From: icameto icameto
To: freebsd-fs@freebsd.org
Date: Thu, 21 Jun 2012 12:07:21 +0300
Subject: ZFS Encryption with GELI for only /opt partition
List-Id: Filesystems

Hi everyone,

I have some problems with ZFS encryption and GELI. I used ZFS for the /opt partition (da1.eli, which is the encrypted form of the separate da1 disk).
And I want to encrypt the /opt partition by using GELI. My disks' state is like below:

# kldstat
Id Refs Address            Size     Name
 1   15 0xffffffff80100000 c9fe20   kernel
 2    1 0xffffffff80da0000 1ad0e0   zfs.ko
 3    2 0xffffffff80f4e000 3a68     opensolaris.ko
 4    1 0xffffffff80f52000 1cdc0    geom_eli.ko
 5    2 0xffffffff80f6f000 2b0b8    crypto.ko
 6    2 0xffffffff80f9b000 dc40     zlib.ko

# cat /etc/rc.conf | grep geli
geli_devices="da1"
geli_da1_flags="-k /root/da1.key"
#geli_detach="NO"

# zpool status
  pool: opt
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        opt         ONLINE       0     0     0
          da1.eli   ONLINE       0     0     0

errors: No known data errors

# geli status
   Name  Status  Components
da1.eli  ACTIVE  da1

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/da0s1a    9.7G    280M    8.6G     3%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0s1d     15G    734M     14G     5%    /usr
opt            7.8G    120K    7.8G     0%    /opt

# geli detach da1.eli
geli: Cannot destroy device da1.eli (error=16).

# zfs unmount -a
# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/da0s1a    9.7G    280M    8.6G     3%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0s1d     15G    734M     14G     5%    /usr

# geli detach da1.eli
geli: Cannot destroy device da1.eli (error=16).

When I use the "zfs mount -a" command, there must be a prompt for entering the passphrase, but it is immediately mounted by zfs without prompting for anything.

# zfs mount -a
# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/da0s1a    9.7G    280M    8.6G     3%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0s1d     15G    734M     14G     5%    /usr
opt            7.8G    120K    7.8G     0%    /opt

But I want to be able to detach the encrypted device and remove it from the zpool so that it cannot be accessed by anyone. But I got an error when I try to detach the device (opt partition). And I can still access the disk in the ZFS pool. Isn't it strange, buddies?

Briefly, is there any solution to detach and unmount the encrypted disk for only the /opt partition (which is in the ZFS pool)? Could you please give me advice on this progress?