FreeBSD Mail Archives

Date:      Sat, 10 Mar 2012 11:03:34 -0500
From:      "Matthew X. Economou" <xenophon@irtnog.org>
To:        <freebsd-stable@freebsd.org>
Subject:   RE: FreeBSD root on a geli-encrypted ZFS pool
Message-ID:  <BABF8C57A778F04791343E5601659908236BDC@cinip100ntsbs.irtnog.net>
In-Reply-To: <20120309152253.17a108c2@fabiankeil.de>
References:  <BABF8C57A778F04791343E5601659908236BD9@cinip100ntsbs.irtnog.net><20120307174850.746a6b0a@fabiankeil.de><BABF8C57A778F04791343E5601659908236BDA@cinip100ntsbs.irtnog.net> <20120309152253.17a108c2@fabiankeil.de>


[-- Attachment #1 --]
Fabian Keil writes:

> In my opinion protecting ZFS's default checksums (which cover
> non-metadata as well) with GEOM_ELI is sufficient. I don't see
> what advantage additionally enabling GEOM_ELI's integrity
> verification offers.

I follow you now.  You may be right about the extra integrity checking
being redundant with ZFS. 

> Anyway, it's a test without file system so the ZFS overhead isn't
> measured. I wasn't entirely clear about it, but my assumption was
> that the ZFS overhead might be big enough to make the difference
> between HMAC/MD5 and HMAC/SHA256 a lot less significant.

Got it.  That also makes sense.  I'll put this on my to-test list. 

> I'm currently using sector sizes between 512 and 8192 so I'm not
> actually expecting technical problems, it's just not clear to me
> how much the sector size matters and if 4096 is actually the best
> value when using ZFS.

The geli(8) manual page claims that larger sector sizes lower the
overhead of GEOM_ELI keying initialization and encryption/decryption
steps by requiring fewer of these compute-intensive setup operations
per block.  You can think of it in terms of networking, where it makes
sense to re-use a TCP connection for multiple HTTP requests, because
for small HTTP requests, the bandwidth and latency caused by the TCP
three-way handshake overshadows the actual data transfer.

