From owner-freebsd-questions@freebsd.org Wed Jun 1 19:44:53 2016
From: David Christensen <dpchrist@holgerdanske.com>
To: freebsd-questions@freebsd.org
Subject: Re: Striped mirror raid10
Date: Wed, 1 Jun 2016 12:45:00 -0700
Message-ID: <574F3B3C.4010206@holgerdanske.com>
In-Reply-To: <86lh2okd0b.fsf@WorkBox.Home>
References: <86lh2okd0b.fsf@WorkBox.Home>

On 06/01/2016 10:57 AM, Brandon J. Wandersee wrote:
>
> Bernt Hansson writes:
>
>> Hello list!
>>
>> I have set up a striped mirror;
>>
>> root@testbox:~ # gmirror status
>>            Name    Status  Components
>> mirror/gmirror0  COMPLETE  ada0 (ACTIVE)
>>                            ada1 (ACTIVE)
>> mirror/gmirror1  COMPLETE  ada2 (ACTIVE)
>>                            ada3 (ACTIVE)
>> root@testbox:~ # gstripe status
>>           Name  Status  Components
>> stripe/stripe0      UP  mirror/gmirror0
>>                         mirror/gmirror1
>>
>> /dev/stripe/stripe0    1.8T    4.0K    1.8T     0%    /raid10
>>
>> Now I want to encrypt it, but is that wise? I mean you can remove a
>> disk from the mirror, won't that break the encryption? And the
>> mirror/stripe.
>
> Encrypt the disks/partitions themselves, not the stripe or mirror. You
> can then create mirrors of the resulting *.eli device nodes, then create
> a stripe from the mirrors. You can unlock the disks/partitions at boot
> thus:
>
> 1) First, run `geli configure -b ` on each encrypted
> disk/partition, so you will be prompted for the passphrase for each
> encrypted partition during boot.
> 2) Next, add the line 'geom_eli_passphrase_prompt=YES' to the file
> /boot/loader.conf. This will add a passphrase prompt to the boot menu,
> allowing you to enter the passphrase for the disks one time only,
> before the boot process begins.

I would think that you would want to encrypt one virtual device, rather
than two physical devices, so that the CPU only has to deal with one
encryption layer, not two encryption layers.

With the encryption on top of the mirror: if one physical device fails,
the cyphertext on the other physical drive will still exist and the
virtual device will still provide plaintext. When the failed drive is
replaced, it will be resilvered using the cyphertext from the good
physical drive.

David
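The layering David argues for, one geli provider on top of the stripe of mirrors with Brandon's two boot-time steps applied to that single provider, written out as an added example that is not part of the thread. Device names (ada0-ada3, gmirror0/1, stripe0, /raid10) come from Bernt's output; the 4 KiB sector size, the sysrc-managed loader.conf entries and the dry-run wrapper are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the stack with geli on top of
# the stripe of mirrors rather than under each mirror, so every block is
# encrypted once and the mirrors only ever carry ciphertext.
# Default is a dry run that prints the plan; APPLY=1 executes the commands
# as root on FreeBSD. Destructive: the label steps overwrite ada0-ada3.
set -eu
: "${APPLY:=0}"

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

build_stack() {
    # Layer 1: two gmirrors from the physical disks (Bernt's gmirror0/1).
    run gmirror label -v gmirror0 ada0 ada1
    run gmirror label -v gmirror1 ada2 ada3
    # Layer 2: stripe the two mirrors into the RAID10 virtual device.
    run gstripe label -v stripe0 /dev/mirror/gmirror0 /dev/mirror/gmirror1
    # Layer 3: a single geli provider on the stripe (sector size assumed).
    run geli init -s 4096 /dev/stripe/stripe0
    # Brandon's step 1, applied once: BOOT flag so geli attaches at boot.
    run geli configure -b /dev/stripe/stripe0
    run geli attach /dev/stripe/stripe0
    run newfs -U /dev/stripe/stripe0.eli
    run mkdir -p /raid10
    run mount /dev/stripe/stripe0.eli /raid10
    # Brandon's step 2 plus the GEOM classes the stack needs at boot:
    # mirrors and stripe must be tasted before geli can find its provider.
    for kv in geom_mirror_load=YES geom_stripe_load=YES \
              geom_eli_load=YES geom_eli_passphrase_prompt=YES; do
        run sysrc -f /boot/loader.conf "$kv"
    done
}

# Check on the plan: the only geli init target is the stripe, not a disk.
geli_targets() {
    ( APPLY=0; build_stack ) | awk '$1 == "geli" && $2 == "init" { print $NF }'
}

build_stack
```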