From: "Evgeny Solovyov" <a.n.s.i@gmx.net>
Date: Wed, 23 Sep 2009 10:33:13 +0200
To: Pete French, freebsd-geom@freebsd.org
Subject: Re: geom_eli, N disks, zfs
Message-ID: <20090923083313.55390@gmx.net>
List-Id: GEOM-specific discussions and implementations

> > Is there any better way to configure a system to encrypt N-disk with
> > passphrase for using under zfs as write in loader.conf following:
>
> I use a very short separate partition as the keyfile, decrypt that
> once and then use it to decrypt the others. My rc.conf looks like
> this:
>
> geli_autodetach="NO"
> geli_devices="ad4s1e ad6 ad8"
> geli_ad6_flags="-p -k /dev/ad4s1e.eli"
> geli_ad8_flags="-p -k /dev/ad4s1e.eli"
>
> which is a bit shorter than yours :-) ad4s1 is 5 sectors (i.e. 2560
> bytes) hence ad4s1.eli is 2048 bytes. I initialised it with random
> data before encrypting the other discs and I keep a backup of
> the 4 sectors elsewhere just in case...

Yes, that is one solution. But in your setup we must mount the root fs
first to read rc.conf, and only then can we attach the disks to
initialize the ZFS volume. Or?

But what about a zfs-only system with one zpool using all N disks? I
think it would be better if geom_eli remembered the first-typed
passphrase and tried it for all disks at least once. In 99% of cases we
use the same passphrase for all disks. Don't we? Then we wouldn't have
to worry about the small 5-sector 'magic' partition.

For my installation I use a boot CD. It has only a boot dir with the
keys and a loader.conf like this:

geom_eli_load="YES"
geli_da0p1_keyfile0_load="YES"
geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"
geli_da0p1_keyfile0_name="/boot/keys/da0.key"
geli_da1p1_keyfile0_load="YES"
geli_da1p1_keyfile0_type="da1p1:geli_keyfile0"
geli_da1p1_keyfile0_name="/boot/keys/da1.key"
....
geli_da9p1_keyfile0_load="YES"
geli_da9p1_keyfile0_type="da9p1:geli_keyfile0"
geli_da9p1_keyfile0_name="/boot/keys/da9.key"
zfs_load="YES"
vfs.root.mountfrom="zfs:tank"

Yes, it is not comfortable, and maybe stupid, to type the passphrase 10
times :) But with good uptime it's bearable. The advantage of that
installation is that I only have to take care of making a copy of the
boot CD :)

Sorry for my terrible English. Thanks.
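The per-disk loader.conf stanzas above follow one fixed pattern, so the block below (an added example, not code from this thread or from FreeBSD) generates them for N disks and checks, before the boot CD is built, that every keyfile they reference is actually present in the staging directory. It assumes the layout from the post: GPT partition p1 on each disk, keys under /boot/keys, pool name "tank".

```shell
#!/bin/sh
# Added example: emit the geli keyfile stanzas for da0 .. da(N-1) and verify
# the referenced keyfiles. Assumptions (from the post): partition p1 on each
# disk, keyfiles named daN.key under /boot/keys, root pool "tank".

# gen_geli_loader_conf NDISKS [KEYDIR] [POOL] -> prints loader.conf text
gen_geli_loader_conf() {
    ndisks="$1"
    keydir="${2:-/boot/keys}"
    pool="${3:-tank}"
    printf 'geom_eli_load="YES"\n'
    i=0
    while [ "$i" -lt "$ndisks" ]; do
        dev="da${i}p1"
        printf 'geli_%s_keyfile0_load="YES"\n' "$dev"
        printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$dev" "$dev"
        printf 'geli_%s_keyfile0_name="%s/da%s.key"\n' "$dev" "$keydir" "$i"
        i=$((i + 1))
    done
    printf 'zfs_load="YES"\n'
    printf 'vfs.root.mountfrom="zfs:%s"\n' "$pool"
}

# check_keyfiles CONF [ROOT] -> 0 if every keyfile named in CONF exists and
# is non-empty below ROOT (e.g. the CD staging tree); reports the missing ones.
# A stanza pointing at a key that never made it onto the CD means that disk
# cannot be attached at boot, so catch it here rather than at the loader prompt.
check_keyfiles() {
    conf="$1"
    root="${2:-}"
    rc=0
    for f in $(sed -n 's/^geli_[a-z0-9]*_keyfile0_name="\([^"]*\)"$/\1/p' "$conf"); do
        if [ ! -s "$root$f" ]; then
            echo "missing or empty keyfile: $root$f" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Typical use: `gen_geli_loader_conf 10 > staging/boot/loader.conf && check_keyfiles staging/boot/loader.conf staging` before mastering the CD image.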