geli mirror with -a won't format

Pawel Jakub Dawidek pjd at FreeBSD.org
Tue Feb 27 15:15:26 UTC 2007


On Tue, Feb 27, 2007 at 02:21:59PM +0100, Christian Baer wrote:
> Hello there, peeps!
> 
> I have been trying to create a filesystem for paranoid people like
> myself. :-) What I want to make is this:
> 
> - mirror (two partitions with gmirror)
> - geli with -a on that
> 
> I am not expecting anyone to manipulate my system. My data is far too
> unimportant (to other people) for that. But the file systems will
> contain stuff that is *very* important to me and I am hoping that -a
> will give me an early warning if the data becomes corrupt due to
> hardware failure. If I got the whole thing with -a wrong, then *my*
> problem is solved, as I won't be using -a. :-) But it could very well be
> an issue for other people.
> 
> The commands I used are these (with the replies from the system):
> 
>   sunny# geli init -v -s 4096 -K - -a HMAC/SHA256 -e blowfish -l 448 -P /dev/mirror/home
>   Metadata value stored on /dev/mirror/home.
>   Done.
>   sunny# geli attach -v -p -k - /dev/mirror/home
>   Attched to /dev/mirror/home.
>   Done.
> 
> Note: The keyfile in both cases is created by a script and piped to geli.
> 
> Now strangely, this looks ok so far. But it isn't. :-/ If I use the init
> without the -a I get this in /var/log/messages:
> 
>  kernel: GEOM_ELI: Device mirror/home.eli created.
>  kernel: GEOM_ELI: Encryption: Blowfish-CBC 448
>  kernel: GEOM_ELI:     Crypto: software
> 
> I can do a newfs, mount the provider and work with it. That all stops
> when I activate authentication when initialising the provider (as shown
> in the command above). /var/log/messages gets really messy then:
> 
>  kernel: GEOM_ELI: Device mirror/home.eli created.
>  kernel: GEOM_ELI: Encryption: Blowfish-CBC 448
>  kernel: GEOM_ELI:  Integrity: HMAC/SHA256
>  kernel: GEOM_ELI:     Crypto: software
>  kernel: GEOM_ELI: mirror/home.eli:
>  kernel: 4096 bytes corrupte
>  kernel: d at offset
[...]

When you only set up data authentication, geli expects authenticated data
from now on, but the data is not yet "signed". Try clearing the disk first
by doing:

	# dd if=/dev/zero of=/dev/mirror/home.eli bs=1m

(you probably don't need to clear the entire disk, but I don't want to guess
which sectors exactly)

It is better to use /dev/random instead of /dev/zero, but probably
slower.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
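The failure mode described in this reply, as an added toy model (not geli's own code, and not part of the original thread): every sector on the authenticated provider carries an HMAC/SHA256 tag, a freshly initialised provider still holds whatever the disk contained before, so every read fails verification until the sector has been written once through the .eli device. The layout (payload followed by tag, no encryption) is a simplification assumed here for illustration.

```python
import hmac
import hashlib
import os

SECTOR_SIZE = 4096  # matches the -s 4096 used in the thread
TAG_LEN = 32        # HMAC/SHA256 digest length


class AuthenticatedProvider:
    """Toy model of a geli provider initialised with -a HMAC/SHA256.

    Each sector stores its payload followed by an HMAC over the payload.
    Reads verify the tag, so a sector never written through the .eli
    device reports as corrupt. (Assumed layout; real geli also encrypts.)
    """

    def __init__(self, key: bytes, sectors: int):
        self.key = key
        # Backing store as it looked before 'geli init': stale bytes, no valid tags.
        self.disk = [os.urandom(SECTOR_SIZE + TAG_LEN) for _ in range(sectors)]

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def write(self, index: int, data: bytes) -> None:
        if len(data) != SECTOR_SIZE:
            raise ValueError("writes go through the .eli device one full sector at a time")
        self.disk[index] = data + self._tag(data)

    def read(self, index: int) -> bytes:
        raw = self.disk[index]
        data, tag = raw[:SECTOR_SIZE], raw[SECTOR_SIZE:]
        if not hmac.compare_digest(tag, self._tag(data)):
            # This is the condition behind "4096 bytes corrupted at offset ..."
            raise IOError(f"{SECTOR_SIZE} bytes corrupted at offset {index * SECTOR_SIZE}")
        return data

    def dd_zero(self) -> None:
        """Equivalent of 'dd if=/dev/zero of=/dev/mirror/home.eli': writes every sector once."""
        for i in range(len(self.disk)):
            self.write(i, b"\x00" * SECTOR_SIZE)


def count_unreadable(p: AuthenticatedProvider) -> int:
    """Number of sectors whose tag does not verify."""
    bad = 0
    for i in range(len(p.disk)):
        try:
            p.read(i)
        except IOError:
            bad += 1
    return bad


if __name__ == "__main__":
    p = AuthenticatedProvider(os.urandom(32), sectors=8)
    print("unreadable right after init:", count_unreadable(p))  # 8
    p.dd_zero()
    print("unreadable after dd:", count_unreadable(p))  # 0
```

The same tag check is what gives the early warning the original poster was after: flip one bit of a stored sector and the next read of it fails instead of returning silently damaged data.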