-- 
I FIGHT FOR THE USERS


[-- Attachment #2 --]
0�	*�H��
��0�10
	`�He0�	*�H��
��0��0���
'�J�0
	*�H��
0F10
	�&���,dnet10
	�&���,dirtnog10Uirtnog-root-ca0
120121220200Z
120918223956Z0��10
	�&���,dnet10
	�&���,dirtnog10U
MyBusiness10UUsers10USBSUsers10UMatthew X. Economou1"0 	*�H��
	xenophon@irtnog.org0��0
	*�H��
��0��������yw�x��xv-��4物.�4���aO@2�5N���i�C{�
�&� ���j��ѩm�'����w♛�
%��jm}	dxG�"�W��d���R	Ԕ
&�%'��N��
��?
���Z��4����0��0	+�7
User0)U%"0 
+�7
++0U�0D	*�H��
	7050*�H��
�0*�H��
�0+0
*�H��
0CU<0:�#
+�7�xenophon@irtnog.net�xenophon@irtnog.org0U�)�}�.�o]g�^��-�0U#0�����m9�{D�&P��7�0�?U�60�20�.��*��&���ldap:///CN=irtnog-root-ca,CN=cinip100ntsbs,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=irtnog,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint�=http://cinip100ntsbs.irtnog.net/CertEnroll/irtnog-root-ca.crl�(http://web.irtnog.org/irtnog-root-ca.crl0�[+�M0�I0��+0���ldap:///CN=irtnog-root-ca,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=irtnog,DC=net?cACertificate?base?objectClass=certificationAuthority0b+0�Vhttp://cinip100ntsbs.irtnog.net/CertEnroll/cinip100ntsbs.irtnog.net_irtnog-root-ca.crt04+0�(http://web.irtnog.org/irtnog-root-ca.crt0
	*�H��
�Gh����ư�n<� �E5���R�e9�!{*VFm��0f?����������_��;R�g�*:Y؞�'��֑�T��\�Jh�	#Œu.FX���d��n�S.[!��x^Y1�e��y`�M�S1h��-�13�F����*�-);ȖA��s�D8��K�2�ZǮ)����w*�S�׏M~��c	��gAX�9�ᕉ����x2D��k�b큋�`:��hW�R�E�0
eX����`T���b*��a |���]G�2[�����5�J���+ਁ�C�1
���Fk�B�6_ʝ�(J/��wY�l�}C��7���a�o��Y헀�G���	tJ����nP�/qg���R|Ŧ�k��]TI�yu�͸��.�P�)�[Z�W���Z������Ju����@�5t����\��:��\k`�U���!�I��y�����/H�|�v�Q��\��s����,�;m�epm�3�
 7p^�l|e͠2tM���@4�Gm0�T0�<�	Du�@���CQ(Ĥ��E0
	*�H��
0F10
	�&���,dnet10
	�&���,dirtnog10Uirtnog-root-ca0
070918223246Z
120918223956Z0F10
	�&���,dnet10
	�&���,dirtnog10Uirtnog-root-ca0�"0
	*�H��
�0�
������:~�.�*��S ӯ�r���햝	�ًj�oף���Z ��>�>@��"L���&��!��,���,���UAo��8�-Eh�����`�+2��g�[��G##��?�T�-��r����ǈek��(��1&@#�����8sS��
3���bK��&�\�U�^*�A��:�sWk���2U�[��B̸{)�/F�D�`pdu���oUL���Z�}� 3��[����
]�WD	��|�k�QKB:�r"�j=�_;u�VTN�3^\6K��r���b��J� ��mjcc��>��~ȩ��2N�{��ut�81u��<#9"�J��S�Oc�{i��u�`9�f�Rυ���x��	��s�}��t������n'y+ns*�o_��%��/��m����f߲@�����F�8f���{{��bc�{�[��>�5�'Ԥ��Y�0�Ϫ���<��Ӱl��8(��_jT��no����n=���Λ�6�|��z6����<0�80U�0U�0�0U����m9�{D�&P��7�0�?U�60�20�.��*��&�(http://web.irtnog.org/irtnog-root-ca.crl�=http://cinip100ntsbs.irtnog.net/CertEnroll/irtnog-root-ca.crl���ldap:///CN=irtnog-root-ca,CN=cinip100ntsbs,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=irtnog,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint0	+�70EU >0<0:	+�d0-0++http://web.irtnog.org/legal/cps0�[+�M0�I04+0�(http://web.irtnog.org/irtnog-root-ca.crt0b+0�Vhttp://cinip100ntsbs.irtnog.net/CertEnroll/cinip100ntsbs.irtnog.net_irtnog-root-ca.crt0��+0���ldap:///CN=irtnog-root-ca,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=irtnog,DC=net?cACertificate?base?objectClass=certificationAuthority0
	*�H��
�.{�L��7$���=(���5��82��EC|d��W���U��
=�'�U�M���ѝ@	a��	�w��6�b���T4�����.���-�q8��g��][BE�إ��~�wO6064���O��t%fk����[
[vQ9X:c7�*e���!]5������{Y!Ę�z������L�{R(ɭ���<JɅ��\��4��WH��s
�?{�F/g�tj�Xe�ð6)>��C?���Q,��Y�.et!�D.ߩ���fݢ��b�9���1 �7�3h�(o��2F'��[����x i�鄪�:�~�5V��������SQA��׮L����J�4ف�&/o)���������B�D���7�
\����1���r�^�k����s/h�6��SN<��t��
�A؎F��ᷥ�}������:�����縀y���
���0㸳��;Hm�[]�����p�FGDC�}r��K=�R"ƟYӋ����'��v8�UAW4X$9:cK�m�1�0�
0T0F10
	�&���,dnet10
	�&���,dirtnog10Uirtnog-root-ca
'�J�0
	`�He��0	*�H��
	1	*�H��
0	*�H��
	1
120310160334Z0O	*�H��
	1B@���^�i�ԃ�]��A�wz�lݼ��ΆD3�ta5d9{0̷n�!ڷ�$$�ɍO�q(��0c	+�71V0T0F10
	�&���,dnet10
	�&���,dirtnog10Uirtnog-root-ca
'�J�0e*�H��
	1V�T0F10
	�&���,dnet10
	�&���,dirtnog10Uirtnog-root-ca
'�J�0��	*�H��
	1��0��0	`�He*0	`�He0
*�H��
0	`�He0*�H��
�0+0
*�H��
@0
*�H��
(0	`�He0	`�He0	`�He0+0
*�H��
0
	*�H��
��w��o��n	fo����QbV���:N�4�ޙ7�5Ę;�������˸=�)�퉣�S�Q�"���3�?��s+��0Hr�����^C��ԯ����ě�dH�&n?����8��L���h���b��z

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BABF8C57A778F04791343E5601659908236BDC>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation