geom_eli, N disks, zfs

Is there any better way to configure a system to encrypt N disks with a passphrase for use under ZFS than writing the following in loader.conf:

geom_eli_load="YES"
geli_da0p1_keyfile0_load="YES"
geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"
geli_da0p1_keyfile0_name="/boot/keys/da0.key"

geli_da2p1_keyfile0_load="YES"
geli_da2p1_keyfile0_type="da2p1:geli_keyfile0"
geli_da2p1_keyfile0_name="/boot/keys/da2.key"

...

geli_da<N>p1_keyfile0_load="YES"
geli_da<N>p1_keyfile0_type="da<N>p1:geli_keyfile0"
geli_da<N>p1_keyfile0_name="/boot/keys/da<N>.key"

The problem is that we must enter the passphrase N times.

Thanks.

Evgeny Solovyov

_______________________________________________
freebsd-geom@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-geom
To unsubscribe, send any mail to "freebsd-geom-unsubscribe@..."
Re: geom_eli, N disks, zfs

You can allocate one small disk/slice to be encrypted with a passphrase (and, if you like, with keyfile(s) too). Inside it you will store the keyfiles for the other disks, which should be encrypted without using passphrase(s). In such a configuration it is necessary to know the passphrase to unlock any disk, but you need to type it only once.

P.S. And, actually, I think your question fits better on freebsd-questions@.

On Mon, Sep 21, 2009 at 5:38 PM, Evgeny Solovyov <a.n.s.i@...> wrote:
> Is there any better way to configure a system to encrypt N disks with a passphrase for use under ZFS than writing the following in loader.conf:
>
> [loader.conf listing as in the first message]
>
> The problem is that we must enter the passphrase N times.
>
> Thanks.
>
> Evgeny Solovyov
Re: geom_eli, N disks, zfs

> Is there any better way to configure a system to encrypt N disks with a passphrase for use under ZFS than writing the following in loader.conf:

I use a very short separate partition as the keyfile, decrypt that once and then use it to decrypt the others. My rc.conf looks like this:

geli_autodetach="NO"
geli_devices="ad4s1e ad6 ad8"
geli_ad6_flags="-p -k /dev/ad4s1e.eli"
geli_ad8_flags="-p -k /dev/ad4s1e.eli"

which is a bit shorter than yours :-)

ad4s1 is 5 sectors (i.e. 2560 bytes), hence ad4s1.eli is 2048 bytes. I initialised it with random data before encrypting the other discs and I keep a backup of the 4 sectors elsewhere, just in case...

-pete.
Re: geom_eli, N disks, zfs

> > Is there any better way to configure a system to encrypt N disks with a passphrase for use under ZFS than writing the following in loader.conf:
>
> I use a very short separate partition as the keyfile, decrypt that once and then use it to decrypt the others. My rc.conf looks like this:
>
> geli_autodetach="NO"
> geli_devices="ad4s1e ad6 ad8"
> geli_ad6_flags="-p -k /dev/ad4s1e.eli"
> geli_ad8_flags="-p -k /dev/ad4s1e.eli"
>
> which is a bit shorter than yours :-) ad4s1 is 5 sectors (i.e. 2560 bytes), hence ad4s1.eli is 2048 bytes. I initialised it with random data before encrypting the other discs and I keep a backup of the 4 sectors elsewhere, just in case...

Yes, that would be one solution. But with your setup we must mount the root FS first to read rc.conf, and only then can we attach the disks to initialize the ZFS volume. Or?

But what about a ZFS-only system with one zpool using all N disks?

I think it would be better if geom_eli remembered the first-typed passphrase and tried it for all disks at least once. In 99% of cases we use the same passphrase for all disks. Don't we? Then we wouldn't have to worry about a small 5-sector 'magic' partition.

For my installation I use a boot CD. It has only a boot dir with the keys and a loader.conf like this:

geom_eli_load="YES"
geli_da0p1_keyfile0_load="YES"
geli_da0p1_keyfile0_type="da0p1:geli_keyfile0"
geli_da0p1_keyfile0_name="/boot/keys/da0.key"

geli_da1p1_keyfile0_load="YES"
geli_da1p1_keyfile0_type="da1p1:geli_keyfile0"
geli_da1p1_keyfile0_name="/boot/keys/da1.key"

....

geli_da9p1_keyfile0_load="YES"
geli_da9p1_keyfile0_type="da9p1:geli_keyfile0"
geli_da9p1_keyfile0_name="/boot/keys/da9.key"

zfs_load="YES"
vfs.root.mountfrom="zfs:tank"

Yes, it is not comfortable, maybe even stupid, to type the passphrase 10 times :) But with good uptime it's bearable. The advantage of that installation is that I only have to care about making a copy of the boot CD :)

Sorry for my terrible English.

Thanks.
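The two layouts traded in this thread, pete's rc.conf with one passphrase-protected key partition and Evgeny's loader.conf with a preloaded keyfile per provider, both scale by repeating a few lines per disk. The script below is an added example (not code from either poster or from FreeBSD) that generates those lines for any list of providers, and prints the one-time geli setup commands for the key-partition layout so they can be reviewed before running them by hand. Device names and the /boot/keys directory follow the thread; the keyfile naming /boot/keys/<provider>.key, the backup path under /root and the dd count of 4 sectors (the thread's 5-sector partition minus geli's metadata sector) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Generators for the two configurations
# discussed above, so the per-disk lines are produced rather than typed:
#   gen_rc_conf     - pete's layout: one passphrase-protected key partition,
#                     data disks attached with -p -k (keyfile only, no passphrase)
#   gen_loader_conf - Evgeny's layout: a keyfile per provider preloaded by loader
#   gen_init_cmds   - one-time geli setup for pete's layout, printed only
# Assumptions: keyfiles live at /boot/keys/<provider>.key, the key partition
# is 5 sectors (4 usable, as in the thread), backups go under /root.

# gen_rc_conf KEYDEV DISK...
# The key device is listed first so rc.d/geli attaches it (prompting once)
# before the data disks, whose flags point at /dev/KEYDEV.eli as keyfile.
gen_rc_conf() {
    keydev=$1; shift
    printf 'geli_autodetach="NO"\n'
    printf 'geli_devices="%s' "$keydev"
    for d in "$@"; do printf ' %s' "$d"; done
    printf '"\n'
    for d in "$@"; do
        printf 'geli_%s_flags="-p -k /dev/%s.eli"\n' "$d" "$keydev"
    done
}

# gen_loader_conf PROVIDER...
# Emits the keyfile0 triple from the first message for each provider.
# The passphrase is still requested per provider at boot; that is the
# limitation the thread is about, this only removes the copy-paste.
gen_loader_conf() {
    printf 'geom_eli_load="YES"\n'
    for p in "$@"; do
        printf 'geli_%s_keyfile0_load="YES"\n' "$p"
        printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$p" "$p"
        printf 'geli_%s_keyfile0_name="/boot/keys/%s.key"\n' "$p" "$p"
    done
    printf 'zfs_load="YES"\n'
}

# gen_init_cmds KEYDEV DISK...
# One-time setup for the rc.conf layout, printed for review, never run here:
#  - the key partition is initialised with a passphrase and attached once;
#  - its plaintext side is filled from /dev/random, so the keyfile is random;
#  - the keyfile is backed up first, as pete does: losing it loses every disk;
#  - each data disk is initialised with -P (no passphrase) -K (keyfile).
gen_init_cmds() {
    keydev=$1; shift
    echo "geli init /dev/$keydev"
    echo "geli attach /dev/$keydev"
    echo "dd if=/dev/random of=/dev/$keydev.eli bs=512 count=4"
    echo "dd if=/dev/$keydev.eli of=/root/$keydev.keyfile.backup bs=512 count=4"
    for d in "$@"; do
        echo "geli init -P -K /dev/$keydev.eli /dev/$d"
    done
}

# Usage with the thread's device names (output only, no devices touched):
#   gen_rc_conf ad4s1e ad6 ad8
#   gen_loader_conf da0p1 da1p1 da2p1
#   gen_init_cmds ad4s1e ad6 ad8
```

Redirect `gen_rc_conf` into a fragment that you append to /etc/rc.conf, and keep `geli_autodetach="NO"` as pete does: without it the key provider detaches once the last consumer closes it, and later attaches of data disks would fail.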
Re: geom_eli, N disks, zfs

> Yes, that would be one solution. But with your setup we must mount the root FS first to read rc.conf, and only then can we attach the disks to initialize the ZFS volume. Or?

Yes, this is true - but then I only encrypt the drives which have sensitive data on them. My boot drive doesn't come under that heading, though all the data is then mounted from an encrypted zpool.

> But what about a ZFS-only system with one zpool using all N disks?

I haven't thought about that - I have two zpools, one unencrypted on the boot drive, and then a pair of mirrored encrypted drives for the rest. I never quite saw the mileage in encrypting the boot device really - as long as the actual data is protected then I am happy.

-pete.
Re: geom_eli, N disks, zfs

> > But what about a ZFS-only system with one zpool using all N disks?
>
> I haven't thought about that - I have two zpools, one unencrypted on the boot drive, and then a pair of mirrored encrypted drives for the rest. I never quite saw the mileage in encrypting the boot device really - as long as the actual data is protected then I am happy.

Oops! We cannot use more than one disk in the ZFS root pool. Only mirror is supported. No stripe, no RAIDZ. :(

Then your configuration is the best for me.