Date: Tue, 27 Feb 2007 16:14:08 +0100
From: Pawel Jakub Dawidek
To: Christian Baer
Cc: freebsd-geom@freebsd.org
Subject: Re: geli mirror with -a won't format
Message-ID: <20070227151407.GA31115@garage.freebsd.pl>
List-Id: GEOM-specific discussions and implementations

On Tue, Feb 27, 2007 at 02:21:59PM +0100, Christian Baer wrote:
> Hello there, peeps!
>
> I have been trying to create a filesystem for paranoid people like
> myself. :-) What I want to make is this:
>
> - mirror (two partitions with gmirror)
> - geli with -a on that
>
> I am not expecting anyone to manipulate my system. My data is far too
> unimportant (to other people) for that. But the file systems will
> contain stuff that is *very* important to me and I am hoping that -a
> will give me an early warning if the data becomes corrupt due to
> hardware failure. If I got the whole thing with -a wrong, then *my*
> problem is solved, as I won't be using -a. :-) But it could very well be
> an issue for other people.
>
> The commands I used are these (with the replies from the system):
>
> sunny# geli init -v -s 4096 -K - -a HMAC/SHA256 -e blowfish -l 448 -P /dev/mirror/home
> Metadata value stored on /dev/mirror/home.
> Done.
> sunny# geli attach -v -p -k - /dev/mirror/home
> Attched to /dev/mirror/home.
> Done.
>
> Note: The keyfile in both cases is created by a script and piped to geli.
>
> Now strangely, this looks ok so far. But it isn't. :-/ If I use the init
> without the -a I get this in /var/log/messages:
>
> kernel: GEOM_ELI: Device mirror/home.eli created.
> kernel: GEOM_ELI: Encryption: Blowfish-CBC 448
> kernel: GEOM_ELI: Crypto: software
>
> I can do a newfs, mount the provider and work with it. That all stops
> when I activate authentication when initialising the provider (as shown
> in the command above). /var/log/messages gets really messy then:
>
> kernel: GEOM_ELI: Device mirror/home.eli created.
> kernel: GEOM_ELI: Encryption: Blowfish-CBC 448
> kernel: GEOM_ELI: Integrity: HMAC/SHA256
> kernel: GEOM_ELI: Crypto: software
> kernel: GEOM_ELI: mirror/home.eli:
> kernel: 4096 bytes corrupte
> kernel: d at offset
[...]

When you only set up data authentication, geli expects authenticated data
from now on, but the data is not yet "signed". Try clearing the disk first
by doing:

	# dd if=/dev/zero of=/dev/mirror/home.eli bs=1m

(you probably don't need to clear the entire disk, but I don't want to
guess which sectors exactly)

It is better to use /dev/random instead of /dev/zero, but probably slower.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
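
The behaviour described in the reply above, as an added example that is not part of the original message and is not geli code: a simplified Python model of a per-sector HMAC layer, showing that every sector fails verification until it has been written once through the authenticated device. The class and function names are hypothetical, the tag layout and key handling are assumptions, and encryption is left out.

```python
import hashlib
import hmac
import os

SECTOR = 4096   # same sector size as the -s 4096 in the thread
TAG_LEN = 32    # HMAC-SHA256 output size

class AuthProvider:
    """Toy integrity layer over a raw store (assumed layout, not geli's)."""

    def __init__(self, raw: bytearray, key: bytes):
        self.raw, self.key = raw, key

    def _slot(self, index: int) -> int:
        return index * (TAG_LEN + SECTOR)

    def _tag(self, index: int, data: bytes) -> bytes:
        # Bind the tag to the sector index so sectors cannot be swapped.
        msg = index.to_bytes(8, "little") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, index: int, data: bytes) -> None:
        pos = self._slot(index)
        self.raw[pos:pos + TAG_LEN + SECTOR] = self._tag(index, data) + data

    def read(self, index: int) -> bytes:
        pos = self._slot(index)
        tag = bytes(self.raw[pos:pos + TAG_LEN])
        data = bytes(self.raw[pos + TAG_LEN:pos + TAG_LEN + SECTOR])
        if not hmac.compare_digest(tag, self._tag(index, data)):
            raise IOError(f"{SECTOR} bytes corrupted at offset {index * SECTOR}")
        return data

def make_fresh(count: int) -> AuthProvider:
    # Constructed sample: leftover bytes on a newly initialised provider.
    raw = bytearray(os.urandom(count * (TAG_LEN + SECTOR)))
    return AuthProvider(raw, key=os.urandom(32))

def clear(dev: AuthProvider, count: int) -> None:
    # Equivalent of dd if=/dev/zero onto the .eli device: each write adds a tag.
    for i in range(count):
        dev.write(i, bytes(SECTOR))

def corrupt_sectors(dev: AuthProvider, count: int) -> list:
    """Return the indexes of sectors whose tag does not verify."""
    bad = []
    for i in range(count):
        try:
            dev.read(i)
        except IOError:
            bad.append(i)
    return bad
```

In this model, clearing only helps because the writes go through the authenticated layer; bytes changed directly in the backing store afterwards are reported as corrupt again.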