Date: Fri, 10 Jun 2011 07:31:27 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Robert Simmons <rsimmons0@gmail.com>
Cc: freebsd-geom@freebsd.org
Subject: Re: data integrity verification using geli
Message-ID: <20110610053127.GB2433@garage.freebsd.pl>
In-Reply-To: <BANLkTinmOe93JAASXVLRssxVk1evPngX=A@mail.gmail.com>
References: <BANLkTinmOe93JAASXVLRssxVk1evPngX=A@mail.gmail.com>

On Thu, Jun 09, 2011 at 10:51:18PM -0400, Robert Simmons wrote:
> Does data integrity verification work if I encrypt a partition using
> geli(8)? When I created a provider, I just happened to peek at the
> dmesg and I noticed a large number of errors reported after creating
> the eli device. All are variations of the following:
> GEOM_ELI: ad6p4.eli: 512 bytes corrupted at offset 3221224960
> GEOM_ELI: ad6p4.eli: 8192 bytes corrupted at offset 65536

This is because the data is not yet initialized. You have some random
data that surely are not properly signed. In the example section of
geli(8) manual page you can find that there is a step to initialize the
provider's data:

	# dd if=/dev/random of=/dev/da0.eli bs=1m

This way GELI has a chance to sign all the blocks.

I guess it would be good to advise this step after 'geli init' the same
way we inform about backups.

--
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://yomoli.com
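
Added example, not part of the original e-mail or of GELI itself: a small parser for the GEOM_ELI corruption messages quoted above, which merges adjacent and duplicate extents per device so that dmesg output captured before and after the initialization step can be compared. The function names and the sample lines other than the two quoted in the message are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Message format as quoted in the e-mail above:
#   GEOM_ELI: ad6p4.eli: 512 bytes corrupted at offset 3221224960
LINE_RE = re.compile(
    r"GEOM_ELI: (?P<dev>\S+): (?P<len>\d+) bytes corrupted at offset (?P<off>\d+)"
)

def parse_corruption(lines):
    """Return {device: [(offset, length), ...]} for every matching line."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            hits[m["dev"]].append((int(m["off"]), int(m["len"])))
    return dict(hits)

def merge_ranges(extents):
    """Merge (offset, length) extents into sorted, disjoint [start, end) ranges."""
    merged = []
    for off, length in sorted(extents):
        end = off + length
        if merged and off <= merged[-1][1]:
            # Overlaps or touches the previous range: extend it.
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([off, end])
    return [tuple(r) for r in merged]

def summarize(lines):
    """Per device: (message count, distinct corrupted bytes, merged ranges)."""
    out = {}
    for dev, extents in parse_corruption(lines).items():
        ranges = merge_ranges(extents)
        out[dev] = (len(extents), sum(e - s for s, e in ranges), ranges)
    return out

# Constructed sample: the first two lines are the ones quoted in the e-mail;
# the others are made up to exercise merging, duplicates and non-matching input.
SAMPLE = """\
GEOM_ELI: ad6p4.eli: 512 bytes corrupted at offset 3221224960
GEOM_ELI: ad6p4.eli: 8192 bytes corrupted at offset 65536
GEOM_ELI: ad6p4.eli: 8192 bytes corrupted at offset 73728
GEOM_ELI: ad6p4.eli: 512 bytes corrupted at offset 65536
ad6: some unrelated kernel message
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```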
