Date:      Wed, 1 Jun 2016 12:45:00 -0700
From:      David Christensen <dpchrist@holgerdanske.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Striped mirror raid10
Message-ID:  <574F3B3C.4010206@holgerdanske.com>
In-Reply-To: <86lh2okd0b.fsf@WorkBox.Home>
References:  <d1d66292-c6be-a26c-4d0b-809fa96e1792@bananmonarki.se> <86lh2okd0b.fsf@WorkBox.Home>

On 06/01/2016 10:57 AM, Brandon J. Wandersee wrote:
>
> Bernt Hansson writes:
>
>> Hello list!
>>
>> I have set up a striped mirror;
>>
>> root@testbox:~ # gmirror status
>>              Name    Status  Components
>> mirror/gmirror0  COMPLETE  ada0 (ACTIVE)
>>                              ada1 (ACTIVE)
>> mirror/gmirror1  COMPLETE  ada2 (ACTIVE)
>>                              ada3 (ACTIVE)
>> root@testbox:~ # gstripe status
>>             Name  Status  Components
>> stripe/stripe0      UP  mirror/gmirror0
>>                           mirror/gmirror1
>>
>> /dev/stripe/stripe0           1.8T    4.0K    1.8T     0% /raid10
>>
>> Now I want to encrypt it, but is that wise? I mean you can remove a
>> disk from the mirror, won't that break the encryption? And the
>> mirror/stripe.
>
> Encrypt the disks/partitions themselves, not the stripe or mirror. You
> can then create mirrors of the resulting *.eli device nodes, then create
> a stripe from the mirrors. You can unlock the disks/partitions at boot
> thus:
>
> 1) First, run `geli configure -b <disk/partition>` on each encrypted
>     disk/partition, so you will be prompted for the passphrase for each
>     encrypted partition during boot.
> 2) Next, add the line 'geom_eli_passphrase_prompt=YES' to the file
>     /boot/loader.conf. This will add a passphrase prompt to the boot menu,
>     allowing you to enter the passphrase for the disks one time only,
>     before the boot process begins.

I would think that you would want to encrypt one virtual device, rather 
than two physical devices, so that the CPU only has to deal with one 
encryption layer, not two encryption layers.


With the encryption on top of the mirror: if one physical device fails, 
the cyphertext on the other physical drive will still exist and the 
virtual device will still provide plaintext.  When the failed drive is 
replaced, it will be resilvered using the cyphertext from the good 
physical drive.


David
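
The two layerings discussed in this thread, written out as an added example (not part of either poster's message): a dry-run planner that prints the command sequence for GELI below the mirrors and for GELI on top of the stripe, using the device and label names shown above. The `APPLY` switch and the function names are this example's own; `geli init` does not preserve data already on the provider, so either layout means recreating the filesystem.

```sh
#!/bin/sh
# Added example. Commands are printed only, unless APPLY=1 is set
# (APPLY is this script's own switch, not a FreeBSD setting).

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Layout A (the quoted advice): GELI under the mirrors, one provider per disk.
plan_geli_below() {
    for d in ada0 ada1 ada2 ada3; do
        run geli init -b "/dev/$d"     # -b: ask for the passphrase at boot
        run geli attach "/dev/$d"      # creates /dev/$d.eli
    done
    run gmirror label gmirror0 ada0.eli ada1.eli
    run gmirror label gmirror1 ada2.eli ada3.eli
    run gstripe label stripe0 mirror/gmirror0 mirror/gmirror1
    run newfs -U /dev/stripe/stripe0   # filesystem sits above the encryption
}

# Layout B (David's reply): GELI on top of the stripe, one provider in total.
plan_geli_above() {
    run gmirror label gmirror0 ada0 ada1
    run gmirror label gmirror1 ada2 ada3
    run gstripe label stripe0 mirror/gmirror0 mirror/gmirror1
    run geli init -b /dev/stripe/stripe0
    run geli attach /dev/stripe/stripe0        # creates stripe/stripe0.eli
    run newfs -U /dev/stripe/stripe0.eli       # never newfs the raw stripe here
}

# Number of GELI providers a plan creates, i.e. providers to unlock at boot.
count_geli_providers() {
    ( APPLY=0; "$1" ) | grep -c '^geli init'
}

# /boot/loader.conf lines for either layout; the last one is from the thread.
loader_conf_lines() {
    echo 'geom_eli_load="YES"'
    echo 'geom_mirror_load="YES"'
    echo 'geom_stripe_load="YES"'
    echo 'geom_eli_passphrase_prompt="YES"'
}

case "${1:-}" in
    below) plan_geli_below ;;
    above) plan_geli_above ;;
    loader) loader_conf_lines ;;
esac
```

Run it with `below`, `above` or `loader` to print the corresponding plan; Layout A yields four GELI providers and Layout B yields one.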




