GELI devices produced with 9.0+ fail when mounted on 8.2, etc?

[Garrett Cooper]

On Oct 16, 2011, at 7:51 PM, Xin LI wrote:

> On Sun, Oct 16, 2011 at 7:43 PM, Garrett Cooper <yanegomi at gmail.com> wrote:
>> On Oct 16, 2011, at 5:32 PM, Xin LI wrote:
>> 
>>> On Sun, Oct 16, 2011 at 5:01 PM, Garrett Cooper <yanegomi at gmail.com> wrote:
>>> [...]
>>>>        The attach will fail with the following message:
>>>> 
>>>> geli: MD5 hash mismatch for /dev/md0.
>>> 
>>> I'm pretty sure that this is from userland, and because FreeBSD 9.x
>>> have support of GELI metadata version 6, while 8.2 have support up to
>>> metadata version 5.  It's not a regression IMHO.
>> 
>> In other words this is a design flaw, because geli metadata is only forwards compatible. One of FreeBSD's claims to fame is its backwards compatibility -- why aren't geom developers adhering to this?
> 
> Backward compatibility is that you can expect what's working in an
> older version of FreeBSD would just work on a newer version of
> FreeBSD, not the contrary.

	Perhaps, but the fact that this behavior / set of expectations isn't clearly called out in the geli manpage -- and the fact that there isn't official versioning (or at the very least this isn't made a requirement based on the output above) associated with each metadata format is a fault that should be corrected. Otherwise, how can GELI be considered a viable mechanism for encrypting data across multiple versions of FreeBSD? It seems very shortsighted that there isn't at least a mechanism for reading -- or at least rejecting -- later versions of metadata in an intuitive manner.
	FWIW if you use geli from an earlier version of FreeBSD (hint: chroot, jail), it does the right thing.. which means that I have a means for producing encrypted images on later versions of FreeBSD now. Nevertheless, having to do so in such a roundabout manner is annoying and I'm sure I won't be the only one that will be affected by this.
Thanks,
-Garrett