Date:      Wed, 23 Sep 2009 10:33:13 +0200
From:      "Evgeny Solovyov" <a.n.s.i@gmx.net>
To:        Pete French <petefrench@ticketswitch.com>, freebsd-geom@freebsd.org
Subject:   Re: geom_eli, N disks, zfs
Message-ID:  <20090923083313.55390@gmx.net>
In-Reply-To: <E1Mq2jy-000Gq4-DV@dilbert.ticketswitch.com>
References:  <E1Mq2jy-000Gq4-DV@dilbert.ticketswitch.com>

> > Is there any better way to configure a system to encrypt N disks with
> > a passphrase for use under zfs than writing the following in loader.conf:
> 
> I use a very short separate partition as the keyfile, decrypt that
> once and then use it to decrypt the others. My rc.conf looks like
> this:
> 
> 	geli_autodetach="NO"
> 	geli_devices="ad4s1e ad6 ad8"
> 	geli_ad6_flags="-p -k /dev/ad4s1e.eli"
> 	geli_ad8_flags="-p -k /dev/ad4s1e.eli"
> 
> which is a bit shorter than yours :-) ad4s1 is 5 sectors (i.e. 2560
> bytes) hence ad4s1.eli is 2048 bytes. I initialised it with random
> data before encrypting the other discs and I keep a backup of
> the 4 sectors elsewhere just in case...
> 

Yes, that would be one solution. But in your setup we must mount the root FS first to read rc.conf, and only then can we attach the disks to initialize the ZFS volume. Or?


But what about a zfs-only system with one zpool using all N disks?
I think it would be better if geom_eli remembered the first-typed passphrase and tried it for all disks at least once. In 99% of cases we use the same passphrase for all disks. Don't we? Then we wouldn't have to worry about a small 5-sector 'magic' partition.

For my installation I use a boot CD. It has only a boot dir with the keys and a loader.conf like this:

geom_eli_load="YES"
geli_da0p1_keyfile0_load="YES"
geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"
geli_da0p1_keyfile0_name="/boot/keys/da0.key"
geli_da1p1_keyfile0_load="YES"
geli_da1p1_keyfile0_type="da1p1:geli_keyfile0"
geli_da1p1_keyfile0_name="/boot/keys/da1.key"
....
geli_da9p1_keyfile0_load="YES"
geli_da9p1_keyfile0_type="da9p1:geli_keyfile0"
geli_da9p1_keyfile0_name="/boot/keys/da9.key"

zfs_load="YES"
vfs.root.mountfrom="zfs:tank"

Yes, it is not comfortable, maybe even stupid, to type the passphrase 10 times :)
But with good uptime it's bearable. The advantage of that installation is that I only have to take care of making a copy of the boot CD :)

Sorry for my terrible English. 

Thanks. 
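The two layouts discussed in this thread, as an added shell example that is not code from either poster: a generator for the per-disk keyfile entries of the boot-CD loader.conf, a generator for the rc.conf fragment where one small passphrase-protected provider is the keyfile for the other disks, and a check that the keyfile provider is listed before every disk that depends on it. It assumes that rc.d/geli attaches the providers in geli_devices in the listed order; all device names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed device names throughout.
# Assumption: rc.d/geli attaches the providers in geli_devices in listed
# order, so a keyfile provider must precede every disk that uses it.

# gen_loader_conf PREFIX FIRST LAST POOL
# Per-disk keyfile entries for the boot-CD layout (one keyfile per disk).
gen_loader_conf() {
    pfx=$1; i=$2; last=$3; pool=$4
    printf 'geom_eli_load="YES"\n'
    while [ "$i" -le "$last" ]; do
        printf 'geli_%sp1_keyfile0_load="YES"\n' "$pfx$i"
        printf 'geli_%sp1_keyfile0_type="%sp1:geli_keyfile0"\n' "$pfx$i" "$pfx$i"
        printf 'geli_%sp1_keyfile0_name="/boot/keys/%s.key"\n' "$pfx$i" "$pfx$i"
        i=$((i + 1))
    done
    printf 'zfs_load="YES"\nvfs.root.mountfrom="zfs:%s"\n' "$pool"
}

# gen_rc_conf KEYPROV DISK...
# rc.conf fragment for the layout where a small passphrase-protected
# provider (attached first) is the keyfile for the remaining disks.
gen_rc_conf() {
    keyprov=$1; shift
    printf 'geli_autodetach="NO"\n'
    printf 'geli_devices="%s %s"\n' "$keyprov" "$*"
    for d in "$@"; do
        printf 'geli_%s_flags="-p -k /dev/%s.eli"\n' "$d" "$keyprov"
    done
}

# check_order < rc.conf-fragment
# Exit 0 only if every "-k /dev/X.eli" key provider X is listed in
# geli_devices before the disk whose flags reference it.
check_order() {
    awk '
    /^geli_devices=/ {
        line = $0; sub(/^geli_devices="/, "", line); sub(/"$/, "", line)
        n = split(line, devs, " ")
        for (i = 1; i <= n; i++) pos[devs[i]] = i
    }
    /^geli_.*_flags=/ && /-k \/dev\// {
        user = $0; sub(/^geli_/, "", user); sub(/_flags=.*/, "", user)
        key = $0; sub(/.*-k \/dev\//, "", key); sub(/\.eli.*/, "", key)
        if (!(key in pos) || !(user in pos) || pos[key] >= pos[user]) bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

gen_rc_conf ad4s1e ad6 ad8 | check_order && echo "rc.conf ordering OK"
```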