Date: Sat, 17 Apr 2021 14:06:15 -0600
From: Alan Somers <asomers@freebsd.org>
To: Pete French <petefrench@ingresso.co.uk>
Cc: FreeBSD Stable Mailing List <freebsd-stable@freebsd.org>
Subject: Re: geli - is it better to partition then encrypt, or vice versa ?
Message-ID: <CAOtMX2gqr9_0UXzLxrtmsBiodGO2oHKYyuvZysCpSdzD%2BqZpAg@mail.gmail.com>
In-Reply-To: <c2905507-ea7b-a0ba-a167-8835f600f040@ingresso.co.uk>
References: <c2905507-ea7b-a0ba-a167-8835f600f040@ingresso.co.uk>

On Sat, Apr 17, 2021 at 1:53 PM Pete French <petefrench@ingresso.co.uk> wrote:

> So, am building a zpool on some encrypted discs - and what I have done
> is to partition the disc with GPT add a single big partition, and
> encrypt that. So the pool is on nda1p1.eli.
>
> But I could, of course, encrypt the disc first, and then partition the
> encrypted disc, or indeed just put the zpool directly onto it.
>
> Just wondering what the general consensus is as to the best way to go
> here ... if there is one! :-) What do other people do ?
>
> -pete.
>

The answer depends on why you want to partition in the first place. What do
you intend to store on those disks besides ZFS? If the answer is nothing,
then don't bother partitioning; just write ZFS over GELI over the whole disk.

(Also, it's worth asking why you want GELI, now that FreeBSD 13 supports ZFS
native crypto. ZFS native crypto on RAIDZ has substantially better write
performance than RAIDZ on GELI. However, if you're paranoid, then GELI does
provide better security; ZFS native crypto is vulnerable to some kinds of
watermarking attacks.)