From owner-freebsd-geom@freebsd.org Mon Nov 19 02:27:25 2018 Return-Path: Delivered-To: freebsd-geom@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 609B01130722 for ; Mon, 19 Nov 2018 02:27:25 +0000 (UTC) (envelope-from coco@executive-computing.de) Received: from mail.moehre.org (mail.moehre.org [195.96.35.7]) by mx1.freebsd.org (Postfix) with ESMTP id 6D7D67C699 for ; Mon, 19 Nov 2018 02:27:24 +0000 (UTC) (envelope-from coco@executive-computing.de) Received: from mail.moehre.org (unknown [195.96.35.7]) by mail.moehre.org (Postfix) with ESMTP id 1465B346E1; Sun, 18 Nov 2018 17:06:07 +0100 (CET) X-Spam-Flag: NO X-Spam-Score: -100.825 X-Spam-Level: X-Spam-Status: No, score=-100.825 tagged_above=-999 required=5 tests=[ALL_TRUSTED=-1, AWL=0.098, TW_ZF=0.077, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mail.moehre.org ([195.96.35.7]) by mail.moehre.org (mail.moehre.org [195.96.35.7]) (amavisd-new, port 10024) with ESMTP id YKSu5x9E1z6x; Sun, 18 Nov 2018 17:06:06 +0100 (CET) Received: from bsdbuch.c0c0.intra (p54BEC3C8.dip0.t-ipconnect.de [84.190.195.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: coco@executive-computing.de) by mail.moehre.org (Postfix) with ESMTPSA id 6D8C5346D8; Sun, 18 Nov 2018 17:06:06 +0100 (CET) Date: Sun, 18 Nov 2018 17:06:15 +0100 From: Marco Steinbach To: "Kevin P. Neal" Cc: freebsd-geom@freebsd.org Subject: Re: eli encrypted providers for zfs raidz1 Message-ID: <20181118170615.6ccc920d@bsdbuch.c0c0.intra> In-Reply-To: <20181118060011.GA94938@neutralgood.org> References: <20181116231809.40a8f74c@bsdbuch.c0c0.intra> <20181117230809.428ed59a@bsdbuch.c0c0.intra> <20181118060011.GA94938@neutralgood.org> X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; amd64-portbld-freebsd11.2) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 6D7D67C699 X-Spamd-Result: default: False [-0.54 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-0.79)[-0.785,0]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; NEURAL_SPAM_SHORT(0.46)[0.457,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[executive-computing.de]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[mail.moehre.org]; RCPT_COUNT_TWO(0.00)[2]; RCVD_NO_TLS_LAST(0.10)[]; RECEIVED_SPAMHAUS_PBL(0.00)[200.195.190.84.zen.spamhaus.org : 127.0.0.10]; R_DKIM_NA(0.00)[]; IP_SCORE(-0.00)[country: DE(-0.01)]; ASN(0.00)[asn:8354, ipnet:195.96.32.0/19, country:DE]; FROM_EQ_ENVFROM(0.00)[] X-Rspamd-Server: mx1.freebsd.org X-BeenThere: freebsd-geom@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: GEOM-specific discussions and implementations List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Nov 2018 02:27:25 -0000 On Sun, 18 Nov 2018 01:00:11 -0500 "Kevin P. Neal" wrote: > On Sat, Nov 17, 2018 at 11:08:09PM +0100, Marco Steinbach wrote: > > I think I'll start by looking at how encrpyted swap is mounted -- > > since, oddly, I have 11.2 occassionally ask me again for the eli > > swap providers passphrase during boot from a encrypted zroot. The > > system was installed using the encrypted swap and zroot option of > > the installer. > > I thought encrypted swap was considered not a good idea. Am I wrong > that it can, in some circumstances, result in deadlocks in low RAM > situations? > Putting swap on an encrypted ZVOL might end the system up in a deadlock according to https://wiki.freebsd.org/ZFSQuickStartGuide -- I am running my swap of off a separate swap partition. For reference, I also wanted crashdumps to work with my encrypted swap partition, and was pleasantly surprised by that all I needed to do was add 'late' to the eli swap fstab entries options, and then point dumpdev to the underlying partition. I panicked the system using debug.kdb.panic, and after rebooting, my crashdump sat in /var/crash. Since this leaks a lot of unencrypted information to the swap partition, I'll only enable this, if I really need it. MfG CoCo