data integrity verification using geli
Pawel Jakub Dawidek
pjd at FreeBSD.org
Fri Jun 10 05:32:13 UTC 2011
On Thu, Jun 09, 2011 at 10:51:18PM -0400, Robert Simmons wrote:
> Does data integrity verification work if I encrypt a partition using
> geli(8)? When I created a provider, I just happened to peek at the
> dmesg and I noticed a large number of errors reported after creating
> the eli device. All are variations of the following:
> GEOM_ELI: ad6p4.eli: 512 bytes corrupted at offset 3221224960
> GEOM_ELI: ad6p4.eli: 8192 bytes corrupted at offset 65536
This is because the data is not yet initialized. You have some random
data that surely are not properly signed. In the example section of
the geli(8) manual page you can find that there is a step to initialize the
provider's data:

	# dd if=/dev/random of=/dev/da0.eli bs=1m

This way GELI has a chance to sign all the blocks.

I guess it would be good to advise this step after 'geli init' the same
way we inform about backups.

--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://yomoli.com
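
An added example, not part of the original message: a small Python parser for the "GEOM_ELI: ... bytes corrupted at offset ..." dmesg lines quoted above. It merges them into per-provider byte ranges so the kernel log can be compared before and after the dd initialization step. The function names and the sample lines beyond the two quoted in the post are constructed for illustration.

```python
import re
from collections import defaultdict

# Message format as quoted in the post above.
CORRUPT_RE = re.compile(r"GEOM_ELI: (\S+): (\d+) bytes corrupted at offset (\d+)")

def corrupted_ranges(lines):
    """Return {provider: [(start, end), ...]}: merged, sorted byte ranges, end exclusive."""
    raw = defaultdict(list)
    for line in lines:
        m = CORRUPT_RE.search(line)
        if m:
            length, offset = int(m.group(2)), int(m.group(3))
            raw[m.group(1)].append((offset, offset + length))
    merged = {}
    for provider, spans in raw.items():
        spans.sort()
        out = [spans[0]]
        for start, end in spans[1:]:
            last_start, last_end = out[-1]
            if start <= last_end:  # overlapping, adjacent or repeated report
                out[-1] = (last_start, max(last_end, end))
            else:
                out.append((start, end))
        merged[provider] = out
    return merged

def corrupted_bytes(ranges):
    """Total distinct bytes reported as corrupted, per provider."""
    return {p: sum(end - start for start, end in spans) for p, spans in ranges.items()}

# Constructed sample: the first two lines are from the post, the rest are made up.
SAMPLE = """\
GEOM_ELI: ad6p4.eli: 512 bytes corrupted at offset 3221224960
GEOM_ELI: ad6p4.eli: 8192 bytes corrupted at offset 65536
GEOM_ELI: ad6p4.eli: 8192 bytes corrupted at offset 73728
GEOM_ELI: ad6p4.eli: 512 bytes corrupted at offset 3221224960
GEOM_ELI: Device ad6p4.eli created.
GEOM_ELI: da0.eli: 4096 bytes corrupted at offset 0
""".splitlines()

if __name__ == "__main__":
    ranges = corrupted_ranges(SAMPLE)
    totals = corrupted_bytes(ranges)
    for provider in sorted(ranges):
        print(f"{provider}: {totals[provider]} bytes in {len(ranges[provider])} range(s)")
        for start, end in ranges[provider]:
            print(f"  offset {start} .. {end - 1}")
```

Fed the output of dmesg, the same functions show whether corruption reports stop once every block of the provider has been written.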