Date:      Fri, 22 Jun 2012 12:18:40 +0200
From:      Fabian Keil <freebsd-listen@fabiankeil.de>
To:        icameto icameto <icameto@gmail.com>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: ZFS Encryption with GELI for only /opt partition
Message-ID:  <20120622121840.14e4f958@fabiankeil.de>
In-Reply-To: <CAMve_NPs2bYEH3u2cm9AMNVO7f3=EmP9fdqdKaHFe3O=QP0UKA@mail.gmail.com>
References:  <CAMve_NNwowTXS0m58AhQvFvDyg4W-pAoEj72zUMAARhfgStUBw@mail.gmail.com> <20120621131443.59eb24f3@fabiankeil.de> <CAMve_NPs2bYEH3u2cm9AMNVO7f3=EmP9fdqdKaHFe3O=QP0UKA@mail.gmail.com>

icameto icameto <icameto@gmail.com> wrote:

> So much thanks Fabian, especially for your quick answer and concern. I
> ran "zpool export opt" and I would like to explain it clearly. There
> will be one disk which will be used for the /opt partition as encrypted.
> Previously in UFS I was able to detach the opt partition by using the GEOM
> BDE module via these steps.
>
> # kldload geom_bde
> # mkdir /etc/gbde
> # gbde init /dev/ad0s1e -i -L /etc/gbde/ad0s1e.lock
> # gbde attach /dev/ad0s1e -l /etc/gbde/ad0s1e.lock
> # newfs -U -O2 /dev/ad0s1e.bde
> # mkdir /encryptedfs
> # mount /dev/ad0s1e.bde /encryptedfs
> # gbde detach /dev/ad0s1e
> # umount /encryptedfs

Is the order of the last two commands correct?

I have no experience with gbde, but I would expect
the detachment to fail if the device is still mounted.
The man page seems to at least recommend that the file
system is unmounted first as well:

| Please notice that detaching an encrypted device
| corresponds to physically removing it, do not forget
| to unmount the file system first.

> Briefly, I want to have unmount and mount capabilities without
> harming the datasets in the ZFS pool while using ZFS with GELI for
> encryption purposes. And you know I'm capable of unmounting the
> disk (da1.bde etc.) from the /opt mount point while I was using GEOM BDE.
> When I unmounted this disk (da1.bde), I could use da1 for the /opt mount
> point without losing any data or datasets.

Maybe I misunderstand the last sentence, but I don't see how
you can mount /opt on da1 directly without corrupting data
previously written on da1.bde.

> Dear Fabian, I have tried exporting the pool from ZFS, and you're right that
> now I can detach from the pool. But when I tried to import the old "opt"
> pool, I'm getting a warning "cannot import 'opt': no such pool available"
> about the import process.
>
> # geli status
>    Name  Status  Components
> da1.eli  ACTIVE  da1

How did you recreate da1.eli after detaching it?
Did you maybe initialize it again instead of simply attaching it?

> You said that ZFS and GELI are not tightly integrated. But is it
> possible to detach and make the da1.eli device inaccessible, or to take
> the ZFS pool offline temporarily until it is attached properly by entering
> the passphrase again, to make it accessible on the mount point /opt (ZFS pool)
> for this case?

That's possible and a lot of people do it daily.

I always put a label between geli and the external device
as it makes scripting the import easier, but it should work
without the label as well.

> Finally, I can create a script which will be working like a charm. I'm
> really curious about creating an encrypted ZFS pool (for opt) with attaching
> and detaching capabilities. I guess that I'm making an error in the steps or
> a logical mistake. Could you please help me to handle this issue or the steps?

Without knowing the exact steps you took, I can't tell where the
problem is. Could you post the complete list of commands you used
to create da1.eli and the ZFS pool, how you exported and detached
da1.eli and how you tried to import it again?

Fabian
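Added example, not part of the thread: a small sh script for the attach/detach cycle the reply describes, with a glabel between the disk and geli as Fabian suggests. Pool name "opt", disk "da1" and label "optdisk" are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Names are assumptions:
# pool "opt" on disk "da1", with a glabel "optdisk" between disk and geli.
# Set DRY_RUN=1 to print the commands instead of executing them.
POOL="${POOL:-opt}"
DISK="${DISK:-da1}"
LABEL="${LABEL:-optdisk}"
PROVIDER="label/${LABEL}"      # geli provider; encrypted device is ${PROVIDER}.eli

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup only: label the disk, initialise GELI on the label (asks for
# a passphrase), attach it and create the pool on the .eli device.
setup_pool() {
    run glabel label "$LABEL" "/dev/$DISK"
    run geli init -s 4096 "/dev/$PROVIDER"
    run geli attach "/dev/$PROVIDER"
    run zpool create -m "/$POOL" "$POOL" "/dev/${PROVIDER}.eli"
}

# Take the pool offline: export first (this unmounts the datasets), then
# detach the encrypted provider. Detaching first would pull the disk away
# from under a live pool.
detach_pool() {
    run zpool export "$POOL"
    run geli detach "/dev/${PROVIDER}.eli"
}

# Bring it back: attach (prompts for the passphrase), then import. Never run
# "geli init" again here; that would overwrite the GELI metadata and the pool
# would no longer be found on the device.
attach_pool() {
    run geli attach "/dev/$PROVIDER"
    run zpool import -d /dev/label "$POOL"
}

case "${1:-}" in
    setup)  setup_pool ;;
    detach) detach_pool ;;
    attach) attach_pool ;;
esac
```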
