From: icameto icameto
To: freebsd-fs@freebsd.org
Date: Fri, 22 Jun 2012 10:51:47 +0300
Subject: Re: ZFS Encryption with GELI for only /opt partition
In-Reply-To: <20120621131443.59eb24f3@fabiankeil.de>

So much thanks Fabian, especially for your quick answer and concern. I ran
"zpool export opt" and I would like to explain it clearly. There will be one
disk which will be used for the /opt partition as encrypted. Previously, in
UFS, I was able to detach the opt partition by using the GEOM BDE module via
these steps:

# kldload geom_bde
# mkdir /etc/gbde
# gbde init /dev/ad0s1e -i -L /etc/gbde/ad0s1e.lock
# gbde attach /dev/ad0s1e -l /etc/gbde/ad0s1e.lock
# newfs -U -O2 /dev/ad0s1e.bde
# mkdir /encryptedfs
# mount /dev/ad0s1e.bde /encryptedfs
# umount /encryptedfs
# gbde detach /dev/ad0s1e

Briefly, I want to be able to unmount and mount without harming the datasets
in the ZFS pool while using ZFS with GELI for encryption purposes. And as you
know, I was able to unmount the disk (da1.bde etc.) from the /opt mount point
while I was using GEOM BDE. When I unmounted this disk (da1.bde), I could use
da1 for the /opt mount point without any data or dataset loss.

Dear Fabian, I have tried exporting the pool from ZFS, and you are right that
now I can detach from the pool. But when I tried to import the old "opt" pool,
I got a warning, "cannot import 'opt': no such pool available", from the
import process.

# geli status
   Name  Status  Components
da1.eli  ACTIVE  da1

You said that ZFS and GELI are not tightly integrated. But is it possible to
detach and make the da1.eli device inaccessible, or to make the ZFS pool
offline temporarily until it is attached properly again by entering the
passphrase, to make it accessible on the mount point /opt (ZFS pool) in this
case?

Finally, I can create a script which will work like a charm. I'm really
curious about creating an encrypted ZFS pool (for opt) with attaching and
detaching capabilities. I guess that I'm making an error in the steps or a
logical mistake. Could you please help me to handle this issue or these steps?

Thanks in advance
Sincerely

2012/6/21 Fabian Keil

> icameto icameto wrote:
>
> > I have some problems with ZFS encryption and GELI. I used ZFS for the /opt
> > partition (da1.eli, which is the encrypted form of the separate da1 disk).
> > And I want to encrypt the /opt partition by using GELI. My disks' states
> > are like below:
> >
> > # kldstat
> > Id Refs Address            Size   Name
> >  1   15 0xffffffff80100000 c9fe20 kernel
> >  2    1 0xffffffff80da0000 1ad0e0 zfs.ko
> >  3    2 0xffffffff80f4e000 3a68   opensolaris.ko
> >  4    1 0xffffffff80f52000 1cdc0  geom_eli.ko
> >  5    2 0xffffffff80f6f000 2b0b8  crypto.ko
> >  6    2 0xffffffff80f9b000 dc40   zlib.ko
> >
> > # cat /etc/rc.conf | grep geli
> > geli_devices="da1"
> > geli_da1_flags="-k /root/da1.key"
> > #geli_detach="NO"
> >
> > # zpool status
> >   pool: opt
> >  state: ONLINE
> >  scrub: none requested
> > config:
> >
> >         NAME        STATE     READ WRITE CKSUM
> >         opt         ONLINE       0     0     0
> >           da1.eli   ONLINE       0     0     0
> >
> > errors: No known data errors
> >
> > # geli status
> >    Name  Status  Components
> > da1.eli  ACTIVE  da1
> >
> > # df -h
> > Filesystem     Size    Used   Avail Capacity  Mounted on
> > /dev/da0s1a    9.7G    280M    8.6G     3%    /
> > devfs          1.0K    1.0K      0B   100%    /dev
> > /dev/da0s1d     15G    734M     14G     5%    /usr
> > opt            7.8G    120K    7.8G     0%    /opt
> >
> > # geli detach da1.eli
> > geli: Cannot destroy device da1.eli (error=16).
> >
> > # zfs unmount -a
> >
> > # df -h
> > Filesystem     Size    Used   Avail Capacity  Mounted on
> > /dev/da0s1a    9.7G    280M    8.6G     3%    /
> > devfs          1.0K    1.0K      0B   100%    /dev
> > /dev/da0s1d     15G    734M     14G     5%    /usr
> >
> > # geli detach da1.eli
> > geli: Cannot destroy device da1.eli (error=16).
>
> This doesn't work because the pool is still imported.
> Try running "zpool export opt" first, it will automatically
> unmount the datasets so you can skip the "zfs unmount -a".
>
> > When I use the "zfs mount -a" command I should be prompted to enter the
> > passphrase, but it is immediately mounted by zfs without prompting for
> > anything.
>
> As the pool hasn't been exported, that's the expected behaviour.
> Also note that ZFS and geli are not tightly integrated so
> "zfs mount -a" will never setup the geli provider for you.
>
> > # zfs mount -a
> >
> > # df -h
> > Filesystem     Size    Used   Avail Capacity  Mounted on
> > /dev/da0s1a    9.7G    280M    8.6G     3%    /
> > devfs          1.0K    1.0K      0B   100%    /dev
> > /dev/da0s1d     15G    734M     14G     5%    /usr
> > opt            7.8G    120K    7.8G     0%    /opt
> >
> > But I want to be able to detach the encrypted device and remove it from
> > the zpool so that it cannot be accessed by anyone. But I got an error when
> > I tried to detach the device (opt partition). And I can still access the
> > disk on the ZFS pool. Isn't it strange, buddies?
> >
> > Briefly, is there any solution to detach and unmount the encrypted disk
> > for only the /opt partition (which is in the ZFS pool)? Could you please
> > give me advice on this process?
>
> I'm not aware of a mechanism in FreeBSD's base system that does
> this automatically, but doing it manually (or with a script) should
> work.
>
> Fabian
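The attach/detach script the thread talks about, as an added example; it is not part of the thread and not code from either poster. The defaults come from what was posted (pool "opt", provider da1, key file /root/da1.key from the quoted rc.conf); the function names, the DRY_RUN switch and the "geli status" parser are my own additions so the command sequence can be checked on a machine without zfs or geli. One point the thread does not spell out: the ZFS labels live inside the encrypted data, so "zpool import" can only find the pool after "geli attach" has recreated da1.eli. Running "zpool import opt" while the provider is detached gives the same "no such pool available" message quoted above, which is why the attach path below always runs geli first and the detach path always exports first (an imported pool holds the provider open, hence error=16, EBUSY).

```shell
#!/bin/sh
# encpool.sh: lock/unlock a ZFS pool that sits on a GELI provider.
# Added example for the freebsd-fs thread; not code from the thread.
# Assumptions (mine): pool "opt" on /dev/da1.eli, key file /root/da1.key
# (from the quoted rc.conf). DRY_RUN=1 prints the commands instead of
# running them, so the sequence can be tested where zfs/geli are absent.

POOL="${POOL:-opt}"
DEV="${DEV:-da1}"
KEYFILE="${KEYFILE:-/root/da1.key}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Read "geli status" output on stdin; succeed only if $DEV.eli is ACTIVE.
# Column 1 is the provider name, column 2 its status.
geli_is_attached() {
    awk -v name="$DEV.eli" \
        '$1 == name && $2 == "ACTIVE" { found = 1 } END { exit !found }'
}

# Lock: export the pool first. That unmounts its datasets and releases the
# vdev, so the provider is no longer busy (error=16) and geli can detach it.
# Afterwards only the ciphertext device /dev/$DEV remains.
encpool_detach() {
    run zpool export "$POOL" || return 1
    run geli detach "$DEV.eli" || return 1
}

# Unlock: geli attach prompts for the passphrase (plus key file) and
# recreates /dev/$DEV.eli. Only then can zpool import find the pool, because
# the ZFS labels are inside the encrypted data.
encpool_attach() {
    run geli attach -k "$KEYFILE" "/dev/$DEV" || return 1
    run zpool import "$POOL" || return 1
}

# Command-line use: ./encpool.sh attach | detach | status
if [ $# -gt 0 ]; then
    case "$1" in
        attach) encpool_attach ;;
        detach) encpool_detach ;;
        status)
            if geli status | geli_is_attached; then
                echo "$DEV.eli is attached"
            else
                echo "$DEV.eli is detached"
            fi
            ;;
        *) echo "usage: $0 attach|detach|status" >&2; exit 64 ;;
    esac
fi
```

With DRY_RUN unset the script runs the real commands as root; "detach" refuses to proceed if "zpool export" fails (for instance because a process still has a file open under /opt), so the provider is never torn down underneath an imported pool.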