Date: Sun, 18 Apr 2021 08:21:01 +0100
From: Pete French <petefrench@ingresso.co.uk>
To: Alan Somers <asomers@freebsd.org>
Cc: FreeBSD Stable Mailing List <freebsd-stable@freebsd.org>
Subject: Re: geli - is it better to partition then encrypt, or vice versa ?
Message-ID: <766cc473-9989-ca06-7365-ddacc2c28b63@ingresso.co.uk>
In-Reply-To: <CAOtMX2gqr9_0UXzLxrtmsBiodGO2oHKYyuvZysCpSdzD%2BqZpAg@mail.gmail.com>
References: <c2905507-ea7b-a0ba-a167-8835f600f040@ingresso.co.uk> <CAOtMX2gqr9_0UXzLxrtmsBiodGO2oHKYyuvZysCpSdzD%2BqZpAg@mail.gmail.com>
On 17/04/2021 21:06, Alan Somers wrote:

> The answer depends on why you want to partition in the first place.
> What do you intend to store on those disks besides ZFS? If the answer
> is nothing, then don't bother partitioning; just write ZFS over GELI
> over the whole disk.

Well, actually that's exactly why I asked the question, because after having done it I thought "why have I bothered partitioning this?" - after all, I would not have done so if they were not encrypted!

I think I got into the habit of always partitioning discs, back when using them raw was called "dangerously dedicated" - but that was, umm, a while ago shall we say ;-) Since ZFS arrived I haven't used anything else, and when using ZFS I use the whole drive if I can. So yeah, was kind of looking at my own behaviour and doing a double take here...

> (Also, it's worth asking why you want GELI, now that FreeBSD 13 supports
> ZFS native crypto. ZFS native crypto on RAIDZ has substantially better
> write performance than RAIDZ on GELI. However, if you're paranoid, then
> GELI does provide better security; ZFS native crypto is vulnerable to
> some kinds of watermarking attacks.)

Well, am (this week at least) running FreeBSD 12. Plus I haven't native ZFS encryption yet, and there's always a tendency to 'go with what you know well' when setting something up.

I just use striping and mirroring, no raidz, but if it will improve the write performance, and if it requires a password during boot like geli does, then I will look into it when I get everything upgraded to 13. Hadn't even considered that, so thanks for the reminder - need to explore all the new stuff in OpenZFS I guess!

-pete.