ZFS Encryption with GELI for only /opt partition

icameto icameto icameto at gmail.com
Thu Jun 21 09:07:22 UTC 2012


Hi everyone,

I have some problems with ZFS encryption and GELI. I used ZFS for the /opt
partition (da1.eli, which is the encrypted form of the separate da1 disk). And I
want to encrypt the /opt partition by using GELI. My disks' states are like
below:

*# kldstat*
Id Refs Address            Size     Name
 1   15 0xffffffff80100000 c9fe20   kernel
 2    1 0xffffffff80da0000 1ad0e0   zfs.ko
 3    2 0xffffffff80f4e000 3a68     opensolaris.ko
 4    1 0xffffffff80f52000 1cdc0    geom_eli.ko
 5    2 0xffffffff80f6f000 2b0b8    crypto.ko
 6    2 0xffffffff80f9b000 dc40     zlib.ko


*# cat /etc/rc.conf | grep  geli *
geli_devices="da1"
geli_da1_flags="-k /root/da1.key"
#geli_detach="NO"


*# zpool status*
  pool: opt
 state: ONLINE
 scrub: none requested
config:

    NAME        STATE     READ WRITE CKSUM
    opt         ONLINE       0     0     0
      da1.eli   ONLINE       0     0     0

errors: No known data errors

*# geli status*
   Name  Status  Components
da1.eli  ACTIVE  da1

*# df -h*
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/da0s1a    9.7G    280M    8.6G     3%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0s1d     15G    734M     14G     5%    /usr
opt            7.8G    120K    7.8G     0%    /opt


*# geli detach da1.eli*
geli: Cannot destroy device da1.eli (error=16).

*# zfs unmount -a*

*# df -h*
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/da0s1a    9.7G    280M    8.6G     3%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0s1d     15G    734M     14G     5%    /usr

*# geli detach da1.eli*
geli: Cannot destroy device da1.eli (error=16).

When I use the "zfs mount -a" command, there must be a prompt for entering the
passphrase, but it is immediately mounted by zfs without prompting for anything.

*# zfs mount -a*

*# df -h*
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/da0s1a    9.7G    280M    8.6G     3%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0s1d     15G    734M     14G     5%    /usr
opt            7.8G    120K    7.8G     0%    /opt


But I want to be able to detach the encrypted device and remove it from the zpool
so that it cannot be accessed by anyone. But I got an error when I tried to detach
the device (opt partition). And I can still access the disk in the ZFS pool. Isn't
it strange, buddies?

Briefly, is there any solution to detach and unmount the encrypted disk for
only the /opt partition (which is in the ZFS pool)? Could you please give me advice
on this progress?

