Date:      Thu, 21 Jun 2012 13:14:43 +0200
From:      Fabian Keil <freebsd-listen@fabiankeil.de>
To:        icameto icameto <icameto@gmail.com>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: ZFS Encryption with GELI for only /opt partition
Message-ID:  <20120621131443.59eb24f3@fabiankeil.de>
In-Reply-To: <CAMve_NNwowTXS0m58AhQvFvDyg4W-pAoEj72zUMAARhfgStUBw@mail.gmail.com>
References:  <CAMve_NNwowTXS0m58AhQvFvDyg4W-pAoEj72zUMAARhfgStUBw@mail.gmail.com>

icameto icameto <icameto@gmail.com> wrote:

> I have some problems with ZFS encryption and GELI. I used ZFS for the /opt
> partition (da1.eli, which is the encrypted form of the separate da1 disk). And I
> want to encrypt the /opt partition by using GELI. My disks' states are like
> below
>
> # kldstat
> Id Refs Address            Size     Name
>  1   15 0xffffffff80100000 c9fe20   kernel
>  2    1 0xffffffff80da0000 1ad0e0   zfs.ko
>  3    2 0xffffffff80f4e000 3a68     opensolaris.ko
>  4    1 0xffffffff80f52000 1cdc0    geom_eli.ko
>  5    2 0xffffffff80f6f000 2b0b8    crypto.ko
>  6    2 0xffffffff80f9b000 dc40     zlib.ko
>
> # cat /etc/rc.conf | grep geli
> geli_devices="da1"
> geli_da1_flags="-k /root/da1.key"
> #geli_detach="NO"
>
> # zpool status
>   pool: opt
>  state: ONLINE
>  scrub: none requested
> config:
>
>     NAME        STATE     READ WRITE CKSUM
>     opt         ONLINE       0     0     0
>       da1.eli   ONLINE       0     0     0
>
> errors: No known data errors
>
> # geli status
>    Name  Status  Components
> da1.eli  ACTIVE  da1
>
> # df -h
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/da0s1a    9.7G    280M    8.6G     3%    /
> devfs          1.0K    1.0K      0B   100%    /dev
> /dev/da0s1d     15G    734M     14G     5%    /usr
> opt            7.8G    120K    7.8G     0%    /opt
>
> # geli detach da1.eli
> geli: Cannot destroy device da1.eli (error=16).
>
> # zfs unmount -a
>
> # df -h
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/da0s1a    9.7G    280M    8.6G     3%    /
> devfs          1.0K    1.0K      0B   100%    /dev
> /dev/da0s1d     15G    734M     14G     5%    /usr
>
> # geli detach da1.eli
> geli: Cannot destroy device da1.eli (error=16).

This doesn't work because the pool is still imported.
Try running "zpool export opt" first; it will automatically
unmount the datasets, so you can skip the "zfs unmount -a".

> When I use the "zfs mount -a" command, I should be prompted to enter a
> passphrase, but it is immediately mounted by ZFS without prompting for anything.

As the pool hasn't been exported, that's the expected behaviour.

Also note that ZFS and geli are not tightly integrated, so
"zfs mount -a" will never set up the geli provider for you.

> # zfs mount -a
>
> # df -h
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/da0s1a    9.7G    280M    8.6G     3%    /
> devfs          1.0K    1.0K      0B   100%    /dev
> /dev/da0s1d     15G    734M     14G     5%    /usr
> opt            7.8G    120K    7.8G     0%    /opt
>
> But I want to be able to detach the encrypted device and remove it from
> the zpool so that it cannot be accessed by anyone. But I got an error when I
> tried to detach the device (the /opt partition), and I can still access the
> disk in the ZFS pool. Isn't it strange, buddies?
>
> Briefly, is there any solution to detach and unmount the encrypted disk for
> only the /opt partition (which is in a ZFS pool)? Could you please give me
> advice on this process?

I'm not aware of a mechanism in FreeBSD's base system that does
this automatically, but doing it manually (or with a script) should
work.

Fabian
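The reply above boils down to a two-step lock (export the pool, then detach the provider) and a two-step unlock in the reverse order. The script below is an added illustration of that sequence; it is not code from the thread or from FreeBSD's base system. The pool name "opt", the provider da1/da1.eli and the key file /root/da1.key are taken from the original post; the DRY_RUN switch is an assumption added here so the command order can be checked on a machine without geli(8) or zpool(8).

```sh
#!/bin/sh
# Lock/unlock a GELI-backed ZFS pool by hand, in the order geli(8) needs.
# Added example for this thread; not part of FreeBSD's base system.
# Assumes the names from the original post: pool "opt", provider da1
# (da1.eli once attached) and key file /root/da1.key. Override them with
# POOL=, PROVIDER= and KEYFILE= in the environment.
#
# Why "zfs unmount -a" was not enough: the imported pool keeps the vdev
# da1.eli open, so geli(8) gets EBUSY (error=16) on detach. Exporting the
# pool both unmounts its datasets and closes the device.

POOL="${POOL:-opt}"
PROVIDER="${PROVIDER:-da1}"
KEYFILE="${KEYFILE:-/root/${PROVIDER}.key}"

# run CMD ARGS...: execute the command, or only print it when DRY_RUN=1.
# The dry-run mode is an addition for this example so the sequence can be
# exercised on a host that has neither geli nor zpool.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# lock_pool: make /opt unreadable until the passphrase is supplied again.
#   1. zpool export -> unmounts every dataset of the pool and releases the vdev
#   2. geli detach  -> now succeeds and drops the key from kernel memory
lock_pool() {
    run zpool export "$POOL" || return 1
    run geli detach "${PROVIDER}.eli"
}

# unlock_pool: the reverse. geli attach asks for the passphrase (and uses
# the key file given with -k); the pool can only be imported once da1.eli
# exists. ZFS never performs the geli step by itself.
unlock_pool() {
    run geli attach -k "$KEYFILE" "$PROVIDER" || return 1
    run zpool import "$POOL"
}

case "${1:-}" in
    lock)   lock_pool ;;
    unlock) unlock_pool ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 lock|unlock" >&2; exit 64 ;;
esac
```

Run it as root with `lock` or `unlock`. Two caveats a practitioner will hit: `zpool export` itself fails with "pool is busy" while any process still has a file open under /opt (`fstat -f /opt` lists them), and exporting the pool drops it from zpool.cache, so after a reboot the geli_devices entry in rc.conf will still attach da1 and prompt for the passphrase, but the pool has to be imported again by hand.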

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120621131443.59eb24f3>