ZFS Encryption with GELI for only /opt partition

Fabian Keil freebsd-listen at fabiankeil.de
Fri Jun 22 10:21:16 UTC 2012


icameto icameto <icameto at gmail.com> wrote:

> So much thanks Fabian, especially for your quick answer and concern. I
> run "zpool export opt" and I would like to explain it clearly. There
> will be one disk which will be used for /opt partition as encrypted.
> Previously in UFS I was able to detach the opt partition by using GEOM
> BDE module via these steps.
>
> # kldload geom_bde
> # mkdir /etc/gbde
> # gbde init /dev/ad0s1e -i -L /etc/gbde/ad0s1e.lock
> # gbde attach /dev/ad0s1e -l /etc/gbde/ad0s1e.lock
> # newfs -U -O2 /dev/ad0s1e.bde
> # mkdir /encryptedfs
> # mount /dev/ad0s1e.bde /encryptedfs
> # gbde detach /dev/ad0s1e
> # umount /encryptedfs

Is the order of the last two commands correct?

I have no experience with gbde, but I would expect
the detachment to fail if the device is still mounted.
The man page seems to at least recommend that the file
system is unmounted first as well:

| Please notice that detaching an encrypted device
| corresponds to physically removing it, do not forget
| to unmount the file system first.

> Briefly I want to be able to unmount and mount capabilities without
> harming the datasets in pool of ZFS while using ZFS with GELI for
> encryption purpose. And you know I'm capable of unmounting the
> disk (da1.bde etc.) from /opt mount point while I was using GEOM BDE.
> When I unmounted this disk (da1.bde), I could use da1 for /opt mount
> point without any data or dataset losing.

Maybe I misunderstand the last sentence, but I don't see how
you can mount /opt on da1 directly without corrupting data
previously written on da1.bde.

> Dear Fabian, I have tried exporting the pool from ZFS, and you're right that
> now I can detach from the pool. But when I tried to import the old "opt"
> pool, I'm getting a warning "cannot import 'opt': no such pool available"
> about the importing process.
> 
> # geli status
>    Name  Status  Components
> da1.eli  ACTIVE  da1

How did you recreate da1.eli after detaching it?
Did you maybe initialize it again instead of simply attaching it?

> You said that ZFS and GELI are not tightly integrated. But is that
> possible detaching and making inaccessible da1.eli device or making
> offline ZFS pool temporarily until attached properly with entering
> passphrase again for making accessible on mount point /opt (ZFS Pool)
> for this case ?

That's possible and a lot of people do it daily.

I always put a label between geli and the external device
as it makes scripting the import easier, but it should work
without the label as well.

> Finally, I can create a script which will be working like a charm. I'm
> really curious about creating an encrypted ZFS pool (for opt) with attaching
> and detaching capabilities. I guess that I'm doing an error on steps or a
> logical mistake. Could you please help me to handle this issue or steps?

Without knowing the exact steps you took, I can't tell where the
problem is. Could you post the complete list of commands you used
to create da1.eli and the ZFS pool, how you exported and detached
da1.eli and how you tried to import it again?

Fabian
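The attach/detach cycle the thread is circling around, written out as a small script. This is an added example, not code from either poster: it assumes a hypothetical glabel "optdisk" on the disk (so the GELI provider is /dev/label/optdisk, the label trick Fabian mentions), a pool named "opt", and a passphrase-only GELI provider. The point it makes explicit is the ordering: export the pool before detaching the provider (detaching is equivalent to pulling the disk), and on the way back use "geli attach", never "geli init" again, because init writes fresh metadata and the old pool becomes unimportable. DRY_RUN=1 prints the commands instead of running them, which is how the sequence can be checked on a machine without GELI.

```shell
#!/bin/sh
# Added example (hypothetical names): attach and detach an encrypted ZFS
# pool that lives on a single GELI provider, in the order that does not
# lose data.

POOL="${POOL:-opt}"                     # pool name (assumed)
PROVIDER="${PROVIDER:-label/optdisk}"   # glabel name under /dev (assumed)
DRY_RUN="${DRY_RUN:-0}"                 # 1 = print commands only

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time setup. Destroys whatever is on the provider: only ever run
# this once, when creating the pool. Re-running it later is exactly the
# mistake that turns "zpool import opt" into "no such pool available".
init_opt() {
    run geli init -s 4096 "/dev/${PROVIDER}" || return 1
    run geli attach "/dev/${PROVIDER}" || return 1
    run zpool create -m /opt "$POOL" "/dev/${PROVIDER}.eli" || return 1
}

# Make /opt unavailable. The pool must be exported first so ZFS closes
# the vdev; detaching the provider while the pool is imported is the
# same as physically removing the disk.
detach_opt() {
    run zpool export "$POOL" || return 1
    run geli detach "${PROVIDER}.eli" || return 1
}

# Make /opt available again: attach (prompts for the passphrase), then
# import the pool that is already on the decrypted provider.
attach_opt() {
    run geli attach "/dev/${PROVIDER}" || return 1
    run zpool import "$POOL" || return 1
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        init)   init_opt ;;
        attach) attach_opt ;;
        detach) detach_opt ;;
        *) echo "usage: $0 init|attach|detach" >&2; exit 2 ;;
    esac
fi
```

Usage is "sh opt-crypt.sh detach" before unplugging or leaving the machine and "sh opt-crypt.sh attach" to get /opt back; "init" is run once and never again for the same disk. A glabel is used rather than da1 so that the script keeps working if the disk enumerates under a different device name after a reboot or on another controller.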