 15:18:02 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: by mail.garage.freebsd.pl (Postfix, from userid 65534) id 14E1245E94; Thu, 17 Jan 2008 15:47:26 +0100 (CET) Received: from localhost (pjd.wheel.pl [10.0.1.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.garage.freebsd.pl (Postfix) with ESMTP id F12BD45E8F; Thu, 17 Jan 2008 15:47:20 +0100 (CET) Date: Thu, 17 Jan 2008 15:47:12 +0100 From: Pawel Jakub Dawidek To: Cyrus Rahman Message-ID: <20080117144712.GH8820@garage.freebsd.pl> References: <9e77bdb50801160832p39619f1fm85bf1454fead3357@mail.gmail.com> <9e77bdb50801170615l3ff6f6bbo97ade8b4471dc7b0@mail.gmail.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Ucgz5Oc/kKURWzXs" Content-Disposition: inline In-Reply-To: <9e77bdb50801170615l3ff6f6bbo97ade8b4471dc7b0@mail.gmail.com> User-Agent: Mutt/1.4.2.3i X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 7.0-CURRENT i386 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.garage.freebsd.pl X-Spam-Level: X-Spam-Status: No, score=-5.9 required=3.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.0.4 Cc: freebsd-geom@freebsd.org Subject: Re: Authentication with geom_eli X-BeenThere: freebsd-geom@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: GEOM-specific discussions and implementations List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jan 2008 15:18:03 -0000 --Ucgz5Oc/kKURWzXs Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jan 17, 2008 at 07:15:26AM -0700, Cyrus Rahman wrote: > Here are some timings related to different encryption and > authentication algorithms. 
> Although the authentication involves extra
> copying and additional data being written to disk, it is clear the
> algorithm is also quite significant.
>
> The system is a quad processor Q6600 running at 2.4GHz with mid-range
> SATA disks.
>
> Given the considerable performance hit and the fact that for most
> applications the only viable and useful authentication attacks I can
> think of would involve replay, which is not detected in the current
> implementation, I think there is a clear benefit to an algorithm like
> a CRC to provide data integrity at a lower cost.
>
> But I also agree that the ideal place for a CRC style check would be
> in a separate geom layer.
>
> Baseline:
> dd if=/dev/random of=/dev/mirror/gm0 bs=1m count=200
> 200+0 records in
> 200+0 records out
> 209715200 bytes transferred in 4.733112 secs (44308101 bytes/sec)
>
> ***
> Varied encryption algorithms:
> geli init -P -e aes -l 256 -s 4096 -K key mirror/gm0
> dd if=/dev/random of=/dev/mirror/gm0.eli bs=1m count=200
> 209715200 bytes transferred in 7.336633 secs (28584666 bytes/sec)
>
> geli init -P -e aes -l 128 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 6.919852 secs (30306313 bytes/sec)
>
> geli init -P -e blowfish -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 9.289385 secs (22575790 bytes/sec)
>
> geli init -P -e camellia -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 8.384749 secs (25011506 bytes/sec)
>
> geli init -P -e 3des -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 18.362226 secs (11421012 bytes/sec)
>
> ***
> Varied authentication algorithms:
> geli init -P -e aes -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.553233 secs (16706071 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/sha256 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.487267 secs (16794323 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/sha1 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.101804 secs (17329251 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/ripemd160 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 11.301225 secs (18556856 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 10.345111 secs (20271914 bytes/sec)

Could you retry with /dev/zero instead of /dev/random and also try 'null'
as encryption algorithm?

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-geom@FreeBSD.ORG Thu Jan 17 15:47:28 2008
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-geom@FreeBSD.org
Date: Thu, 17 Jan 2008 15:47:28 GMT
Message-Id: <200801171547.m0HFlS0H049654@freefall.freebsd.org>
Subject: Re: kern/119743: [geom] geom label for cds is keeped after dismount and eject

Old Synopsis: geom label for cds is keeped after dismount and eject
New Synopsis: [geom] geom label for cds is keeped after dismount and eject

Responsible-Changed-From-To: freebsd-bugs->freebsd-geom
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Jan 17 15:47:11 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=119743

From owner-freebsd-geom@FreeBSD.ORG Thu Jan 17 15:55:21 2008
From: "Cyrus Rahman"
To: freebsd-geom@freebsd.org
Date: Thu, 17 Jan 2008 08:55:20 -0700
Message-ID: <9e77bdb50801170755y4545ca81m2e82a5913097a32a@mail.gmail.com>
In-Reply-To: <9e77bdb50801170736t17c14d39w58b260553ccdc7b9@mail.gmail.com>
Subject: Authentication with geom_eli

As requested, here are additional measurements:

Baseline:
dd if=/dev/zero of=/dev/mirror/gm0 bs=1m count=200
200+0 records in
200+0 records out
209715200 bytes transferred in 2.755105 secs (76118768 bytes/sec)

***
Varied encryption algorithms:
geli init -P -e aes -l 256 -s 4096 -K key mirror/gm0
dd if=/dev/zero of=/dev/mirror/gm0.eli bs=1m count=200
209715200 bytes transferred in 4.223251 secs (49657289 bytes/sec)

geli init -P -e aes -l 128 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 3.833407 secs (54707259 bytes/sec)

geli init -P -e blowfish -s 4096 -K key mirror/gm0
209715200 bytes transferred in 6.088630 secs (34443741 bytes/sec)

geli init -P -e camellia -s 4096 -K key mirror/gm0
209715200 bytes transferred in 5.171555 secs (40551671 bytes/sec)

geli init -P -e 3des -s 4096 -K key mirror/gm0
209715200 bytes transferred in 15.046219 secs (13938066 bytes/sec)

geli init -P -e null -s 4096 -K key mirror/gm0
209715200 bytes transferred in 2.798004 secs (74951718 bytes/sec)

***
Varied authentication algorithms:
geli init -P -e aes -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 9.422139 secs (22257706 bytes/sec)

geli init -P -e null -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 7.228704 secs (29011452 bytes/sec)

geli init -P -e aes -l 256 -a hmac/sha256 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 9.344125 secs (22443535 bytes/sec)

geli init -P -e null -l 256 -a hmac/sha256 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 7.147001 secs (29343106 bytes/sec)

geli init -P -e aes -l 256 -a hmac/sha1 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 8.855081 secs (23683036 bytes/sec)

geli init -P -e null -l 256 -a hmac/sha1 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 6.622714 secs (31666051 bytes/sec)

geli init -P -e aes -l 256 -a hmac/ripemd160 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 8.029377 secs (26118490 bytes/sec)

geli init -P -e null -l 256 -a hmac/ripemd160 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 5.899265 secs (35549377 bytes/sec)

geli init -P -e aes -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 7.094904 secs (29558568 bytes/sec)

geli init -P -e null -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 4.940019 secs (42452307 bytes/sec)
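The two sets of measurements in this thread are easiest to compare once they are parsed rather than read by eye. The following Python script is an added example, not code from the thread, from Cyrus Rahman or from FreeBSD: it parses the dd statistics lines in the form they were posted, reports each geli configuration's throughput relative to the raw provider, and uses the null-cipher runs Pawel asked for to separate the cost of the HMAC step from the cost of the cipher. The sample input is constructed from the /dev/zero numbers in the last message; the function names, the Run record, and the assumption that each `geli init` line is followed by the dd statistics for that configuration (with the first aes run taken as the cipher-only reference) are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the /dev/zero numbers posted above, reduced to the lines
# the parser needs (the "records in/out" lines are ignored if present).
SAMPLE = """\
Baseline:
dd if=/dev/zero of=/dev/mirror/gm0 bs=1m count=200
209715200 bytes transferred in 2.755105 secs (76118768 bytes/sec)
geli init -P -e aes -l 256 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 4.223251 secs (49657289 bytes/sec)
geli init -P -e null -s 4096 -K key mirror/gm0
209715200 bytes transferred in 2.798004 secs (74951718 bytes/sec)
geli init -P -e aes -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 9.422139 secs (22257706 bytes/sec)
geli init -P -e null -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 7.228704 secs (29011452 bytes/sec)
geli init -P -e aes -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 7.094904 secs (29558568 bytes/sec)
geli init -P -e null -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
209715200 bytes transferred in 4.940019 secs (42452307 bytes/sec)
"""
DD_STATS = re.compile(r"^(\d+) bytes transferred in ([\d.]+) secs \((\d+) bytes/sec\)$")

@dataclass(frozen=True)
class Run:
    cipher: str            # "raw" for the unencrypted baseline, else the -e value
    keylen: Optional[int]  # -l value, if given
    auth: Optional[str]    # -a value, if given
    secs: float
    bps: int

    def label(self):
        return "+".join(p for p in (self.cipher, str(self.keylen or ""), self.auth or "") if p)

def parse_geli_init(line):
    """Collect the -e/-l/-a values from a 'geli init ...' command line."""
    toks = line.split()
    return {t: toks[i + 1] for i, t in enumerate(toks[:-1]) if t in ("-e", "-l", "-a")}

def parse_runs(text):
    """Each 'geli init' line sets the configuration for the next dd statistics
    line (assumed pairing, as in the posted transcripts); a statistics line
    seen before any 'geli init' is the raw-provider baseline."""
    runs, opts = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("geli init"):
            opts = parse_geli_init(line)
            continue
        m = DD_STATS.match(line)
        if not m:
            continue
        secs, bps = float(m.group(2)), int(m.group(3))
        if opts is None:
            if runs:
                raise ValueError("dd statistics without a preceding 'geli init': " + line)
            runs.append(Run("raw", None, None, secs, bps))
        else:
            runs.append(Run(opts["-e"], int(opts["-l"]) if "-l" in opts else None,
                            opts.get("-a"), secs, bps))
            opts = None
    return runs

def relative_throughput(runs):
    """Throughput of every configuration as a fraction of the raw baseline."""
    base = next(r for r in runs if r.cipher == "raw")
    return {r.label(): r.bps / base.bps for r in runs}

def _find(runs, cipher, auth):
    return next(r for r in runs if r.cipher == cipher and r.auth == auth)

def auth_overhead_secs(runs):
    """Cost of each HMAC by itself, isolated with the null cipher:
    secs(null + hmac) - secs(null)."""
    null_only = _find(runs, "null", None)
    return {r.auth: r.secs - null_only.secs for r in runs if r.cipher == "null" and r.auth}

def additivity_gap_secs(runs, cipher="aes"):
    """How much slower each cipher+HMAC run is than the separately measured
    cipher cost plus HMAC cost predict (positive = the two steps contend)."""
    null_only, enc_only = _find(runs, "null", None), _find(runs, cipher, None)
    gaps = {}
    for r in runs:
        if r.cipher == cipher and r.auth:
            predicted = enc_only.secs + _find(runs, "null", r.auth).secs - null_only.secs
            gaps[r.auth] = r.secs - predicted
    return gaps

if __name__ == "__main__":
    runs = parse_runs(SAMPLE)
    for label, rel in relative_throughput(runs).items():
        print(f"{label:24s} {rel:6.1%} of raw throughput")
    for auth, gap in additivity_gap_secs(runs).items():
        print(f"aes+{auth:13s} HMAC alone {auth_overhead_secs(runs)[auth]:.2f} s, "
              f"combined run {gap:+.2f} s vs cipher+HMAC sum")
```

On the sample, the null cipher costs almost nothing (about 98% of raw throughput), so the HMAC step, not the cipher, dominates the authenticated runs; the combined aes+HMAC runs are also a further 0.7 s or so slower than the cipher and HMAC costs would sum to. One caveat worth keeping in mind when reading the CRC suggestion in the thread: a keyed HMAC detects both corruption and deliberate modification, whereas an unkeyed checksum only detects corruption, so the cheaper check would change what the layer guarantees, not just what it costs.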