Date:      Wed, 7 Mar 2012 17:48:50 +0100
From:      Fabian Keil <freebsd-listen@fabiankeil.de>
To:        "xenophon\\+freebsd" <xenophon+freebsd@irtnog.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: FreeBSD root on a geli-encrypted ZFS pool
Message-ID:  <20120307174850.746a6b0a@fabiankeil.de>
In-Reply-To: <BABF8C57A778F04791343E5601659908236BD9@cinip100ntsbs.irtnog.net>
References:  <BABF8C57A778F04791343E5601659908236BD9@cinip100ntsbs.irtnog.net>


"xenophon\\+freebsd" <xenophon+freebsd@irtnog.org> wrote:

> I have posted revised instructions for installing FreeBSD to an
> encrypted ZFS pool on my blog:
>
> https://web.irtnog.org/~xenophon/blog/revised-freebsd-root-zfs-geli
>
> The entire procedure is documented in a way suitable for scripting.  I
> would be very interested in the community's feedback.

It's not clear to me why you enable geli integrity verification.

Given that it is single-sector-based it seems inferior to ZFS's
integrity checks in every way and could actually prevent ZFS from
properly detecting (and depending on the pool layout correcting)
checksum errors itself.

I'm also wondering if you actually benchmarked the difference
between HMAC/MD5 and HMAC/SHA256. Unless the difference can
be easily measured, I'd probably stick with the recommendation.

I would also be interested in benchmarks that show that geli(8)'s
recommendation to increase geli's block size to 4096 bytes makes
sense for ZFS. Is anyone aware of any?

Fabian




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120307174850.746a6b0a>