Date: Tue, 27 Feb 2007 16:14:08 +0100
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Christian Baer <christian.baer@uni-dortmund.de>
Cc: freebsd-geom@freebsd.org
Subject: Re: geli mirror with -a won't format
Message-ID: <20070227151407.GA31115@garage.freebsd.pl>
In-Reply-To: <es1b9n$297j$1@nermal.rz1.convenimus.net>
References: <es1b9n$297j$1@nermal.rz1.convenimus.net>
On Tue, Feb 27, 2007 at 02:21:59PM +0100, Christian Baer wrote:
> Hello there, peeps!
>
> I have been trying to create a filesystem for paranoid people like
> myself. :-) What I want to make is this:
>
> - mirror (two partitions with gmirror)
> - geli with -a on that
>
> I am not expecting anyone to manipulate my system. My data is far too
> unimportant (to other people) for that. But the file systems will
> contain stuff that is *very* important to me and I am hoping that -a
> will give me an early warning if the data becomes corrupt due to
> hardware failure. If I got the whole thing with -a wrong, then *my*
> problem is solved, as I won't be using -a. :-) But it could very well be
> an issue for other people.
>
> The commands I used are these (with the replies from the system):
>
> sunny# geli init -v -s 4096 -K - -a HMAC/SHA256 -e blowfish -l 448 -P /dev/mirror/home
> Metadata value stored on /dev/mirror/home.
> Done.
> sunny# geli attach -v -p -k - /dev/mirror/home
> Attched to /dev/mirror/home.
> Done.
>
> Note: The keyfile in both cases is created by a script and piped to geli.
>
> Now strangely, this looks ok so far. But it isn't. :-/ If I use the init
> without the -a I get this in /var/log/messages:
>
> kernel: GEOM_ELI: Device mirror/home.eli created.
> kernel: GEOM_ELI: Encryption: Blowfish-CBC 448
> kernel: GEOM_ELI: Crypto: software
>
> I can do a newfs, mount the provider and work with it. That all stops
> when I activate authentication when initialising the provider (as shown
> in the command above). /var/log/messages gets really messy then:
>
> kernel: GEOM_ELI: Device mirror/home.eli created.
> kernel: GEOM_ELI: Encryption: Blowfish-CBC 448
> kernel: GEOM_ELI: Integrity: HMAC/SHA256
> kernel: GEOM_ELI: Crypto: software
> kernel: GEOM_ELI: mirror/home.eli:
> kernel: 4096 bytes corrupte
> kernel: d at offset [...]

When you only set up data authentication, geli expects authenticated data
from now on, but the data is not yet "signed". Try clearing the disk first
by doing:

# dd if=/dev/zero of=/dev/mirror/home.eli bs=1m

(you probably don't need to clear the entire disk, but I don't want to
guess which sectors exactly)

It is better to use /dev/random instead of /dev/zero, but probably slower.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
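An added illustration (not from this thread and not geli's own code) of why a freshly initialised -a provider reads as corrupted until every sector has been written once. It is a toy Python model of per-sector HMAC/SHA256 data authentication: the sector layout, the key and the sector count are constructed assumptions, and encryption is left out because only the integrity check matters for the "bytes corrupted" messages. count_unreadable() shows every sector failing while the backing store still holds pre-existing junk, initialize() is the model's equivalent of the dd over /dev/mirror/home.eli (zeros, or random data as the reply prefers), and flip_bit() shows the hardware-fault case that -a is meant to report.

```python
import hashlib
import hmac
import os

# Simplified model (an assumption, not geli's real on-disk layout): each
# sector carries its own HMAC/SHA256 tag and the tag is bound to the sector
# number. Real geli also encrypts the data; that is omitted here.
SECTOR = 4096           # matches "geli init -s 4096" in the thread
MAC_LEN = 32            # HMAC/SHA256 tag length


class IntegrityError(Exception):
    """Raised where the kernel would log 'N bytes corrupted at offset X'."""


class AuthenticatedDisk:
    def __init__(self, nsectors, key):
        self.key = key
        # A provider straight after "geli init -a" still holds whatever bytes
        # were on the underlying disk. Constructed here as random junk.
        self.backing = [os.urandom(SECTOR + MAC_LEN) for _ in range(nsectors)]

    def _tag(self, index, data):
        # Including the sector index stops a valid sector being replayed at
        # another offset.
        return hmac.new(self.key, index.to_bytes(8, "little") + data,
                        hashlib.sha256).digest()

    def write(self, index, data):
        if len(data) != SECTOR:
            raise ValueError("writes must be whole sectors")
        self.backing[index] = data + self._tag(index, data)

    def read(self, index):
        raw = self.backing[index]
        data, tag = raw[:SECTOR], raw[SECTOR:]
        if not hmac.compare_digest(tag, self._tag(index, data)):
            raise IntegrityError(
                f"{SECTOR} bytes corrupted at offset {index * SECTOR}")
        return data


def count_unreadable(disk):
    """Number of sectors whose read fails authentication (what newfs hits)."""
    bad = 0
    for i in range(len(disk.backing)):
        try:
            disk.read(i)
        except IntegrityError:
            bad += 1
    return bad


def initialize(disk, random=False):
    """Model of 'dd if=/dev/zero of=/dev/mirror/home.eli': write every sector
    once *through* the authenticating layer so each one gets a valid tag.
    random=True corresponds to using /dev/random instead of /dev/zero."""
    for i in range(len(disk.backing)):
        disk.write(i, os.urandom(SECTOR) if random else bytes(SECTOR))


def flip_bit(disk, index, bit=0):
    """Simulate a hardware fault on the underlying provider, bypassing the
    authenticating layer. This is the corruption -a is meant to catch."""
    raw = bytearray(disk.backing[index])
    raw[bit // 8] ^= 1 << (bit % 8)
    disk.backing[index] = bytes(raw)


if __name__ == "__main__":
    disk = AuthenticatedDisk(8, b"constructed-demo-key")
    print("unreadable before dd:", count_unreadable(disk))    # 8
    initialize(disk)
    print("unreadable after dd:", count_unreadable(disk))     # 0
    disk.write(3, b"A" * SECTOR)
    flip_bit(disk, 3)
    print("unreadable after fault:", count_unreadable(disk))  # 1
```

The model makes the reply's point concrete: the "corruption" on a new provider is not a fault, it is every sector failing a check it was never set up to pass, and the only fix is to write each sector once through the .eli device so that the tags exist. After that, a flipped bit underneath the layer is reported on read, which is exactly the early warning the original poster wanted from -a.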