geli authentication algo and newfs weirdness

Vinny vinny-mail-01+f.questions20080919 at palaceofretention.ca
Sat Sep 20 02:53:30 UTC 2008


Hello Everyone,

I've been reading up on geli and decided I wanted to
use data authentication.  This involves the -a switch
on the geli init command.  Here's what I've found:

===== No authentication (the disk size is correct @ 152G):

the/root{143}~# geli init  da1
Enter new passphrase:
Reenter new passphrase:
the/root{144}~# geli attach da1
Enter passphrase:

the/root{147}~# newfs -N /dev/da1.eli
/dev/da1.eli: 152627.8MB (312581804 sectors) block size 16384, fragment size 2048
         using 831 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
  160, 376512, 752864, ...

the/root{148}~# newfs  /dev/da1.eli
/dev/da1.eli: 152627.8MB (312581804 sectors) block size 16384, fragment size 2048
         using 831 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
  160, 376512, 752864, 1129216, ...

===== With hmac/sha256 (or any other) authentication (small disk size 76G):

the/root{156}~# geli init -a hmac/sha256 /dev/da1
Enter new passphrase:
Reenter new passphrase:
the/root{157}~#
the/root{157}~# geli attach da1
Enter passphrase:

the/root{159}~# newfs -N /dev/da1.eli
/dev/da1.eli: 76313.9MB (156290900 sectors) block size 16384, fragment size 2048
         using 416 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
  160, 376512, 752864, ...

the/root{163}~# newfs  /dev/da1.eli
/dev/da1.eli: 76313.9MB (156290900 sectors) block size 16384, fragment size 2048
         using 416 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
newfs: can't read old UFS1 superblock: read error from block device: Invalid argument

the/root{110}~# geli dump -v da1
Metadata on da1:
      magic: GEOM::ELI
    version: 3
      flags: 0x10
      ealgo: AES-CBC
     keylen: 128
      aalgo: HMAC/SHA256
   provsize: 160041885696
 sectorsize: 512
       keys: 0x01
 iterations: 67988
       Salt: c708

=====

Anyone know what I've done wrong?  Is data authentication working?

Thanks!
Vinny
